LWN.net Logo

Advertisement

ThinLinc Terminal Server

Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux applications on the same desktop.

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Sponsored link

Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.

Recent Features

LWN.net Weekly Edition for May 15, 2008

Distributed bug tracking

A Talk with Fedora Project Leader Paul Frields

LWN.net Weekly Edition for May 8, 2008

Blizzard tests the reach of copyright law

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Security

GCC and pointer overflows

By Jonathan Corbet
April 16, 2008
On April 4, CERT put out a scary advisory about the GNU Compiler Collection (GCC). This advisory raises some interesting issues on when such advisories are appropriate, what programmers must do to write secure code, and whether compilers should perform optimizations which could open up security holes in poorly-written code.
Advertisement

In summary, the advisory states:

Some versions of gcc may silently discard certain checks for overflow. Applications compiled with these versions of gcc may be vulnerable to buffer overflows. [...]

Application developers and vendors of large codebases that cannot be audited for use of the defective length checks are urged to avoiding [sic] the use of gcc versions 4.2 and later.

This advisory has disappointed a number of GCC developers, who feel that their project has been singled out in an unfair way. But the core issue is one that C programmers should be aware of, so a closer look is called for.

To understand this issue, consider the following code fragment: 

    char buffer[BUFLEN];
    char *buffer_end = buffer + BUFLEN;

    /* ... */
    unsigned int len;

    if (buffer + len >= buffer_end)
	die_a_gory_death("len is out of range\n");

Here, the programmer is trying to ensure that len (which might come from an untrusted source) fits within the range of buffer. There is a problem, though, in that if len is very large, the addition could cause an overflow, yielding a pointer value which is less than buffer. So a more diligent programmer might check for that case by changing the code to read: 

    if (buffer + len >= buffer_end || buffer + len < buffer)
	loud_screaming_panic("len is out of range\n");

This code should catch all cases; ensuring that len is within range. There is only one little problem: recent versions of GCC will optimize out the second test (returning the if statement to the first form shown above), making overflows possible again. So any code which relies upon this kind of test may, in fact, become vulnerable to a buffer overflow attack.

This behavior is allowed by the C standard, which states that, in a correct program, pointer addition will not yield a pointer value outside of the same object. So the compiler can assume that the test for overflow is always false and may thus be eliminated from the expression. It turns out that GCC is not alone in taking advantage of this fact: some research by GCC developers turned up other compilers (including PathScale, xlC, LLVM, TI Code Composer Studio, and Microsoft Visual C++ 2005) which perform the same optimization. So it seems that the GCC developers have a legitimate reason to be upset: CERT would appear to be telling people to avoid their compiler in favor of others - which do exactly the same thing.

The right solution to the problem, of course, is to write code which complies with the C standard. In this case, rather than doing pointer comparisons, the programmer should simply write something like: 

    if (len >= BUFLEN)
        launch_photon_torpedoes("buffer overflow attempt thwarted\n");

There can be no doubt, though, that incorrectly-written code exists. So the addition of this optimization to GCC 4.2 may cause that bad code to open up a vulnerability which was not there before. Given that, one might question whether the optimization is worth it. In response to a statement (from CERT) that, in the interest of security, overflow tests should not be optimized away, Florian Weimer said:

I don't think this is reasonable. If you use GCC and its C frontend, you want performance, not security. After all, the real issue is not the missing comparison instruction, but the fact that this might lead to subsequent unwanted code execution. There are C implementations that run more or less unmodified C code in an environment which can detect such misuse, but they come at a performance cost few are willing to pay.

Joe Buck added:

Furthermore, there are a number of competitors to GCC. These competitors do not advertise better security than GCC. Instead they claim better performance (though such claims should be taken with a grain of salt). To achieve high performance, it is necessary to take advantage of all of the opportunities for optimization that the C language standard permits.

It is clear that the GCC developers see their incentives as strongly pushing toward more aggressive optimization. That kind of optimization often must assume that programs are written correctly; otherwise the compiler is unable to remove code which, in a correctly-written (standard-compliant) program, is unnecessary. So the removal of pointer overflow checks seems unlikely to go away, though it appears that some new warnings will be added to alert programmers to potentially buggy code. The compiler may not stop programmers from shooting themselves in the foot, but it can often warn them that it is about to happen.

Comments (61 posted)

New vulnerabilities

am-utils: insecure temporary file creation

Package(s):am-utils CVE #(s):CVE-2008-1078
Created:April 11, 2008 Updated:April 16, 2008
Description: From the Gentoo advisory: am-utils creates temporary files insecurely allowing local users to overwrite arbitrary files via a symlink attack.
Alerts:
Gentoo 200804-09 2008-04-10

Comments (none posted)

libpng: denial of service

Package(s):libpng CVE #(s):CVE-2008-1382
Created:April 15, 2008 Updated:April 29, 2008
Description: From the CVE entry: libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
Alerts:
Gentoo 200804-15 2008-04-15
SuSE SUSE-SR:2008:010 2008-04-25
Slackware SSA:2008-119-01 2008-04-29

Comments (none posted)

opera: multiple vulnerabilities

Package(s):opera CVE #(s):CVE-2008-1761 CVE-2008-1762 CVE-2008-1764
Created:April 15, 2008 Updated:April 16, 2008
Description: From the CVE entries: Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted newsfeed source, which triggers an invalid memory access. Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted scaled image pattern in an HTML CANVAS element, which triggers a memory corruption. Unspecified vulnerability in Opera for Windows before 9.27 has unknown impact and attack vectors related to "keyboard handling of password inputs."
Alerts:
Gentoo 200804-14 2008-04-14

Comments (none posted)

python: integer signedness error

Package(s):python CVE #(s):CVE-2008-1721
Created:April 15, 2008 Updated:April 28, 2008
Description: From the CVE entry: Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
Alerts:
Mandriva MDVSA-2008:085 2007-04-15
Debian DSA-1551-1 2008-04-19
rPath rPSA-2008-0149-1 2008-04-25

Comments (none posted)

rsync: integer overflow

Package(s):rsync CVE #(s):CVE-2008-1720
Created:April 11, 2008 Updated:April 17, 2008
Description: From the Debian advisory: Sebastian Krahmer discovered that an integer overflow in rsync's code for handling extended attributes may lead to arbitrary code execution.
Alerts:
Debian DSA-1545-1 2008-04-10
Ubuntu USN-600-1 2008-04-11
Mandriva MDVSA-2008:084 2007-04-11
Fedora FEDORA-2008-3060 2008-04-17
Fedora FEDORA-2008-3047 2008-04-17
Gentoo 200804-16 2008-04-17

Comments (none posted)

squid: insufficient bounds checking

Package(s):squid CVE #(s):CVE-2008-1612
Created:April 15, 2008 Updated:April 29, 2008
Description: From the Ubuntu advisory: It was discovered that Squid did not perform proper bounds checking when processing cache update replies. A remote authenticated user may be able to trigger an assertion error and cause a denial of service. This vulnerability is due to an incorrect fix for CVE-2007-6239.
Alerts:
Ubuntu USN-601-1 2008-04-14
Fedora FEDORA-2008-2740 2008-04-29

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.