Message-ID: <20080407162956.GA1025@suse.de>
Date: Mon, 7 Apr 2008 18:29:56 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: gcc 4.2 optimizations and integer overflow checks

On Mon, Apr 07, 2008 at 12:12:34PM -0400, Josh Bressers wrote:
> Has anyone started to look at this yet:
> http://www.kb.cert.org/vuls/id/162289
> 
> I suspect this isn't going to be trivial to detect.  Ideas are welcome.
> 
> Thanks.

Please note this section:

"Note: this issue does not strictly constitute a vulnerability in gcc
 itself. The behavior that gcc exhibits in this case is permitted by the
 ISO/IEC 9899:1999 C specification (§6.5.6p8). "

The gcc folks have discussed this to death already and in the discussion
the code received a -Wstrict-overflow option.


	> cat xx.c
	int f(int a, int b) {
		return a < a+b;
	}

	int g(int a) {
		return f(a,1<<30);
	}
	> LANG=C projects/gcc/BIN/bin/gcc -O2 -c xx.c -Wstrict-overflow -Wall 
	xx.c: In function 'g':
	xx.c:2: warning: assuming signed overflow does not occur when assuming that (X + c) >= X is always true

Ciao, Marcus
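
An added example, not part of the original message and not code from gcc or CERT: overflow checks written so that the overflowing expression is never evaluated, which leaves the optimizer nothing to assume away. It goes beyond the `int` case in xx.c to the pointer-plus-length form that §6.5.6p8 governs; the function names are made up for this example and the buffer is constructed sample data.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: returns 1 if a + b is not representable as int.
 * The sum is never computed, so no undefined behaviour is involved. */
static int add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;   /* INT_MAX - b cannot overflow for b > 0 */
    return a < INT_MIN - b;       /* INT_MIN - b cannot overflow for b <= 0 */
}

/* Checked replacement for the a + b in f(): stores the sum and returns 1,
 * or returns 0 and leaves *sum untouched when the sum would overflow. */
static int checked_add(int a, int b, int *sum)
{
    if (add_would_overflow(a, b))
        return 0;
    *sum = a + b;
    return 1;
}

/* Pointer form: does [p, p + len) lie inside [buf, buf + size)?
 * Lengths are compared instead of forming p + len, which would be
 * undefined once it passes the end of the object.
 * Assumes p already points into buf or one past its end. */
static int range_fits(const char *buf, size_t size, const char *p, size_t len)
{
    size_t used = (size_t)(p - buf);
    return used <= size && len <= size - used;
}

int main(void)
{
    char buf[16];                 /* constructed sample buffer */
    int sum = 0;

    /* Same operands as g() in xx.c, with a at INT_MAX. */
    printf("overflow: %d\n", add_would_overflow(INT_MAX, 1 << 30));
    if (checked_add(40, 2, &sum))
        printf("sum: %d\n", sum);
    printf("fits: %d\n", range_fits(buf, sizeof buf, buf + 4, 12));
    printf("fits: %d\n", range_fits(buf, sizeof buf, buf + 4, (size_t)-1));
    return 0;
}
```

These checks give the same result at any optimization level, so -Wstrict-overflow has nothing to report for them.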
