ALT Linux Team development discussions
From: Stanislav Ievlev <inger@altlinux.org>
To: devel@altlinux.ru
Subject: Re: [devel] [lukehlistemail@byu.edu: gcc (<3.2.3) implicit struct copy exploit]
Date: Mon, 2 Jun 2003 11:39:12 +0400
Message-ID: <20030602073912.GB8433@basalt.office.altlinux.org>
In-Reply-To: <20030601181549.GA1091@basalt.office.altlinux.org>

On Sun, Jun 01, 2003 at 10:15:49PM +0400, Dmitry V. Levin wrote:
> Gentlemen, once gcc 3.2.3-altX has settled into Sisyphus, a full rebuild
> awaits us.
Maybe go straight to 3.3?
> 
> ----- Forwarded message from Luke Hutchison <lukehlistemail@byu.edu> -----
> 
> Date: Wed, 28 May 2003 17:51:47 -0600
> From: Luke Hutchison <lukehlistemail@byu.edu>
> To: bugtraq@securityfocus.com
> Subject: gcc (<3.2.3) implicit struct copy exploit
> 
> There is a bug in GCC, prior to version 3.2.3, which meant that
> performing an implicit struct copy several times in succession would
> result in data from different struct copy operations overwriting each
> other.
> 
> This problem is present in at least gcc-3.2 and gcc-3.2.2, i.e. the gcc
> present in RH8.x and RH9.
> 
> This bug is potentially a security risk, because data is unintentionally
> "overlapped" between subsequent struct copies.  A carefully crafted
> exploit may be able to obtain sensitive information, or run arbitrary
> code (in the case where a struct contains a function pointer).
> 
> Here is some code which illustrates the vulnerability:
> 
> 
> /*
> 
>  Compile with: gcc -Wall prog.c -o prog && ./prog
> 
>  I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
>  Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]
>  This problem is solved in gcc version 3.2.3 [RawHide]
> 
>    Actual output:
> 
>     0 1 0
>     1 0 0
>     1 2 1
>     2 3 4
> 
>    Expected output:
> 
>     2 2 3
>     1 3 3
>     1 2 4
>     2 3 4
> 
> */
> 
> 
> #include <stdio.h>
> 
> 
> typedef struct {
>   int _0, _1, _2;
> } POINT;
> 
> 
> POINT xform(POINT p) {
>   return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
> }
> 
> 
> int main(void) {
>   int i;
>   POINT p[4] =
>     { xform((POINT) { 1, 0, 0 }),
>       xform((POINT) { 0, 1, 0 }),
>       xform((POINT) { 0, 0, 1 }),
>       xform((POINT) { 1, 1, 1 }) };
> 
>   for (i = 0; i < 4; i++)
>     printf("    %d %d %d\n", p[i]._0, p[i]._1, p[i]._2);
> 
>   return 0;
> }
> 
> 
> 
> I have reported this bug to RedHat:
>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90131
> however it is fixed in RawHide gcc (v.3.2.3), so the bug was closed.
> 
> 
> It appears, however, from the RH bugzilla report, that there were
> actually multiple struct-copy problems, one which was fixed by
> gcc-3.2.2-5-rh, and one which was fixed by gcc-3.2.3.
> 
> 
> Implicit struct copying is fortunately not used much by most C
> programmers, although I have struck this problem myself.
> 
> 
> If it is agreed that this bug poses a potential security risk, my
> suggestion is that all code in gcc that deals with implicit struct
> copying have statements added to send filenames/line numbers to a
> special log file, and that all security-sensitive system packages be
> built with this custom version of gcc, in order that a list of
> potentially vulnerable source files be found.  [Unfortunately I do not
> have the time or sufficient background to make these changes myself.] 
> Hopefully this issue can be picked up by some interested party.
> 
> Thanks!
> 
> 
> ----- End forwarded message -----
> 
> --
> ldv
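The program below is an added example, not part of the forwarded bugtraq post or of this thread: a self-check a maintainer could compile with the toolchain in question before the rebuild discussed above. It reuses the POINT/xform pattern from Luke Hutchison's test but compares the results against the post's expected values in code instead of printing them for eyeballing, and adds a second struct that carries a function pointer, the case the post singles out as a code-execution risk. The HANDLER type and the make_handler, twice and negate functions are assumptions made for this example; the gcc 3.2.x behaviour is not reproduced here, only the expected values from the post are checked.

```c
#include <stdio.h>

/* Added self-check; not code from the bugtraq post.  Both checks return 1 on a
 * compiler that copies structs correctly and 0 if any copy came out wrong. */

typedef struct { int _0, _1, _2; } POINT;

/* Same transform as in the post: each field is incremented by a different
 * constant so that overlapping copies are visible in the result. */
static POINT xform(POINT p) {
  return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
}

/* Four implicit struct copies in one initializer, as in the post.  The
 * expected values are the post's "Expected output" rows. */
int point_copies_ok(void) {
  static const POINT expected[4] = { {2, 2, 3}, {1, 3, 3}, {1, 2, 4}, {2, 3, 4} };
  POINT p[4] = { xform((POINT) { 1, 0, 0 }),
                 xform((POINT) { 0, 1, 0 }),
                 xform((POINT) { 0, 0, 1 }),
                 xform((POINT) { 1, 1, 1 }) };
  int i;
  for (i = 0; i < 4; i++)
    if (p[i]._0 != expected[i]._0 ||
        p[i]._1 != expected[i]._1 ||
        p[i]._2 != expected[i]._2)
      return 0;
  return 1;
}

/* Hypothetical handler struct (assumption for this example): a tag plus a
 * function pointer, the layout the post warns about. */
typedef struct { int tag; int (*fn)(int); } HANDLER;

static int twice(int x)  { return 2 * x; }
static int negate(int x) { return -x; }

/* Returning the compound literal is an implicit struct copy. */
static HANDLER make_handler(int tag, int (*fn)(int)) {
  return (HANDLER) { tag, fn };
}

/* Each copied handler must still carry its own tag and dispatch through its
 * own function pointer; a copy that bled into its neighbour would call the
 * wrong function or carry the wrong tag. */
int handler_copies_ok(void) {
  HANDLER h[2] = { make_handler(1, twice), make_handler(2, negate) };
  int a = h[0].fn(21);
  int b = h[1].fn(21);
  return h[0].tag == 1 && h[1].tag == 2 && a == 42 && b == -21;
}

int main(void) {
  int ok = point_copies_ok() && handler_copies_ok();
  printf("implicit struct copy self-check: %s\n", ok ? "OK" : "FAILED");
  return ok ? 0 : 1;
}
```

Build it the way the post does, `gcc -Wall -std=gnu99 selfcheck.c -o selfcheck && ./selfcheck`; a non-zero exit status flags a compiler whose struct copies disagree with the expected values, which is a cheap gate to run before committing to a full rebuild. A failure only says that these particular copy patterns came out wrong; it does not tell you which of the two struct-copy defects mentioned in the post is present.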





Thread overview: 3+ messages
2003-06-01 18:15 Dmitry V. Levin
2003-06-02  7:39 ` Stanislav Ievlev [this message]
2003-06-02  9:05   ` Dmitry V. Levin
