system/5225: gcc - valid code smashes the stack

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

system/5225: gcc - valid code smashes the stack

Paul Stoeber
>Number:         5225
>Category:       system
>Synopsis:       gcc - valid code smashes the stack
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 04 21:10:02 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Paul Stoeber
>Release:        3.9
>Organization:
net
>Environment:
        System      : OpenBSD 3.9
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
$ cat bug.c
#include <string.h>
void f(char x) {
  { char b[9]; }
  char buf[20];
  bzero(buf,sizeof(buf));
}
int main() { f(0); return 0; }
$ gcc bug.c
$ ./a.out
Abort trap (core dumped)
$

There's a chance of 2^(-32) that you don't get a core dump,
so try again.

g++ inherits this bug.


>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

Reply | Threaded
Open this post in threaded view
|

Re: system/5225: gcc - valid code smashes the stack

dimitry (Bugzilla)
The following reply was made to PR system/5225; it has been noted by GNATS.

From: Dimitry Andric <[hidden email]>
To: Paul Stoeber <[hidden email]>
Cc: [hidden email]
Subject: Re: system/5225: gcc - valid code smashes the stack
Date: Tue, 05 Sep 2006 00:32:39 +0200

 Paul Stoeber wrote:
 > #include <string.h>
 > void f(char x) {
 >   { char b[9]; }
 >   char buf[20];
 >   bzero(buf,sizeof(buf));
 > }
 > int main() { f(0); return 0; }
 
 Strangely, if you remove the braces around char b[9], the trap doesn't
 occur.  I'm not quite sure if the braces are legal C (at least C90).
 Turning on any optimization makes the trap disappear too.
 
 With braces, you get:
 
  .file "smash.c"
  .globl __stack_smash_handler
  .section .rodata
 .LC0:
  .string "f"
  .text
  .globl f
  .type f, @function
 f:
  pushl %ebp
  movl %esp, %ebp
  subl $56, %esp
  movl 8(%ebp), %eax
  movb %al, -41(%ebp)
  movl __guard, %eax
  movl %eax, -24(%ebp)
  subl $8, %esp
  pushl $20
  leal -40(%ebp), %eax
  pushl %eax
  call bzero
  addl $16, %esp
  movl -24(%ebp), %eax
  cmpl __guard, %eax
  je .L2
  subl $8, %esp
  pushl -24(%ebp)
  pushl $.LC0
  call __stack_smash_handler
  addl $16, %esp
 .L2:
  leave
  ret
  .size f, .-f
  .globl __stack_smash_handler
  .section .rodata
 .LC1:
  .string "main"
  .text
  .globl main
  .type main, @function
 main:
  pushl %ebp
  movl %esp, %ebp
  subl $24, %esp
  andl $-16, %esp
  movl $0, %eax
  subl %eax, %esp
  movl __guard, %eax
  movl %eax, -24(%ebp)
  subl $12, %esp
  pushl $0
  call f
  addl $16, %esp
  movl $0, %eax
  movl -24(%ebp), %edx
  cmpl __guard, %edx
  je .L4
  subl $8, %esp
  pushl -24(%ebp)
  pushl $.LC1
  call __stack_smash_handler
  addl $16, %esp
 .L4:
  leave
  ret
  .size main, .-main
 
 While without braces, you get the following diff:
 
 @@ -9,14 +9,14 @@
  f:
  pushl %ebp
  movl %esp, %ebp
 - subl $56, %esp
 + subl $88, %esp
  movl 8(%ebp), %eax
 - movb %al, -41(%ebp)
 + movb %al, -73(%ebp)
  movl __guard, %eax
  movl %eax, -24(%ebp)
  subl $8, %esp
  pushl $20
 - leal -40(%ebp), %eax
 + leal -72(%ebp), %eax
  pushl %eax
  call bzero
  addl $16, %esp
 
 So something screws up the total stack size calculation in the first
 instance...

Reply | Threaded
Open this post in threaded view
|

Re: system/5225: gcc - valid code smashes the stack

Andrew Pinski
On Mon, 2006-09-04 at 16:45 -0600, Dimitry Andric wrote:

> The following reply was made to PR system/5225; it has been noted by GNATS.
>
> From: Dimitry Andric <[hidden email]>
> To: Paul Stoeber <[hidden email]>
> Cc: [hidden email]
> Subject: Re: system/5225: gcc - valid code smashes the stack
> Date: Tue, 05 Sep 2006 00:32:39 +0200
>
>  Paul Stoeber wrote:
>  > #include <string.h>
>  > void f(char x) {
>  >   { char b[9]; }
>  >   char buf[20];
>  >   bzero(buf,sizeof(buf));
>  > }
>  > int main() { f(0); return 0; }
>  
>  Strangely, if you remove the braces around char b[9], the trap doesn't
>  occur.  I'm not quite sure if the braces are legal C (at least C90).
>  Turning on any optimization makes the trap disappear too.

The scope for b is only inside those braces so it does not escape the
braces.  There is nothing funny about the above code, in fact it is
valid and should not crash.

Thanks,
Andrew Pinski

Reply | Threaded
Open this post in threaded view
|

Re: system/5225: gcc - valid code smashes the stack

Paul Stoeber
In reply to this post by Paul Stoeber
The following reply was made to PR system/5225; it has been noted by GNATS.

From: Paul Stoeber <[hidden email]>
To: [hidden email]
Cc:  
Subject: Re: system/5225: gcc - valid code smashes the stack
Date: Mon, 4 Sep 2006 23:08:41 +0000

 On Tue, 05 Sep 2006 00:32:39 +0200
 Dimitry Andric <[hidden email]> wrote:
 
 > Strangely, if you remove the braces around char b[9], the trap doesn't
 > occur.  I'm not quite sure if the braces are legal C (at least C90).
 
 $ cat bug.c                                
 #include <string.h>
 void f(char x) {
   if (x==1) {
     char b[9];
     b[0]=0;
   } else {
     char buf[20];
     bzero(buf,sizeof(buf));
   }
 }
 int main() { f(0); return 0; }
 $ gcc -Wall -ansi -pedantic bug.c          
 $ ./a.out                                                                                                    
 Abort trap (core dumped)
 $