public inbox for gcc-bugs@sourceware.org
* [Bug c/105447] New: load introduction when reading an adjacent variable
From: absoler at smail dot nju.edu.cn @ 2022-05-01 8:19 UTC
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447
Bug ID: 105447
Summary: load introduction when reading an adjacent variable
Product: gcc
Version: 11.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: absoler at smail dot nju.edu.cn
Target Milestone: ---
Given the following code:
#include <stdio.h>
#pragma pack(1)
struct S2 {
    int f0;     /* 4 bytes */
    short f1;   /* 2 bytes: sizeof(struct S2) == 6, no padding */
};
struct S2 g_32[2][2][1] =
{{{{0x200CC90FL,0x27C9L}},{{0x9A802726L,0x125BL}}},{{{0xE23F1199L,-4L}},{{4294967292UL,0xD72EL}}}};
void f1(struct S2 p1){
    p1.f1+=1;
    int* p=(void*)&p1;
    printf("%x\n",p[1]);   /* bytes 4..7 of the argument: f1 plus 2 bytes past the end of p1 */
}
int main(){
    scanf("%d", &g_32[0][1][0].f0);   /* the element adjacent to g_32[0][0][0] */
    f1(g_32[0][0][0]);
}
When it is compiled with gcc-11.3.0 using the -O2 or -O1 option, the second statement in
main() is translated as:
0x0000000000401044 <+4>: mov 0x2fe5(%rip),%rdi # 0x404030 <g_32>
0x000000000040104b <+11>: callq 0x401150 <f1>
It just loads the first 8 bytes of g_32 directly as the argument, thus in f1() the
first 2 bytes of g_32[0][1][0] can be read. For example, when executing this
program and inputting 1, the output is 127ca, which could lead to
vulnerabilities.
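The 8-byte argument load described in the report, modelled in portable C as an added example (not code from the report or from GCC): the sample array and the helper names are constructed here, the byte order is assumed little-endian as on x86-64, and padded_p1() shows the caller-side mitigation of marshalling the value into a zero-filled register-sized buffer before handing it to a function outside one's control.

```c
#include <stdint.h>
#include <string.h>

/* Same 6-byte packed layout as in the report: no padding after f1. */
#pragma pack(push, 1)
struct S2 {
    int   f0;
    short f1;
};
#pragma pack(pop)

/* Constructed sample mirroring the report: elems[1].f0 plays the role of
 * the value read by scanf() (the reporter typed 1). */
static const struct S2 sample_g[2] = { {0x200CC90F, 0x27C9}, {1, 0x125B} };

/* Models the register load the report shows (mov ...(%rip),%rdi): a full
 * 8-byte word read from the start of elems[0]. Reading 8 of the array's
 * 12 bytes is well defined; bytes 6..7 come from elems[1].f0 (little-endian). */
static uint64_t model_arg_load(const struct S2 elems[2])
{
    uint64_t word;
    memcpy(&word, elems, sizeof word);
    return word;
}

/* Reproduces what the report's f1() prints as p[1]: the upper half of that
 * register after p1.f1 += bump. Its top 16 bits are the neighbour's bytes. */
static uint32_t report_p1(const struct S2 elems[2], short bump)
{
    uint64_t word = model_arg_load(elems);
    uint16_t f1   = (uint16_t)((word >> 32) + (uint16_t)bump);
    uint16_t leak = (uint16_t)(word >> 48);   /* low two bytes of elems[1].f0 */
    return ((uint32_t)leak << 16) | f1;
}

/* Caller-side mitigation (hypothetical helper): copy the value into a
 * zero-filled, register-sized buffer before passing it on, so any over-read
 * hits bytes the caller controls rather than a neighbouring variable.
 * Returns the upper half of the word a callee would then see. */
struct S2_padded { struct S2 s; unsigned char pad[8 - sizeof(struct S2)]; };
static uint32_t padded_p1(const struct S2 *v)
{
    struct S2_padded out;
    uint64_t word;
    memset(&out, 0, sizeof out);      /* pad bytes are zero, not a neighbour */
    memcpy(&out.s, v, sizeof *v);
    memcpy(&word, &out, sizeof word); /* exactly sizeof out bytes are read */
    return (uint32_t)(word >> 32);
}
```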
* [Bug target/105447] argument passing of packed struct causes aligned read of non-packed struct size with information leak
From: rguenth at gcc dot gnu.org @ 2022-05-02 7:02 UTC
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447
Richard Biener <rguenth at gcc dot gnu.org> changed:
What    | Removed                                                                          | Added
--------+----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------
Target  |                                                                                  | x86_64-*-* i?86-*-*
Summary | argument passing of packed struct causes aligned read of non-packed struct size  | argument passing of packed struct causes aligned read of non-packed struct size with information leak
--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
It probably happens on more targets. Am I correct you are worried about the
information leak of the first two bytes of the next array element to the
(possibly external and untrusted) function f1()?
* [Bug target/105447] argument passing of packed struct causes aligned read of non-packed struct size with information leak
From: rguenth at gcc dot gnu.org @ 2022-05-02 7:04 UTC
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447
--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
clang 11 produces
movl g_32(%rip), %eax
movl g_32+4(%rip), %edi
shlq $32, %rdi
orq %rax, %rdi
callq f1
which does the same just in a less efficient way.