Message-ID: <Pine.GSO.4.53.0305301547430.13675@Saturn.bridgewater.edu>
Date: Fri, 30 May 2003 15:51:46 -0400 (EDT)
From: Joe Meslovich <joe@...dgewater.edu>
To: bugtraq@...urityfocus.com
Subject: Re: gcc (<3.2.3) implicit struct copy exploit
Luke,
I just wanted to mention something I noticed in my own testing.
When I compiled prog.c with -O3 optimizations, it supplied the expected
response.
$ gcc -Wall -O3 prog.c -o prog ; ./prog
2 2 3
1 3 3
1 2 4
2 3 4
Joe Meslovich
This was done with gcc 3.2.2 on a Solaris 9 box.
On Wed, 28 May 2003, Luke Hutchison wrote:
> There is a bug in GCC, prior to version 3.2.3, which meant that
> performing an implicit struct copy several times in succession would
> result in data from different struct copy operations overwriting each
> other.
>
> This problem is present in at least gcc-3.2 and gcc-3.2.2, i.e. the gcc
> present in RH8.x and RH9.
>
> This bug is potentially a security risk, because data is unintentionally
> "overlapped" between subsequent struct copies. A carefully crafted
> exploit may be able to obtain sensitive information, or run arbitrary
> code (in the case where a struct contains a function pointer).
>
> Here is some code which illustrates the vulnerability:
>
>
> /*
>
> Compile with: gcc -Wall prog.c -o prog && ./prog
>
> I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
> Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]
> This problem is solved in gcc version 3.2.3 [RawHide]
>
> Actual output:
>
> 0 1 0
> 1 0 0
> 1 2 1
> 2 3 4
>
> Expected output:
>
> 2 2 3
> 1 3 3
> 1 2 4
> 2 3 4
>
> */
>
>
> #include <stdio.h>
>
>
> typedef struct {
>     int _0, _1, _2;
> } POINT;
>
>
> POINT xform(POINT p) {
>     return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
> }
>
>
> int main(void) {
>     int i;
>     POINT p[4] =
>         { xform((POINT) { 1, 0, 0 }),
>           xform((POINT) { 0, 1, 0 }),
>           xform((POINT) { 0, 0, 1 }),
>           xform((POINT) { 1, 1, 1 }) };
>
>     for (i = 0; i < 4; i++)
>         printf(" %d %d %d\n", p[i]._0, p[i]._1, p[i]._2);
>
>     return 0;
> }
>
>
>
> I have reported this bug to RedHat:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90131
> however it is fixed in RawHide gcc (v.3.2.3), so the bug was closed.
>
>
> It appears, however, from the RH bugzilla report, that there were
> actually multiple struct-copy problems, one which was fixed by
> gcc-3.2.2-5-rh, and one which was fixed by gcc-3.2.3.
>
>
> Implicit struct copying is fortunately not used much by most C
> programmers, although I have struck this problem myself.
>
>
> If it is agreed that this bug poses a potential security risk, my
> suggestion is that all code in gcc that deals with implicit struct
> copying have statements added to send filenames/line numbers to a
> special log file, and that all security-sensitive system packages be
> built with this custom version of gcc, in order that a list of
> potentially vulnerable source files be found. [Unfortunately I do not
> have the time or sufficient background to make these changes myself.]
> Hopefully this issue can be picked up by some interested party.
>
> Thanks!
>
>
>
----------------------------------------------------------------------------
Joe Meslovich joe@...dgewater.edu
Associate Network/Systems Engineer IT Center
Tel: (540) 828 - 5343
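The quoted prog.c only prints values for a human to compare by eye. The following is an added self-check, not code from either poster, that exercises the same construct (an array initialiser built from several struct-returning calls) and compares the result field by field against a reference path that never copies a struct implicitly. The assumption is that writing each field through a pointer in its own statement is a valid oracle for the intended values; the mismatch count is returned and used as the exit status so the check can gate a build.

```c
#include <stdio.h>

typedef struct {
    int _0, _1, _2;
} POINT;

/* The transform from the quoted report: takes and returns a struct by value. */
static POINT xform(POINT p)
{
    return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
}

/* Reference path that never copies a struct implicitly: each field is
 * written through a pointer in its own statement. (Assumption: this is
 * the oracle chosen for this example, not a workaround from the report.) */
static void xform_into(POINT *dst, const POINT *src)
{
    dst->_0 = src->_0 + 1;
    dst->_1 = src->_1 + 2;
    dst->_2 = src->_2 + 3;
}

/* Field-wise comparison; avoids memcmp so struct padding cannot matter. */
static int point_eq(const POINT *a, const POINT *b)
{
    return a->_0 == b->_0 && a->_1 == b->_1 && a->_2 == b->_2;
}

/* Build the array the same way prog.c does (several struct-returning calls
 * in one initialiser) and compare it against the reference path.
 * Returns the number of mismatching elements: 0 means the compiler handled
 * the successive struct copies correctly. */
int struct_copy_selftest(void)
{
    static const POINT in[4] = { {1, 0, 0}, {0, 1, 0}, {0, 0, 1}, {1, 1, 1} };
    POINT got[4] = { xform(in[0]), xform(in[1]), xform(in[2]), xform(in[3]) };
    POINT want[4];
    int i, mismatches = 0;

    for (i = 0; i < 4; i++)
        xform_into(&want[i], &in[i]);
    for (i = 0; i < 4; i++)
        if (!point_eq(&got[i], &want[i]))
            mismatches++;
    return mismatches;
}

/* Exit status is the mismatch count, so a build script can do:
 *   gcc -Wall selftest.c -o selftest && ./selftest || echo MISCOMPILED */
int main(void)
{
    int bad = struct_copy_selftest();
    printf("%s (%d of 4 elements wrong)\n", bad ? "MISCOMPILED" : "OK", bad);
    return bad;
}
```

Run it with the same compiler flags as the real build: Joe reports that gcc 3.2.2 produced the expected output at -O3, while the original report compiled with no -O option, so a check done at one optimisation level says nothing about the other.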