Date: Sat, 19 Apr 2008 06:42:33 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: gcc 4.2 optimizations and integer overflow checks

I'm sorry for failing to find time to comment on this earlier.

On Fri, Apr 18, 2008 at 01:18:32PM +0200, Marcus Meissner wrote:
> On Thu, Apr 10, 2008 at 02:31:13PM -0400, Steven M. Christey wrote:
> > My immediate suspicion is that they're not the same, based solely on
> > affected versions - CVE-2008-1685 has a specific affected version range
> > because it changed behaviors in 4.2.0. Maybe that change came out of
> > followup analysis stemming from CVE-2006-1902.
> >
> > But, I'm not completely sure. Solar?
>
> They are mostly unrelated, one is about signed integers, while the
> new one is "pointer + offset" related.

Yes, I am aware of these two gcc non-bugs - one is that the behavior on
signed integer overflow is undefined, the other is that pointer arithmetic
is only defined within the object (and one element beyond its end). So
this would be two CVEs, if CVEs are to be assigned for things like that at
all (are they for common application bugs? or for the gcc non-bugs?)

However, the current descriptions and references for CVE-2006-1902 and
CVE-2008-1685 are very confusing. Neither appears to be for signed integer
overflows being undefined.

By the way, this issue was discussed on mailing lists in 2002, so I
presume that gcc started doing that kind of optimizations at about that
time. In fact, I've been fixing some of my own older code to use unsigned
arithmetic or to pre-check (rather than post-check) for potential integer
overflows at about that time.

Both CVE-2006-1902 and CVE-2008-1685 refer to gcc bug 26763, which deals
with the pointer arithmetic issue. It appears that gcc developers decided
to not have gcc take full advantage of pointer arithmetic outside of the
object being undefined, thus fixing the bug on 2006-04-05.

But I could be wrong here - maybe the fix is for an actual gcc bug only.
The most straightforward and reliable way to find this out is to ask one
of the gcc developers who worked on this bug (I'd ask Richard Guenther).

Finally, CVE-2008-1685 refers to "gcc 4.2.0 through 4.3.0", which means
that it can't be for the non-bug (or actual bug?) that got fixed in 2006.
Yet I think that the reference to gcc bug 26763 is somewhat relevant,
because both CERT VU#162289 and comments on that bug mention the
wraparound case. My limited understanding is that the fix that got
committed on 2006-04-05 would deal with the wraparound case as well.
However, perhaps - I am just guessing here - the same issue (a non-bug)
got re-introduced with another change to gcc later, and we do not
currently have a reference for that in the CVE entries.

I am really not into gcc internals, so it doesn't make sense for me to
continue to speculate on this. Please ask the people who actually know,
such as Richard.

Thanks,

Alexander
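The two "non-bugs" in the message above (signed overflow being undefined, and pointer arithmetic being defined only inside the object) are both cases where a check written after the operation can be legally discarded by the compiler, while a check written before it cannot. The following is an added example, not code from Solar Designer's post or from gcc; the function names and the 64-byte sample buffer are my own. It places each unsafe post-check pattern beside the pre-check (or unsigned-arithmetic) form the message recommends:

```c
/* Added example (not part of the original message): pre-checking for
 * integer and pointer overflow instead of post-checking.  All names here
 * are illustrative; sample_pkt is a constructed 64-byte buffer. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static unsigned char sample_pkt[64];   /* constructed sample object */

/* UNSAFE: signed post-check.  Signed overflow is undefined behaviour, so a
 * compiler may fold "sum < a" to "b < 0" and emit no overflow test at all.
 * Kept only for contrast; its result is meaningless when a + b overflows. */
int signed_postcheck_overflows(int a, int b)
{
    int sum = a + b;               /* undefined if this overflows */
    return sum < a;
}

/* SAFE: signed pre-check.  The comparison is against the limit, so the
 * addition is never evaluated when it would overflow. */
int signed_add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;
    return a < INT_MIN - b;
}

/* SAFE: unsigned arithmetic.  Wraparound modulo 2^N is well defined for
 * unsigned types, so here a post-check is legitimate and must be kept. */
int unsigned_add_wraps(size_t a, size_t b)
{
    return a + b < a;
}

/* UNSAFE: pointer post-check.  Forming buf + off beyond one past the end of
 * the object is already undefined, and the compiler may assume p >= buf,
 * so this test can be optimised away (the gcc bug 26763 discussion). */
int pointer_postcheck_wraps(const unsigned char *buf, size_t off)
{
    const unsigned char *p = buf + off;   /* undefined if off > object size */
    return p < buf;
}

/* SAFE: bounds pre-check done in size_t arithmetic on offsets, forming the
 * pointer only after proving pos + len <= size.  Returns NULL on rejection.
 * pos == size with len == 0 is accepted: one past the end is still valid. */
const unsigned char *bounded_ptr(const unsigned char *buf, size_t size,
                                 size_t pos, size_t len)
{
    if (pos > size)                /* start already outside the object */
        return NULL;
    if (len > size - pos)          /* size - pos cannot underflow here */
        return NULL;
    return buf + pos;              /* buf + pos + len <= buf + size */
}

int main(void)
{
    printf("INT_MAX + 1 overflows: %d\n", signed_add_would_overflow(INT_MAX, 1));
    printf("SIZE_MAX + 1 wraps:    %d\n", unsigned_add_wraps(SIZE_MAX, 1));
    printf("pos 60, len 8 in 64:   %s\n",
           bounded_ptr(sample_pkt, sizeof sample_pkt, 60, 8) ? "ok" : "rejected");
    printf("pos 16, len SIZE_MAX:  %s\n",
           bounded_ptr(sample_pkt, sizeof sample_pkt, 16, SIZE_MAX) ? "ok" : "rejected");
    return 0;
}
```

The two UNSAFE functions compile cleanly and even appear to work at -O0; the point is that nothing obliges the compiler to preserve them, which is why the pre-check forms are the ones to keep in code that parses untrusted lengths and offsets.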