another SSP bug? (Re: userland ppp ("No context" errors))

YONETANI Tomokazu qhwt+dfly at les.ath.cx
Mon Jun 19 09:22:07 PDT 2006


On Mon, Jun 19, 2006 at 02:20:36PM +0200, joerg at xxxxxxxxxxxxxxxxx wrote:
> On Mon, Jun 19, 2006 at 09:13:15PM +0900, YONETANI Tomokazu wrote:
> > I have almost zero knowledge of how stack protector works, but
> > does it only care about char array of size greater than 8 bytes
> > (8 bytes was ok)?  I also tried int[] and double[], but none of them
> > did it.
> 
> Hm. Could be a bug in the reordering done for character arrays only.
> If you can create a smaller testcase, we can bug Etoh about it :-)

Done.  It's very hard to narrow down when gdb lies to me :)
(attached)
/*
 * SSP tickler
 *
 * expected results (says "OK")
 *   gcc -W -Wall -pipe -O -march=i586 ssp.c && ./a.out
 *   gcc -W -Wall -pipe -O2 ssp.c && ./a.out
 *   gcc -W -Wall -pipe -O2 -fno-stack-protector -march=i586 ssp.c && ./a.out
 *	(bug untriggered without SSP)
 *   gcc -W -Wall -pipe -O3 -march=i586 ssp.c && ./a.out
 *	(baz[] optimized out?)
 *
 * unexpected results (says "NG")
 *   gcc -W -Wall -pipe -Os -fstack-protector -march=i586 ssp.c && ./a.out
 *   gcc -W -Wall -pipe -O2 -fstack-protector -march=i586 ssp.c && ./a.out
 *
 * NOTES
 * - tested on the following compiler:
 *	gcc 3.4.5 20050809 (prerelease) [DragonFly] (propolice, visibility)
 * - only -Os and -O2 give you unexpected result.
 * - -march or -mtune set to pentium or better is affected.
 * - -fno-strict-aliasing has no effect on the result.
 */
#include <stdio.h>

int foo;
int true_expr = 1;

static int
bar(void *p)
{
	char baz[9];
	int val = 1;

	/* just to quiet gcc, no effects on the result */
	(void)baz; (void)val;

	if (true_expr && !p)
		p = &foo;
	/* p is non-NULL here, so the return-1 branch must never be taken */
	if (true_expr && !p)
		return 1;
	else
		return 0;
}

int
main(void)
{
	printf("%s\n", bar(NULL) ? "NG" : "OK");
	return 0;
}
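Since the question upthread was how the stack protector treats char arrays, here is an added example (not part of the original post or of the gcc/propolice code) that models the two frame layouts in plain structs instead of relying on whatever the compiler emits, so it runs the same everywhere. The guard and pointer constants are assumptions made for the demo; the real guard is a random per-process value. The 9-byte baz[] in the testcase above is what makes bar() eligible for protection in the first place, which is why an 8-byte array did not trigger the bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the per-process random guard SSP places at the top of a
 * protected frame (assumed fixed constant for the demo only). */
#define GUARD_VALUE   0xCAFE0A00u
/* Stand-in for a pointer-sized local (or the saved frame pointer) that an
 * overflow must not be allowed to reach (assumed value for the demo). */
#define POINTER_VALUE 0x11111111u

/* Frame without SSP: the char array sits directly below the word we care
 * about, so writing past the array walks straight into it. */
struct naive_frame {
    char     buf[8];
    uint32_t saved_ptr;
};

/* Frame as ProPolice lays it out: non-array locals at the lowest addresses,
 * then char arrays, then the guard just below the saved frame pointer and
 * return address. An overflow out of buf hits the guard first and can never
 * reach saved_ptr, which now lives below the array. */
struct ssp_frame {
    uint32_t saved_ptr;
    char     buf[8];
    uint32_t guard;
};

/* Unchecked copy into the naive frame (think strcpy on attacker input).
 * Returns 1 if the neighbouring word was clobbered, 0 otherwise. */
int naive_copy_clobbers_pointer(const unsigned char *src, size_t n)
{
    struct naive_frame f;
    size_t limit = sizeof f - offsetof(struct naive_frame, buf);

    f.saved_ptr = POINTER_VALUE;
    if (n > limit)
        n = limit;                      /* stay inside the model frame */
    memcpy((unsigned char *)&f + offsetof(struct naive_frame, buf), src, n);
    return f.saved_ptr != POINTER_VALUE;
}

/* Same copy into the SSP layout. Returns 1 if the guard no longer matches,
 * which is the condition on which the compiler-emitted epilogue check
 * would call __stack_chk_fail; *pointer_clobbered reports whether the
 * pointer local survived. */
int ssp_copy_detects_overflow(const unsigned char *src, size_t n,
                              int *pointer_clobbered)
{
    struct ssp_frame f;
    size_t limit = sizeof f - offsetof(struct ssp_frame, buf);

    f.saved_ptr = POINTER_VALUE;
    f.guard = GUARD_VALUE;
    if (n > limit)
        n = limit;
    memcpy((unsigned char *)&f + offsetof(struct ssp_frame, buf), src, n);
    *pointer_clobbered = (f.saved_ptr != POINTER_VALUE);
    return f.guard != GUARD_VALUE;
}

/* Constructed input: n bytes of 'B' pushed through both layouts.
 * Returns a bitmask: bit 0 naive pointer clobbered, bit 1 SSP guard
 * tripped, bit 2 SSP pointer clobbered (never expected to be set). */
unsigned frame_overflow_probe(size_t n)
{
    unsigned char src[64];
    int clobbered = 0;
    unsigned r = 0;

    if (n > sizeof src)
        n = sizeof src;
    memset(src, 'B', n);
    if (naive_copy_clobbers_pointer(src, n))
        r |= 1u;
    if (ssp_copy_detects_overflow(src, n, &clobbered))
        r |= 2u;
    if (clobbered)
        r |= 4u;
    return r;
}

int main(void)
{
    size_t lens[] = { 8, 9, 12 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        unsigned r = frame_overflow_probe(lens[i]);
        printf("%zu bytes: naive clobbered=%u, ssp guard tripped=%u, "
               "ssp pointer clobbered=%u\n",
               lens[i], r & 1u, (r >> 1) & 1u, (r >> 2) & 1u);
    }
    return 0;
}
```

The point of the reordering is visible in the bitmask: once the copy exceeds the 8-byte array, the naive layout silently loses its pointer while the SSP layout trips the guard and keeps the pointer intact. The testcase in this post is the opposite situation, a frame that was reordered for a char array and then miscompiled; the check above says nothing about that bug, it only shows what the protector is supposed to buy you.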
