User: Password:
Subscribe / Log in / New account


GCC and pointer overflows

By Jonathan Corbet
April 16, 2008
On April 4, CERT put out a scary advisory about the GNU Compiler Collection (GCC). This advisory raises some interesting issues on when such advisories are appropriate, what programmers must do to write secure code, and whether compilers should perform optimizations which could open up security holes in poorly-written code.

In summary, the advisory states:

Some versions of gcc may silently discard certain checks for overflow. Applications compiled with these versions of gcc may be vulnerable to buffer overflows. [...]

Application developers and vendors of large codebases that cannot be audited for use of the defective length checks are urged to avoiding [sic] the use of gcc versions 4.2 and later.

This advisory has disappointed a number of GCC developers, who feel that their project has been singled out in an unfair way. But the core issue is one that C programmers should be aware of, so a closer look is called for.

To understand this issue, consider the following code fragment:

    char buffer[BUFLEN];
    char *buffer_end = buffer + BUFLEN;

    /* ... */
    unsigned int len;

    if (buffer + len >= buffer_end)
	die_a_gory_death("len is out of range\n");

Here, the programmer is trying to ensure that len (which might come from an untrusted source) fits within the range of buffer. There is a problem, though, in that if len is very large, the addition could cause an overflow, yielding a pointer value which is less than buffer. So a more diligent programmer might check for that case by changing the code to read:

    if (buffer + len >= buffer_end || buffer + len < buffer)
	loud_screaming_panic("len is out of range\n");

This code should catch all cases; ensuring that len is within range. There is only one little problem: recent versions of GCC will optimize out the second test (returning the if statement to the first form shown above), making overflows possible again. So any code which relies upon this kind of test may, in fact, become vulnerable to a buffer overflow attack.

This behavior is allowed by the C standard, which states that, in a correct program, pointer addition will not yield a pointer value outside of the same object. So the compiler can assume that the test for overflow is always false and may thus be eliminated from the expression. It turns out that GCC is not alone in taking advantage of this fact: some research by GCC developers turned up other compilers (including PathScale, xlC, LLVM, TI Code Composer Studio, and Microsoft Visual C++ 2005) which perform the same optimization. So it seems that the GCC developers have a legitimate reason to be upset: CERT would appear to be telling people to avoid their compiler in favor of others - which do exactly the same thing.

The right solution to the problem, of course, is to write code which complies with the C standard. In this case, rather than doing pointer comparisons, the programmer should simply write something like:

    if (len >= BUFLEN)
        launch_photon_torpedoes("buffer overflow attempt thwarted\n");

There can be no doubt, though, that incorrectly-written code exists. So the addition of this optimization to GCC 4.2 may cause that bad code to open up a vulnerability which was not there before. Given that, one might question whether the optimization is worth it. In response to a statement (from CERT) that, in the interest of security, overflow tests should not be optimized away, Florian Weimer said:

I don't think this is reasonable. If you use GCC and its C frontend, you want performance, not security. After all, the real issue is not the missing comparison instruction, but the fact that this might lead to subsequent unwanted code execution. There are C implementations that run more or less unmodified C code in an environment which can detect such misuse, but they come at a performance cost few are willing to pay.

Joe Buck added:

Furthermore, there are a number of competitors to GCC. These competitors do not advertise better security than GCC. Instead they claim better performance (though such claims should be taken with a grain of salt). To achieve high performance, it is necessary to take advantage of all of the opportunities for optimization that the C language standard permits.

It is clear that the GCC developers see their incentives as strongly pushing toward more aggressive optimization. That kind of optimization often must assume that programs are written correctly; otherwise the compiler is unable to remove code which, in a correctly-written (standard-compliant) program, is unnecessary. So the removal of pointer overflow checks seems unlikely to go away, though it appears that some new warnings will be added to alert programmers to potentially buggy code. The compiler may not stop programmers from shooting themselves in the foot, but it can often warn them that it is about to happen.

