ALT Linux Team development discussions
* [devel] [lukehlistemail@byu.edu: gcc (<3.2.3) implicit struct copy exploit]
@ 2003-06-01 18:15 Dmitry V. Levin
From: Dmitry V. Levin @ 2003-06-01 18:15 UTC (permalink / raw)
  To: ALT Devel discussion list


Gentlemen, once gcc 3.2.3-altX settles into Sisyphus, a full rebuild awaits us.

----- Forwarded message from Luke Hutchison <lukehlistemail@byu.edu> -----

Date: Wed, 28 May 2003 17:51:47 -0600
From: Luke Hutchison <lukehlistemail@byu.edu>
To: bugtraq@securityfocus.com
Subject: gcc (<3.2.3) implicit struct copy exploit

There is a bug in GCC, prior to version 3.2.3, which meant that
performing an implicit struct copy several times in succession would
result in data from different struct copy operations overwriting each
other.

This problem is present in at least gcc-3.2 and gcc-3.2.2, i.e. the gcc
present in RH8.x and RH9.

This bug is potentially a security risk, because data is unintentionally
"overlapped" between subsequent struct copies.  A carefully crafted
exploit may be able to obtain sensitive information, or run arbitrary
code (in the case where a struct contains a function pointer).

Here is some code which illustrates the vulnerability:


/*

 Compile with: gcc -Wall prog.c -o prog && ./prog

 I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
 Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]
 This problem is solved in gcc version 3.2.3 [RawHide]

   Actual output:

    0 1 0
    1 0 0
    1 2 1
    2 3 4

   Expected output:

    2 2 3
    1 3 3
    1 2 4
    2 3 4

*/


#include <stdio.h>


typedef struct {
  int _0, _1, _2;
} POINT;


POINT xform(POINT p) {
  return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
}


int main(void) {
  int i;
  POINT p[4] =
    { xform((POINT) { 1, 0, 0 }),
      xform((POINT) { 0, 1, 0 }),
      xform((POINT) { 0, 0, 1 }),
      xform((POINT) { 1, 1, 1 }) };

  for (i = 0; i < 4; i++)
    printf("    %d %d %d\n", p[i]._0, p[i]._1, p[i]._2);

  return 0;
}



I have reported this bug to RedHat:
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90131
however it is fixed in RawHide gcc (v.3.2.3), so the bug was closed.


It appears, however, from the RH bugzilla report, that there were
actually multiple struct-copy problems, one which was fixed by
gcc-3.2.2-5-rh, and one which was fixed by gcc-3.2.3.


Implicit struct copying is fortunately not used much by most C
programmers, although I have struck this problem myself.


If it is agreed that this bug poses a potential security risk, my
suggestion is that all code in gcc that deals with implicit struct
copying have statements added to send filenames/line numbers to a
special log file, and that all security-sensitive system packages be
built with this custom version of gcc, in order that a list of
potentially vulnerable source files be found.  [Unfortunately I do not
have the time or sufficient background to make these changes myself.] 
Hopefully this issue can be picked up by some interested party.

Thanks!


----- End forwarded message -----

--
ldv
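An added regression test for the miscompile the forwarded report describes (example code written here, not code from Luke's post or from gcc): it reproduces the same pattern, struct-returning calls feeding an aggregate initializer, but computes the expected values independently and reports a mismatch by return code, so it can be run as a toolchain check before a mass rebuild. The BIGPOINT type and the check_struct_copies helper are my own additions; a zero return means the compiler passed.

```c
/* Added example, not from the thread: self-checking test for the gcc < 3.2.3
 * struct-copy miscompile. Expected values come from scalar arithmetic on the
 * constructed seeds, so they cannot share the buggy struct-copy code path. */
#include <stdio.h>

typedef struct { int _0, _1, _2; } POINT;

/* Same transform as in the report: each field is shifted by a constant. */
POINT xform(POINT p) {
  return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
}

/* A larger aggregate is returned through a hidden memory slot on common ABIs,
 * so this also exercises the sret path, not only small register returns. */
typedef struct { int v[8]; } BIGPOINT;

BIGPOINT bigxform(BIGPOINT b) {
  for (int i = 0; i < 8; i++) b.v[i] += i + 1;
  return b;
}

/* Returns 0 when every element survived; otherwise the 1-based index of the
 * first corrupted element (positive for POINT, negative for BIGPOINT). */
int check_struct_copies(void) {
  const int seeds[4][3] = { {1,0,0}, {0,1,0}, {0,0,1}, {1,1,1} }; /* constructed */
  POINT p[4] = { xform((POINT){1,0,0}), xform((POINT){0,1,0}),
                 xform((POINT){0,0,1}), xform((POINT){1,1,1}) };
  BIGPOINT b[2] = { bigxform((BIGPOINT){{1,0,0,0,0,0,0,0}}),
                    bigxform((BIGPOINT){{0,0,0,0,0,0,0,1}}) };
  for (int i = 0; i < 4; i++)
    if (p[i]._0 != seeds[i][0] + 1 || p[i]._1 != seeds[i][1] + 2 ||
        p[i]._2 != seeds[i][2] + 3)
      return i + 1;
  for (int i = 0; i < 2; i++)
    for (int j = 0; j < 8; j++) {
      /* seed is 1 only at the single nonzero element of each constructed input */
      int seed = (i == 0 && j == 0) || (i == 1 && j == 7);
      if (b[i].v[j] != seed + j + 1) return -(i + 1);
    }
  return 0;
}

int main(void) {
  int r = check_struct_copies();
  if (r == 0) printf("struct copies OK\n");
  else printf("struct copy corrupted at %d\n", r);
  return r != 0;
}
```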



* Re: [devel] [lukehlistemail@byu.edu: gcc (<3.2.3) implicit struct copy exploit]
From: Stanislav Ievlev @ 2003-06-02  7:39 UTC (permalink / raw)
  To: devel

On Sun, Jun 01, 2003 at 10:15:49PM +0400, Dmitry V. Levin wrote:
> Gentlemen, once gcc 3.2.3-altX settles into Sisyphus, a full rebuild awaits us.
Maybe go straight to 3.3?

* Re: [devel] [lukehlistemail@byu.edu: gcc (<3.2.3) implicit struct copy exploit]
From: Dmitry V. Levin @ 2003-06-02  9:05 UTC (permalink / raw)
  To: ALT Devel discussion list


On Mon, Jun 02, 2003 at 11:39:12AM +0400, Stanislav Ievlev wrote:
> On Sun, Jun 01, 2003 at 10:15:49PM +0400, Dmitry V. Levin wrote:
> > Gentlemen, once gcc 3.2.3-altX settles into Sisyphus, a full rebuild awaits us.
> Maybe go straight to 3.3?

No, thanks. :)


--
ldv


