Secure Coding mailing list archives
GCC and pointer overflows [LWN.net]
From: ken at krvw.com (Kenneth Van Wyk)
Date: Thu, 1 May 2008 09:13:44 -0400
FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds checking can be optimized out to produce binaries that are susceptible to buffer overflows. The article includes a couple examples that really help illustrate the issue -- very interesting reading, IMHO. Of course, many/most SC-Lers will no doubt jump on this as another example of why C is such a dangerous language to write (secure) code in, and that's fine. But, I see the issue at least a little differently: a compiler making decisions for the programmer and producing executable code that does not accurately conform to what the programmer coded. We've all heard of security-related optimizing issues for years, right? Well, here's a prime example of one in action. Cheers, Ken ----- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3240 bytes Desc: not available Url : http://krvw.com/pipermail/sc-l/attachments/20080501/b01ccf74/attachment.bin
Current thread:
- GCC and pointer overflows [LWN.net] Kenneth Van Wyk (May 01)
- GCC and pointer overflows [LWN.net] Robert C. Seacord (May 01)
- GCC and pointer overflows [LWN.net] der Mouse (May 01)
- GCC and pointer overflows [LWN.net] Epstein, Jeremy (May 01)
- GCC and pointer overflows [LWN.net] ljknews (May 01)
- GCC and pointer overflows [LWN.net] Leichter, Jerry (May 01)
- GCC and pointer overflows [LWN.net] ljknews (May 01)