oss-sec mailing list archives

Re: gcc 4.2 optimizations and integer overflow checks


From: Marcus Meissner <meissner () suse de>
Date: Mon, 7 Apr 2008 18:29:56 +0200

On Mon, Apr 07, 2008 at 12:12:34PM -0400, Josh Bressers wrote:
> Has anyone started to look at this yet:
> http://www.kb.cert.org/vuls/id/162289
>
> I suspect this isn't going to be trivial to detect.  Ideas are welcome.
>
> Thanks.

Please note this section:

"Note: this issue does not strictly constitute a vulnerability in gcc
 itself. The behavior that gcc exhibits in this case is permitted by the
 ISO/IEC 9899:1999 C specification (§6.5.6p8). "

The gcc folks have discussed this to death already and in the discussion
the code received a -Wstrict-overflow option.


        > cat xx.c
        int f(int a, int b) {
                return a < a+b;
        }

        int g(int a) {
                return f(a,1<<30);
        }
        > LANG=C projects/gcc/BIN/bin/gcc -O2 -c xx.c -Wstrict-overflow -Wall 
        xx.c: In function 'g':
        xx.c:2: warning: assuming signed overflow does not occur when assuming that (X + c) >= X is always true

Ciao, Marcus
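
The following is an added example, not part of the original message or of gcc: the `a < a+b` idiom from xx.c shown beside an overflow test that never evaluates an overflowing expression, so the optimizer has nothing to assume away. The helper names `add_would_overflow` and `checked_add` are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* The idiom from xx.c: it only detects overflow if a + b wraps, but signed
 * overflow is undefined, so the compiler may assume it never happens and
 * simplify the comparison. Never call this with operands that overflow. */
int wraps_check_ub(int a, int b) {
    return a < a + b;
}

/* Hypothetical helper: tests whether a + b would overflow using only
 * subtractions that are guaranteed to stay inside [INT_MIN, INT_MAX]. */
bool add_would_overflow(int a, int b) {
    if (b > 0)
        return a > INT_MAX - b;   /* INT_MAX - b cannot overflow for b > 0 */
    if (b < 0)
        return a < INT_MIN - b;   /* INT_MIN - b cannot overflow for b < 0 */
    return false;                 /* adding zero never overflows */
}

/* Hypothetical helper: stores a + b in *out and returns true, or returns
 * false and leaves *out untouched when the sum is not representable. */
bool checked_add(int a, int b, int *out) {
    if (add_would_overflow(a, b))
        return false;
    *out = a + b;
    return true;
}

int main(void) {
    int sum = 0;
    /* Constructed sample operands; the second pair matches g() in xx.c
     * when a == INT_MAX. */
    printf("idiom on in-range operands: %d\n", wraps_check_ub(1, 2));
    printf("INT_MAX + (1<<30) overflows: %d\n",
           add_would_overflow(INT_MAX, 1 << 30));
    if (checked_add(1 << 30, (1 << 30) - 1, &sum))
        printf("checked sum: %d\n", sum);
    if (!checked_add(1 << 30, 1 << 30, &sum))
        printf("rejected (1<<30) + (1<<30)\n");
    return 0;
}
```
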

