public inbox for gcc-bugs@sourceware.org
* [Bug c/105447] New: load introduction when reading an adjacent variable
@ 2022-05-01  8:19 absoler at smail dot nju.edu.cn
From: absoler at smail dot nju.edu.cn @ 2022-05-01  8:19 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447

            Bug ID: 105447
           Summary: load introduction when reading an adjacent variable
           Product: gcc
           Version: 11.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: absoler at smail dot nju.edu.cn
  Target Milestone: ---

Given the following code:

#include <stdio.h>
#pragma pack(1)            /* no tail padding: sizeof(struct S2) == 6 */
struct S2 {
   int  f0;
   short  f1;
};
struct S2 g_32[2][2][1] =
{{{{0x200CC90FL,0x27C9L}},{{0x9A802726L,0x125BL}}},{{{0xE23F1199L,-4L}},{{4294967292UL,0xD72EL}}}};

void f1(struct S2 p1){
    p1.f1+=1;
    int* p=(void*)&p1;
    printf("%x\n",p[1]);   /* bytes 4..7 of the argument: f1, then 2 bytes past the 6-byte struct */
}

int main(){
    scanf("%d", &g_32[0][1][0].f0);   /* the element adjacent to g_32[0][0][0] in memory */
    f1(g_32[0][0][0]);                 /* passed by value; see the generated code below */
}

When it's compiled with gcc-11.3.0 and the -O2/-O1 option, the second statement in
main() is translated as:

 0x0000000000401044 <+4>:     mov    0x2fe5(%rip),%rdi        # 0x404030 <g_32>
 0x000000000040104b <+11>:    callq  0x401150 <f1>

It just loads the first 8 bytes of g_32 directly as the argument, so in f1() the
first 2 bytes of g_32[0][1][0] can be read. For example, when executing this
program with input 1, the output would be 127ca, which could lead to
vulnerabilities.

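Added example, not the reporter's program and not GCC code: it models the 8-byte argument load from the report as byte copies out of the array storage (so the model itself is well-defined), reproduces why the printed word is 127ca for input 1, and places beside it a caller-side copy into zero-filled storage that keeps the two spare bytes constant. It assumes a little-endian target such as the x86_64 one in the report; the flattened array g and all function names are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#pragma pack(1)
struct S2 { int f0; short f1; };      /* 6 bytes under pack(1), no tail padding */
#pragma pack()

/* The report's g_32 flattened to four consecutive elements, so g[1] is the
   neighbour g_32[0][1][0] whose first two bytes leak. (Constructed copy.) */
static struct S2 g[4] = {
    {0x200CC90F, 0x27C9}, {(int)0x9A802726u, 0x125B},
    {(int)0xE23F1199u, -4}, {(int)0xFFFFFFFCu, (short)0xD72Eu}};

/* Stands in for the report's scanf("%d", &g_32[0][1][0].f0). */
void set_neighbour_f0(int v) { g[1].f0 = v; }

/* Replays the callee's view: take an 8-byte argument image, treat its first
   sizeof(struct S2) bytes as p1, do p1.f1 += 1, and return the second 32-bit
   word, i.e. what printf("%x\n", p[1]) printed. Little-endian assumed. */
static uint32_t callee_view(const unsigned char img_in[8]) {
    unsigned char img[8];
    struct S2 p1;
    uint32_t word;
    memcpy(img, img_in, 8);
    memcpy(&p1, img, sizeof p1);
    p1.f1 += 1;
    memcpy(img, &p1, sizeof p1);        /* bytes 6..7 keep whatever arrived */
    memcpy(&word, img + 4, 4);
    return word;
}

/* The -O2 codegen from the report: one 8-byte load of g[idx], which also
   picks up the first two bytes of g[idx+1]. The array is read as bytes so
   the model stays inside the array object (idx must be < 3). */
uint32_t leaked_word_by_value(size_t idx) {
    unsigned char img[8];
    memcpy(img, (const unsigned char *)g + idx * sizeof(struct S2), 8);
    return callee_view(img);
}

/* Caller-side mitigation: build the argument image yourself, copying exactly
   sizeof(struct S2) bytes into zero-filled storage, so the two spare bytes
   are a constant rather than the neighbour's data. */
uint32_t word_after_sanitized_copy(size_t idx) {
    unsigned char img[8] = {0};
    memcpy(img, &g[idx], sizeof(struct S2));
    return callee_view(img);
}
```

The upper 16 bits of the leaked word are exactly the low 16 bits of the neighbour's f0, which is why input 1 shows up as the leading 1 in 127ca.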

* [Bug target/105447] argument passing of packed struct causes aligned read of non-packed struct size with information leak
@ 2022-05-02  7:02 ` rguenth at gcc dot gnu.org
From: rguenth at gcc dot gnu.org @ 2022-05-02  7:02 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |x86_64-*-* i?86-*-*
            Summary|argument passing of packed  |argument passing of packed
                   |struct causes aligned read  |struct causes aligned read
                   |of non-packed struct size   |of non-packed struct size
                   |                            |with information leak

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
It probably happens on more targets.  Am I correct you are worried about the
information leak of the first two bytes of the next array element to the
(possibly external and untrusted) function f1()?


* [Bug target/105447] argument passing of packed struct causes aligned read of non-packed struct size with information leak
@ 2022-05-02  7:04 ` rguenth at gcc dot gnu.org
From: rguenth at gcc dot gnu.org @ 2022-05-02  7:04 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
clang 11 produces

        movl    g_32(%rip), %eax
        movl    g_32+4(%rip), %edi
        shlq    $32, %rdi
        orq     %rax, %rdi
        callq   f1

which does the same just in a less efficient way.

