system/5217: gcc - canary isn't clobbered when it should be

Paul Stoeber
>Number:         5217
>Category:       system
>Synopsis:       gcc - canary isn't clobbered when it should be
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 03 19:40:01 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Paul Stoeber
>Release:        3.9
>Organization:
net
>Environment:
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
$ uname -mrsv
OpenBSD 3.9 GENERIC#617 i386
$ cat x.c
#include <assert.h>
extern int __guard;
int main() {
  int buf[N];
  int *p;
  buf[N] = *(buf+N) + 1;
  assert((int)&(buf[N]) == (int)&(*(buf+N)));
  assert(buf[N] != *(buf+N));
  assert(buf[N] == *(buf+N) + 1);
  assert(*(buf+N) == __guard);
  p = buf+N+4;
  buf[N] = 0;
  assert(buf[N] == *p);
  buf[N] = 1;
  assert(buf[N] == *p);
  return 0;
}
$ for n in $(jot 12); do echo -n $n:; gcc -DN=$n x.c && ./a.out && echo ok; done
1:ok
2:ok
3:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
4:ok
5:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
6:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
7:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
8:ok
9:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
10:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
11:assertion "buf[N] != *(buf+N)" failed: file "x.c", line 8, function "main"
Abort trap (core dumped)
12:ok
$

This could at least mask programming errors like
buf[sizeof(buf)/sizeof(buf[0])] = 0


>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
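The point of the report is that a one-past-the-end store can leave the stack canary intact, so the canary cannot be relied on to catch the buf[sizeof(buf)/sizeof(buf[0])] = 0 class of bug. The following C program is an added illustration and is not part of the report or of OpenBSD's gcc. It pairs an explicit bounds-checked store (the mitigation) with a small model of how alignment slack between an array and the canary can absorb such a write. The model's alignment value is an assumed parameter chosen for illustration; it does not claim to reproduce the specific set of N values observed above on OpenBSD 3.9/i386, and the function and macro names are the author's inventions.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Element count of a fixed-size array. The off-by-one named in the report
 * is buf[ARRAY_LEN(buf)] = 0, a store one element past the end. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Checked store: rejects idx == len (one past the end) and anything beyond.
 * A canary only fires when a stray write actually lands on the canary
 * word, so the bounds check has to be explicit. */
static bool store_checked(int *buf, size_t len, size_t idx, int value)
{
    if (buf == NULL || idx >= len)
        return false;
    buf[idx] = value;
    return true;
}

/* Exercises store_checked on a 3-element array with indices 0..4 and
 * returns how many stores were rejected (indices 3 and 4, i.e. 2). */
static int count_rejected_stores(void)
{
    int buf[3] = {0};
    int rejected = 0;
    for (size_t i = 0; i < 5; i++)
        if (!store_checked(buf, ARRAY_LEN(buf), i, (int)i))
            rejected++;
    return rejected;
}

/* Illustrative model (an assumption, not a description of any particular
 * compiler): the protected array occupies len * elem_size bytes, the
 * compiler rounds that block up to `align` bytes, and the canary follows
 * the rounded block. Returns how many out-of-bounds elements fit in the
 * slack between the array's end and the canary. */
static size_t slack_elements(size_t len, size_t elem_size, size_t align)
{
    size_t bytes = len * elem_size;
    size_t rounded = (bytes + align - 1) / align * align;
    return (rounded - bytes) / elem_size;
}

/* True when an out-of-bounds store at element `idx` would be absorbed by
 * the modelled slack, leaving the canary untouched. */
static bool overflow_masked(size_t len, size_t elem_size, size_t align,
                            size_t idx)
{
    return idx >= len && idx < len + slack_elements(len, elem_size, align);
}

int main(void)
{
    /* Assumed alignment for the model; adjust to match a real target. */
    const size_t assumed_align = 16;

    printf("rejected stores on int[3]: %d\n", count_rejected_stores());
    for (size_t n = 1; n <= 12; n++)
        printf("N=%2zu: one-past-the-end store %s (model, %zu-byte alignment)\n",
               n, overflow_masked(n, sizeof(int), assumed_align, n)
                      ? "absorbed by slack" : "reaches canary",
               assumed_align);
    return 0;
}
```

The checked store is the part to carry into real code; the slack model is only there to make visible why "canary intact" is not the same as "no overflow occurred".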