Secure Coding mailing list archives

GCC and pointer overflows [LWN.net]

From: rcs at cert.org (Robert C. Seacord)
Date: Thu, 01 May 2008 09:37:52 -0400

Ken,

Comment below.

FYI, here's an interesting article (and follow-on discussions) about a 
recent bug in the GCC compiler collection.

http://lwn.net/Articles/278137/

The bug, which has been documented in a CERT advisory, affects C code 
in which, under some circumstances, buffer bounds checking can be 
optimized out to produce binaries that are susceptible to buffer 
overflows.  The article includes a couple examples that really help 
illustrate the issue -- very interesting reading, IMHO.

Of course, many/most SC-Lers will no doubt jump on this as another 
example of why C is such a dangerous language to write (secure) code 
in, and that's fine.  But, I see the issue at least a little 
differently: a compiler making decisions for the programmer and 
producing executable code that does not accurately conform to what the 
programmer coded.  We've all heard of security-related optimizing 
issues for years, right?  Well, here's a prime example of one in action.

To be fair to gcc, the code in question is "undefined behavior" which 
means that the C standard gives the compiler lease to deal with the code 
in any manner they wish.  This means that they do not need to diagnose 
the problem, generate object code, or generate correct code.  This is a 
problem with the C language--the onus is on the developer to write 
"conforming" applications.

The reason we dinged gcc in this case was because versions of the 
compiler prior to v 4.2 did generate object code in this case that was 
consistent with the user model (e.g., that adding a pointer to a integer 
could result in wrapping).  Version 4.2 silently changed this behavior 
without providing a flag or option to diagnose the issue.  They have 
since modified their compiler to warn on this issue, and once this 
version of the compiler is released we will update the vul note to 
recommend this version of the compiler be used.

We are looking at this as a prototype for similar vulnerability notes 
dealing with erroneous or unexpected behavior in tools that can lead to 
the introduction of vulnerabilities in software, so I would be 
interested in feedback as to if vulnerability notes of this sort are of 
value.

rCs

Current thread:

GCC and pointer overflows [LWN.net] Kenneth Van Wyk (May 01)
- GCC and pointer overflows [LWN.net] Robert C. Seacord (May 01)
- GCC and pointer overflows [LWN.net] der Mouse (May 01)
- GCC and pointer overflows [LWN.net] Epstein, Jeremy (May 01)
  - GCC and pointer overflows [LWN.net] ljknews (May 01)
  - GCC and pointer overflows [LWN.net] Leichter, Jerry (May 01)
    - GCC and pointer overflows [LWN.net] ljknews (May 01)