Comments (61 posted)

New vulnerabilities

am-utils: insecure temporary file creation

Package(s):am-utils CVE #(s):CVE-2008-1078
Created:April 11, 2008 Updated:January 7, 2009
Description: From the Gentoo advisory: am-utils creates temporary files insecurely allowing local users to overwrite arbitrary files via a symlink attack.
Fedora FEDORA-2008-10755 am-utils 2008-12-07
Gentoo 200804-09 am-utils 2008-04-10

Comments (none posted)

libpng: denial of service

Package(s):libpng CVE #(s):CVE-2008-1382
Created:April 15, 2008 Updated:June 18, 2009
Description: From the CVE entry: libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory.
Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
Oracle ELSA-2012-0317 libpng 2012-02-21
Fedora FEDORA-2009-6603 libpng 2009-06-18
Debian DSA-1750-1 libpng 2009-03-22
Ubuntu USN-730-1 libpng 2009-03-06
CentOS CESA-2009:0333 libpng 2009-03-05
Red Hat RHSA-2009:0333-01 libpng 2009-03-04
Fedora FEDORA-2009-2128 libpng 2009-02-26
Gentoo 200812-15 povray 2008-12-14
Fedora FEDORA-2008-9379 libpng10 2008-11-13
Fedora FEDORA-2008-9393 libpng10 2008-11-13
Mandriva MDVSA-2008:156 libpng 2007-07-28
Fedora FEDORA-2008-4910 libpng 2008-06-03
Fedora FEDORA-2008-4847 libpng 2008-06-03
Fedora FEDORA-2008-4947 libpng 2008-06-03
Fedora FEDORA-2008-3683 libpng10 2008-05-28
Fedora FEDORA-2008-3937 libpng10 2008-05-28
Fedora FEDORA-2008-3979 libpng10 2008-05-28
Gentoo 200805-10 pngcrush 2008-05-11
rPath rPSA-2008-0151-1 libpng 2008-04-29
Slackware SSA:2008-119-01 libpng 2008-04-29
SuSE SUSE-SR:2008:010 licq, libpng, asterisk, openldap2, audit, blender 2008-04-25
Gentoo 200804-15 libpng 2008-04-15

Comments (none posted)

opera: multiple vulnerabilities

Package(s):opera CVE #(s):CVE-2008-1761 CVE-2008-1762 CVE-2008-1764
Created:April 15, 2008 Updated:April 16, 2008
Description: From the CVE entries: Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted newsfeed source, which triggers an invalid memory access. Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted scaled image pattern in an HTML CANVAS element, which triggers a memory corruption. Unspecified vulnerability in Opera for Windows before 9.27 has unknown impact and attack vectors related to "keyboard handling of password inputs."
Gentoo 200804-14 opera 2008-04-14

Comments (none posted)

python: integer signedness error

Package(s):python CVE #(s):CVE-2008-1721
Created:April 15, 2008 Updated:July 30, 2009
Description: From the CVE entry: Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
CentOS CESA-2009:1176 python 2009-07-29
Red Hat RHSA-2009:1176-01 python 2009-07-27
Red Hat RHSA-2009:1177-01 python 2009-07-27
Ubuntu USN-632-1 python2.4, python2.5 2008-08-01
Debian DSA-1620-1 python2.5 2008-07-27
Gentoo 200807-01 python 2008-07-01
rPath rPSA-2008-0149-1 python, idle 2008-04-25
Debian DSA-1551-1 python2.4 2008-04-19
Mandriva MDVSA-2008:085 python 2007-04-15

Comments (none posted)

rsync: integer overflow

Package(s):rsync CVE #(s):CVE-2008-1720
Created:April 11, 2008 Updated:May 9, 2008
Description: From the Debian advisory: Sebastian Krahmer discovered that an integer overflow in rsync's code for handling extended attributes may lead to arbitrary code execution.
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Gentoo 200804-16 rsync 2008-04-17
Fedora FEDORA-2008-3047 rsync 2008-04-17
Fedora FEDORA-2008-3060 rsync 2008-04-17
Mandriva MDVSA-2008:084 rsync 2007-04-11
Ubuntu USN-600-1 rsync 2008-04-11
Debian DSA-1545-1 rsync 2008-04-10

Comments (none posted)

squid: insufficient bounds checking

Package(s):squid CVE #(s):CVE-2008-1612
Created:April 15, 2008 Updated:March 25, 2009
Description: From the Ubuntu advisory: It was discovered that Squid did not perform proper bounds checking when processing cache update replies. A remote authenticated user may be able to trigger an assertion error and cause a denial of service. This vulnerability is due to an incorrect fix for CVE-2007-6239.
Gentoo 200903-38 squid 2009-03-24
Debian DSA-1646-2 squid 2008-10-11
Debian DSA-1646-1 squid 2008-10-07
Mandriva MDVSA-2008:134 squid 2007-07-04
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Fedora FEDORA-2008-2740 squid 2008-04-29
Ubuntu USN-601-1 squid 2008-04-14

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds