public inbox for gcc-help@gcc.gnu.org
From: Vincent Lefevre <vincent+gcc@vinc17.org>
To: gcc-help@gcc.gnu.org
Subject: Silent stack-heap collision under GNU/Linux
Date: Sun, 20 Jul 2014 17:49:00 -0000	[thread overview]
Message-ID: <20140720174911.GE7776@xvii.vinc17.org> (raw)

It appears that GCC can generate code that yields a silent stack-heap
collision under GNU/Linux. I mean, the program doesn't crash (at least
not immediately), the memory just gets corrupted. At the same time,
this overrides the stack-size limit defined at the kernel level
(getrlimit system call / RLIMIT_STACK) because the kernel has no
chance to detect the collision (no page fault); thus this limit
doesn't protect the user, and the problem seems to be on GCC's side.

Why aren't such collisions detected by default?

How can one tell GCC to detect them?

Here's a test case:

------------------------------------------------------------------------
#include <stdio.h>

static char a = 0;
static unsigned long pa, pb, pc;

#define GETADDR(V) \
  do { p##V = (unsigned long) &V; printf ("&" #V " = %016lx\n", p##V); } \
  while (0)

void foo (unsigned long s)
{
  char c[s];   /* VLA sized by the caller: s == &b - &a, so c lands at &a */

  GETADDR(c);
  if (pa >= pc)
    c[pa - pc] = 1;   /* writes into the static variable a, no page fault */
  else
    printf ("Cannot test.\n");
}

int main (int argc, char **argv)
{
  char b;

  GETADDR(a);
  GETADDR(b);

  printf ("a = %d\n", a);
  if (pb > pa)
    foo (pb - pa);   /* distance from the stack (b) down to the data segment (a) */
  else
    printf ("Cannot test.\n");
  printf ("a = %d\n", a);

  return 0;
}
------------------------------------------------------------------------

I get something like:

&a = 0000000000600b20
&b = 00007fffbfea7d2f
a = 0
&c = 0000000000600ac0
a = 1

Same problem with the 32-bit ABI (-m32).

With GCC 4.9.1 (Debian/unstable), the program terminates successfully.
With the 4.10.0 snapshot, I also get a segmentation fault at the end,
but that's too late.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
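Added example, not part of the original message and not GCC's or the kernel's code: the source-level check a practitioner would pair with the problem above. A VLA whose size comes from the caller (here s == &b - &a) can move the stack pointer far past the guard page without the kernel ever seeing a fault, so the size must be bounded before the frame is extended, with a heap fallback for anything larger. STACK_ALLOC_LIMIT, vla_size_ok() and process_buffer() are names and a policy value chosen for this example. Separately from this check, GCC 8 later introduced -fstack-clash-protection, which probes each page of a large stack allocation so the guard page is actually touched; the check below is the complement at the source level.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical per-frame budget for stack allocations (a policy value
   chosen for this example, not a GCC or kernel constant). */
#define STACK_ALLOC_LIMIT ((size_t)64 * 1024)

/* Decide whether a VLA of n bytes may go on the stack.  The kernel cannot
   catch a jump over the guard page, so the check has to happen here,
   before the frame is extended. */
int vla_size_ok(size_t n)
{
    struct rlimit rl;

    if (n == 0 || n > STACK_ALLOC_LIMIT)
        return 0;                     /* zero-length VLA is UB; too big */
    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return 0;                     /* cannot tell: refuse */
    if (rl.rlim_cur != RLIM_INFINITY && n >= rl.rlim_cur / 4)
        return 0;                     /* keep ample headroom under the limit */
    return 1;
}

static unsigned long sum_bytes(const unsigned char *p, size_t n)
{
    unsigned long s = 0;
    for (size_t i = 0; i < n; i++)
        s += p[i];
    return s;
}

/* Fill an n-byte scratch buffer with 0xA5 and return the byte sum.
   *used_heap is set to 0 (stack VLA), 1 (malloc fallback) or -1
   (allocation failed).  An untrusted n can never move the stack pointer
   by more than STACK_ALLOC_LIMIT. */
unsigned long process_buffer(size_t n, int *used_heap)
{
    if (vla_size_ok(n)) {
        unsigned char buf[n];         /* bounded, so it cannot reach the heap */
        memset(buf, 0xA5, n);
        *used_heap = 0;
        return sum_bytes(buf, n);
    }

    unsigned char *buf = malloc(n);   /* large request: heap, not stack */
    if (buf == NULL) {
        *used_heap = -1;
        return 0;
    }
    memset(buf, 0xA5, n);
    *used_heap = 1;
    unsigned long s = sum_bytes(buf, n);
    free(buf);
    return s;
}

int main(void)
{
    /* Constructed inputs: a small size, a 1 MiB size, and an absurd one
       comparable to the stack-to-data-segment distance in the test case. */
    size_t sizes[] = { 1024, (size_t)1 << 20, SIZE_MAX };
    for (size_t i = 0; i < 3; i++) {
        int h;
        unsigned long s = process_buffer(sizes[i], &h);
        printf("n=%zu used_heap=%d sum=%lu\n", sizes[i], h, s);
    }
    return 0;
}
```

With the test case's s (around 0x7fff...) the request goes to malloc, which refuses it, and the write that corrupted a can no longer happen; a size like 1 MiB still works, just from the heap.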


Thread overview: 4+ messages
2014-07-20 17:49 Vincent Lefevre [this message]
2014-07-20 19:04 ` Ian Lance Taylor
2014-07-20 20:37   ` Vincent Lefevre
2014-07-21  9:44 ` Florian Weimer
