another SSP bug? (Re: userland ppp ("No context" errors))
YONETANI Tomokazu
qhwt+dfly at les.ath.cx
Mon Jun 19 09:22:07 PDT 2006
On Mon, Jun 19, 2006 at 02:20:36PM +0200, joerg at xxxxxxxxxxxxxxxxx wrote:
> On Mon, Jun 19, 2006 at 09:13:15PM +0900, YONETANI Tomokazu wrote:
> > I have almost zero knowledge of how stack protector works, but
> > does it only care about char array of size greater than 8 bytes
> > (8 bytes was ok)? I also tried int[] and double[], but none of them
> > did it.
>
> Hm. Could be a bug in the reordering done for character arrays only.
> If you can create a smaller testcase, we can bug Etoh about it :-)
Done. It's very hard to narrow down when gdb lies to me :)
(attached)
/*
 * SSP tickler
 *
 * expected results (says "OK")
 *     gcc -W -Wall -pipe -O -march=i586 ssp.c && ./a.out
 *     gcc -W -Wall -pipe -O2 ssp.c && ./a.out
 *     gcc -W -Wall -pipe -O2 -fno-stack-protector -march=i586 ssp.c && ./a.out
 *         (bug untriggered without SSP)
 *     gcc -W -Wall -pipe -O3 -march=i586 ssp.c && ./a.out
 *         (baz[] optimized out?)
 *
 * unexpected results (says "NG")
 *     gcc -W -Wall -pipe -Os -fstack-protector -march=i586 ssp.c && ./a.out
 *     gcc -W -Wall -pipe -O2 -fstack-protector -march=i586 ssp.c && ./a.out
 *
 * NOTES
 * - tested on the following compiler:
 *     gcc 3.4.5 20050809 (prerelease) [DragonFly] (propolice, visibility)
 * - only -Os and -O2 give you the unexpected result.
 * - -march or -mtune set to pentium or better is affected.
 * - -fno-strict-aliasing has no effect on the result.
 */
#include <stdio.h>

int foo;
int true_expr = 1;      /* kept global so the compiler cannot fold the tests away */

static int
bar(void *p)
{
    char baz[9];        /* char array larger than 8 bytes: what makes SSP touch this frame */
    int val = 1;

    /* just to quiet gcc, no effects on the result */
    (void)baz; (void)val;

    if (true_expr && !p)
        p = &foo;       /* p is non-NULL from here on ... */
    if (true_expr && !p)
        return 1;       /* ... so this branch must never be taken */
    else
        return 0;
}

int
main(void)
{
    printf("%s\n", bar(NULL) ? "NG" : "OK");
    return 0;
}