From: Stanislav Ievlev
To: devel@altlinux.ru
Date: Mon, 2 Jun 2003 11:39:12 +0400
Subject: Re: [devel] [lukehlistemail@byu.edu: gcc (<3.2.3) implicit struct copy exploit]
Message-ID: <20030602073912.GB8433@basalt.office.altlinux.org>
In-Reply-To: <20030601181549.GA1091@basalt.office.altlinux.org>

On Sun, Jun 01, 2003 at 10:15:49PM +0400, Dmitry V. Levin wrote:
> Gentlemen, once gcc 3.2.3-altX has settled in Sisyphus, a full rebuild
> awaits us. Maybe go straight to 3.3?
>
> ----- Forwarded message from Luke Hutchison -----
>
> Date: Wed, 28 May 2003 17:51:47 -0600
> From: Luke Hutchison
> To: bugtraq@securityfocus.com
> Subject: gcc (<3.2.3) implicit struct copy exploit
>
> There is a bug in GCC, prior to version 3.2.3, which meant that
> performing an implicit struct copy several times in succession would
> result in data from different struct copy operations overwriting each
> other.
>
> This problem is present in at least gcc-3.2 and gcc-3.2.2, i.e. the gcc
> present in RH8.x and RH9.
>
> This bug is potentially a security risk, because data is unintentionally
> "overlapped" between subsequent struct copies. A carefully crafted
> exploit may be able to obtain sensitive information, or run arbitrary
> code (in the case where a struct contains a function pointer).
>
> Here is some code which illustrates the vulnerability:
>
>
> /*
>
> Compile with: gcc -Wall prog.c -o prog && ./prog
>
> I'm using gcc version 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
> Also tested on gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5) [RH9]
> This problem is solved in gcc version 3.2.3 [RawHide]
>
> Actual output:
>
>  0 1 0
>  1 0 0
>  1 2 1
>  2 3 4
>
> Expected output:
>
>  2 2 3
>  1 3 3
>  1 2 4
>  2 3 4
>
> */
>
>
> #include <stdio.h>
>
>
> typedef struct {
>   int _0, _1, _2;
> } POINT;
>
>
> /* Build the result as a compound literal and return it by value:
>    this is the implicit struct copy path affected by the bug. */
> POINT xform(POINT p) {
>   return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
> }
>
>
> int main(void) {
>   int i;
>   /* Four successive struct copies into one array initializer. */
>   POINT p[4] =
>     { xform((POINT) { 1, 0, 0 }),
>       xform((POINT) { 0, 1, 0 }),
>       xform((POINT) { 0, 0, 1 }),
>       xform((POINT) { 1, 1, 1 }) };
>
>   for (i = 0; i < 4; i++)
>     printf(" %d %d %d\n", p[i]._0, p[i]._1, p[i]._2);
>
>   return 0;
> }
>
>
>
> I have reported this bug to RedHat:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=90131
> however it is fixed in RawHide gcc (v.3.2.3), so the bug was closed.
>
>
> It appears, however, from the RH bugzilla report, that there were
> actually multiple struct-copy problems, one which was fixed by
> gcc-3.2.2-5-rh, and one which was fixed by gcc-3.2.3.
>
>
> Implicit struct copying is fortunately not used much by most C
> programmers, although I have struck this problem myself.
>
>
> If it is agreed that this bug poses a potential security risk, my
> suggestion is that all code in gcc that deals with implicit struct
> copying have statements added to send filenames/line numbers to a
> special log file, and that all security-sensitive system packages be
> built with this custom version of gcc, in order that a list of
> potentially vulnerable source files be found. [Unfortunately I do not
> have the time or sufficient background to make these changes myself.]
> Hopefully this issue can be picked up by some interested party.
>
> Thanks!
>
>
> ----- End forwarded message -----
>
> --
> ldv
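The test case above relies on a human comparing printed output with the expected values. As an added example (not part of the original post, the forwarded message, or any gcc or ALT Linux test suite), here is a self-checking version of the same pattern that a distribution could run as a build-time compiler sanity test before rebuilding packages with a new gcc: it recomputes every expected struct field by field (a code path that does not go through struct return or aggregate initialization) and returns the number of mismatches, so a miscompiling compiler fails the build instead of silently shipping overlapped copies. The function-pointer struct is a constructed extension of the same pattern, illustrating the "dispatch through the wrong pointer" risk the post mentions; the names check_point_copies, check_handler_copies, HANDLER and make_handler are this example's own.

```c
#include <stdio.h>

typedef struct { int _0, _1, _2; } POINT;

/* Same as the bugtraq test case: compound literal returned by value,
   i.e. the implicit struct copy path the bug affected. */
static POINT xform(POINT p) {
    return (POINT) { p._0 + 1, p._1 + 2, p._2 + 3 };
}

/* Reference computation done field by field into caller storage.
   No struct return and no aggregate initializer, so it does not depend
   on the code path under test. */
static void xform_ref(const POINT *in, POINT *out) {
    out->_0 = in->_0 + 1;
    out->_1 = in->_1 + 2;
    out->_2 = in->_2 + 3;
}

/* Returns the number of POINT results that differ from the reference.
   0 means the four successive struct copies were handled correctly. */
int check_point_copies(void) {
    /* Same four inputs as the original test case (constructed data). */
    const POINT in[4] = { {1,0,0}, {0,1,0}, {0,0,1}, {1,1,1} };
    POINT p[4] = { xform((POINT) { 1, 0, 0 }),
                   xform((POINT) { 0, 1, 0 }),
                   xform((POINT) { 0, 0, 1 }),
                   xform((POINT) { 1, 1, 1 }) };
    int bad = 0;
    for (int i = 0; i < 4; i++) {
        POINT want;
        xform_ref(&in[i], &want);
        if (p[i]._0 != want._0 || p[i]._1 != want._1 || p[i]._2 != want._2)
            bad++;
    }
    return bad;
}

/* Constructed variant with a function pointer (assumption: this is the
   kind of struct the post has in mind). Each handler carries its own id
   and a function returning that id; if copies overlapped, an entry could
   end up calling a function that belongs to a different entry. */
typedef struct { int id; int (*fn)(void); } HANDLER;

static int h0(void) { return 0; }
static int h1(void) { return 1; }
static int h2(void) { return 2; }
static int h3(void) { return 3; }

static HANDLER make_handler(int id, int (*fn)(void)) {
    return (HANDLER) { id, fn };   /* struct returned by value again */
}

/* Returns the number of handlers whose stored pointer does not belong
   to the entry that claims it. */
int check_handler_copies(void) {
    HANDLER h[4] = { make_handler(0, h0), make_handler(1, h1),
                     make_handler(2, h2), make_handler(3, h3) };
    int bad = 0;
    for (int i = 0; i < 4; i++)
        if (h[i].id != i || h[i].fn() != i)
            bad++;
    return bad;
}

int main(void) {
    int bad = check_point_copies() + check_handler_copies();
    printf("%s: %d mismatching struct copies\n", bad ? "FAIL" : "OK", bad);
    return bad != 0;   /* non-zero exit fails the build */
}
```

Compile with the compiler under test (for example `gcc -Wall -O2 sanity.c -o sanity && ./sanity`) and run it at each optimization level the packages are built with, since a code-generation bug of this kind can depend on optimization settings; a non-zero exit is the signal to hold the rebuild.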