public inbox for gcc@gcc.gnu.org
* Bug
@ 1997-12-19 13:54 Gcc
  1997-12-19 14:28 ` Bug Jeffrey A Law
  1997-12-19 16:48 ` Bug Mark Mitchell
  0 siblings, 2 replies; 7+ messages in thread
From: Gcc @ 1997-12-19 13:54 UTC (permalink / raw)
  To: egcs

This is an interesting bug; it occurs on HPUX, not sure if this happens on
other platforms.  If you try to make any type of struct inside a template
function it will generate:

bash-2.01$ gcc --save-temps -v test4.C  
Reading specs from /usr/local/lib/gcc-lib/hppa1.1-hp-hpux10.20/egcs-2.91.03/specs
gcc version egcs-2.91.03 971215 (gcc-2.8.0)
 /usr/local/lib/gcc-lib/hppa1.1-hp-hpux10.20/egcs-2.91.03/cpp -lang-c++ -v -undef -D__GNUC__=2 -D__GNUG__=2 -D__cplusplus -D__GNUC_MINOR__=91 -Dhppa -Dhp9000s800 -D__hp9000s800 -Dhp9k8 -DPWB -Dhpux -Dunix -D__hppa__ -D__hp9000s800__ -D__hp9000s800 -D__hp9k8__ -D__PWB__ -D__hpux__ -D__unix__ -D__hppa -D__hp9000s800 -D__hp9k8 -D__PWB -D__hpux -D__unix -Asystem(unix) -Asystem(hpux) -Acpu(hppa) -Amachine(hppa) -D__EXCEPTIONS -D__hp9000s700 -D_PA_RISC1_1 -D_HPUX_SOURCE -D_HIUX_SOURCE test4.C test4.ii
GNU CPP version egcs-2.91.03 971215 (gcc-2.8.0) (hppa)
#include "..." search starts here:
#include <...> search starts here:
 /usr/local/include/g++
 /usr/local/include
 /usr/local/hppa1.1-hp-hpux10.20/include
 /usr/local/lib/gcc-lib/hppa1.1-hp-hpux10.20/egcs-2.91.03/include
 /usr/include
End of search list.
 /usr/local/lib/gcc-lib/hppa1.1-hp-hpux10.20/egcs-2.91.03/cc1plus test4.ii -quiet -dumpbase test4.cc -version -o test4.s
GNU C++ version egcs-2.91.03 971215 (gcc-2.8.0) (hppa1.1-hp-hpux10.20) compiled by GNU C version egcs-2.91.03 971215 (gcc-2.8.0).
test4.C: In function `void sort(T *, int)':
test4.C:8: Internal compiler error.
test4.C:8: Please submit a full bug report to `egcs-bugs@cygnus.com'.

This type of code can be seen in packages such as doc++.

int main() {
   return (0);
}
 
template< class T > void sort( T* t, int n )
{
   struct asd
   {
      int a;
   } c ;
}

cat test4.ii
        .LEVEL 1.1
        .SPACE $PRIVATE$
        .SUBSPA $DATA$,QUAD=1,ALIGN=8,ACCESS=31
        .SUBSPA $BSS$,QUAD=1,ALIGN=8,ACCESS=31,ZERO,SORT=82
        .SPACE $TEXT$
        .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=44
        .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44,CODE_ONLY
        .IMPORT $global$,DATA
        .IMPORT $$dyncall,MILLICODE
; gcc_compiled.:
        .IMPORT __main,CODE
        .SPACE $TEXT$
        .SUBSPA $CODE$

        .align 4
        .NSUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44,CODE_ONLY
        .EXPORT main,ENTRY,PRIV_LEV=3,RTNVAL=GR
main
        .PROC
        .CALLINFO FRAME=64,CALLS,SAVE_RP,SAVE_SP,ENTRY_GR=3
        .ENTRY
        stw %r2,-20(0,%r30)
        copy %r3,%r1
        copy %r30,%r3
        stwm %r1,64(0,%r30)
        .CALL 
        bl __main,%r2
        nop
        ldi 0,%r28
        bl,n L$0001,0
        ldi 0,%r28
        bl,n L$0001,0
L$0001
        ldw -20(0,%r3),%r2
        ldo 64(%r3),%r30
        ldwm -64(0,%r30),%r3
        bv,n 0(%r2)
        .EXIT
        .PROCEND

One other note, how is one supposed to correctly generate a shared library
on HPUX with egcs generated o files.  I tried
bash-2.01$ g++ -shared -o libtest.sl *.o
/usr/ccs/bin/ld: DP relative code in file /var/tmp/cca12255.o - shared
library must be position
    independent.  Use +z or +Z to recompile.
collect2: ld returned 1 exit status
Yes, the .o files were created with -fPIC; -fpic doesn't make any
difference.  The reason I don't use /usr/bin/ld -b -n -o libtest.sl *.o
is because whenever you use static template members inside a shared library
it will crash whenever you try to access it.  When the shared library is
loaded the constructors for static template members aren't called.  This
can be proven by building an archive library and the core dump goes away.

Thanks




* Re: Bug
  1997-12-19 13:54 Bug Gcc
@ 1997-12-19 14:28 ` Jeffrey A Law
  1997-12-19 16:48 ` Bug Mark Mitchell
  1 sibling, 0 replies; 7+ messages in thread
From: Jeffrey A Law @ 1997-12-19 14:28 UTC (permalink / raw)
  To: Gcc; +Cc: egcs

  In message <Pine.HPP.3.96.971219133552.12226A-100000@sunburst.rose.hp.com> you write:
  > This is an interesting bug; it occurs on HPUX, not sure if this happens on
  > One other note, how is one supposed to correctly generate a shared library
  > on HPUX with egcs generated o files.  I tried
  > bash-2.01$ g++ -shared -o libtest.sl *.o
Add -fPIC/-fpic to the line to link the shared library too.


jeff


* Bug
  1997-12-19 13:54 Bug Gcc
  1997-12-19 14:28 ` Bug Jeffrey A Law
@ 1997-12-19 16:48 ` Mark Mitchell
  1 sibling, 0 replies; 7+ messages in thread
From: Mark Mitchell @ 1997-12-19 16:48 UTC (permalink / raw)
  To: Gcc; +Cc: egcs

>>>>> "Gcc" == Gcc  <gcc@sunburst.rose.hp.com> writes:

    Gcc> This is an interesting bug; it occurs on HPUX, not sure if this
    Gcc> happens on other platforms.  If you try to make any type of
    Gcc> struct inside a template function it will generate:

This is a known bug; see the News file.  However, we should generate a
better error message, and then work on an implementation of this
feature.  It's somewhere on my todo list.

-- 
Mark Mitchell		mmitchell@usa.net
Stanford University	http://www.stanford.edu



* Re: bug
  2004-12-31 19:26 bug Najib Bakari
  2004-12-31 19:59 ` bug Ian Lance Taylor
@ 2004-12-31 20:09 ` Daniel Jacobowitz
  1 sibling, 0 replies; 7+ messages in thread
From: Daniel Jacobowitz @ 2004-12-31 20:09 UTC (permalink / raw)
  To: Najib Bakari; +Cc: gcc

On Fri, Dec 31, 2004 at 07:03:43PM +0000, Najib Bakari wrote:
> an exploit they say it gives root.

For the readers of this list, this is no kind of exploit, just an old
and not especially funny joke.  It preloads a module which overrides
getuid, making bash think it's root.

As usual, don't run suspicious looking code you find on mailing
lists...

-- 
Daniel Jacobowitz
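
Added example, not part of the original thread: the point above, that the posted program only preloads a module overriding getuid, can be checked from inside a process by comparing the libc ID functions with the raw system calls. The struct and function names are hypothetical, and Linux with glibc or musl is assumed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/syscall.h>
#include <sys/auxv.h>

/* On 32-bit x86 the plain syscalls return 16-bit IDs; prefer the *32 variants. */
#ifdef SYS_getuid32
#  define RAW_GETUID  SYS_getuid32
#  define RAW_GETEUID SYS_geteuid32
#else
#  define RAW_GETUID  SYS_getuid
#  define RAW_GETEUID SYS_geteuid
#endif

struct id_view {                 /* hypothetical name, for this example only */
    uid_t wrapper_uid;   /* getuid(): a dynamic symbol a preloaded library can replace */
    uid_t kernel_uid;    /* raw system call: does not go through the getuid symbol */
    uid_t wrapper_euid;
    uid_t kernel_euid;
    int   preload_set;   /* LD_PRELOAD is present in the environment */
    int   secure_exec;   /* AT_SECURE: set by the kernel for setuid/setgid programs */
};

struct id_view collect_id_view(void)
{
    struct id_view v;
    v.wrapper_uid  = getuid();
    v.kernel_uid   = (uid_t)syscall(RAW_GETUID);
    v.wrapper_euid = geteuid();
    v.kernel_euid  = (uid_t)syscall(RAW_GETEUID);
    v.preload_set  = getenv("LD_PRELOAD") != NULL;
    v.secure_exec  = getauxval(AT_SECURE) != 0;
    return v;
}

/* Nonzero when the libc-level answers differ from the kernel's, i.e. the ID
 * functions have been interposed; the process credentials are unchanged. */
int ids_are_interposed(const struct id_view *v)
{
    return v->wrapper_uid != v->kernel_uid || v->wrapper_euid != v->kernel_euid;
}

int main(void)
{
    struct id_view v = collect_id_view();
    printf("getuid()=%lu kernel=%lu  geteuid()=%lu kernel=%lu\n",
           (unsigned long)v.wrapper_uid, (unsigned long)v.kernel_uid,
           (unsigned long)v.wrapper_euid, (unsigned long)v.kernel_euid);
    printf("LD_PRELOAD set: %d  secure-execution mode: %d\n",
           v.preload_set, v.secure_exec);
    if (ids_are_interposed(&v))
        puts("ID functions are interposed; the kernel still sees the real user");
    return ids_are_interposed(&v);
}
```

A shell that reports uid 0 while the kernel values stay at the invoking user's ID has gained no privilege; only the answers of the library functions changed.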


* Re: bug
  2004-12-31 19:26 bug Najib Bakari
@ 2004-12-31 19:59 ` Ian Lance Taylor
  2004-12-31 20:09 ` bug Daniel Jacobowitz
  1 sibling, 0 replies; 7+ messages in thread
From: Ian Lance Taylor @ 2004-12-31 19:59 UTC (permalink / raw)
  To: Najib Bakari; +Cc: gcc

Najib Bakari <weirdobox@gmail.com> writes:

> --------------------------------------------------------
> [N]eo [S]ecurity [T]eam [NST]® - Advisory #01 - 28/12/04
> --------------------------------------------------------
> Program: ld - The GNU linker
> Homepage: http://gcc.gnu.org
> Vulnerable Versions: GNU gcc 3.4.3 and prior
> Risk: High!!
> Impact: Unchecked length fields

If there is a bug here, it is not in ld, nor in gcc, but rather in
ld.so.  ld.so is part of glibc.  Please report this bug to the glibc
maintainers.  For more information, see
    http://sourceware.org/glibc/
Thanks.

Ian


* bug
@ 2004-12-31 19:26 Najib Bakari
  2004-12-31 19:59 ` bug Ian Lance Taylor
  2004-12-31 20:09 ` bug Daniel Jacobowitz
  0 siblings, 2 replies; 7+ messages in thread
From: Najib Bakari @ 2004-12-31 19:26 UTC (permalink / raw)
  To: gcc

an exploit they say it gives root.

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #01 - 28/12/04
--------------------------------------------------------
Program: ld - The GNU linker
Homepage: http://gcc.gnu.org
Vulnerable Versions: GNU gcc 3.4.3 and prior
Risk: High!!
Impact: Unchecked length fields
---------------------------------------------------------

- Description
---------------------------------------------------------
$ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
Value starts and ends with a slash and contains about 1200 characters.
LD_PRELOAD doesn't ignore setuid executables, like this one.
Unchecked length fields.

setuid(0);
setreuid(0,0);
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }

- Tested
---------------------------------------------------------
I have done minimal testing on this.
Slackware 10.0

- Exploitation
---------------------------------------------------------
$gcc ld_xpl_nst.c -o ld_xp_nst
$./ld_xp_nst
sh-3.00# id
uid=0(root) gid=0(root) groups=100(users)
sh-3.00#

This will give you a root shell

- Solutions
--------------------------------------------------------
Not Yet or I don't know xD

- References
--------------------------------------------------------
http://neosecurityteam.org/Advisories/Advisory-01.txt


- Credits
-------------------------------------------------
Discovered by HaCkZaTaN <hck_zatan@hotmail.com>

[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.org/

Got Questions? http://neosecurityteam.org/foros/
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char NstCode[] =
"\x69\x6e\x74\x20\x67\x65\x74\x75\x69"
"\x64\x28\x29\x20\x7b\x20\x72\x65\x74"
"\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a"
"\x69\x6e\x74\x20\x67\x65\x74\x65\x75"
"\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
"\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d"
"\x0a\x69\x6e\x74\x20\x67\x65\x74\x67"
"\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
"\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d"
"\x0a\x69\x6e\x74\x20\x67\x65\x74\x65"
"\x67\x69\x64\x28\x29\x20\x7b\x20\x72"
"\x65\x74\x75\x72\x6e\x20\x30\x3b\x20"
"\x7d\x0a\x0/bin/sh";

void FG(int Opt, int Colour);
void BG(int Colour);
void RC();

int main()
{
FILE *Nst_C;
int x, y;
for(x = 1; x < 2; x++)
for(y = 37; y < 38; y++) {
FG(x,y);
printf("[N]eo [S]ecurity [T]eam [N][S][T]!\n");
}
RC();
Nst_C=fopen("/tmp/nst.c","w");
fprintf(Nst_C,"%s",NstCode);
fclose(Nst_C);
system("gcc -shared -o /tmp/nst.nfo /tmp/nst.c;rm -f /tmp/nst.c");
system("LD_PRELOAD=/tmp/nst.nfo /bin/sh");
for(x = 1; x < 2; x++)
for(y = 37; y < 38; y++) {
FG(x,y);
printf("[N]eo [S]ecurity [T]eam [N][S][T]!\n");
}
RC();
return 0;
}

void FG(int Opt, int Colour) {
printf("\033[%d;%dm", Opt, Colour);
}

void RC() {
printf("\033[0;m");
}

/* Bash Code:

#! /bin/bash
echo -e "\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
>/tmp/nst.c
echo -e "\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
>/tmp/nst.c
echo -e "\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
>/tmp/nst.c
echo -e "\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
>/tmp/nst.c
echo -e "\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
>/tmp/nst.c
echo -e "\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
>/tmp/nst.c
echo -e "\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh">/tmp/nst.c

sleep 1
gcc -shared -o /tmp/nst.nfo /tmp/nst.c
rm -rf /tmp/nst.c
sleep 4
echo -e "\n"
export LD_LIBRARY_PATH=/tmp
LD_PRELOAD=/tmp/nst.nfo /bin/sh
*/


* bug
@ 2000-07-12  8:35 Dennis A. Nazaroff
  0 siblings, 0 replies; 7+ messages in thread
From: Dennis A. Nazaroff @ 2000-07-12  8:35 UTC (permalink / raw)
  To: gcc-bugs, bug-gcc, gcc

[-- Attachment #1: Type: text/plain, Size: 793 bytes --]

Hello!

I want to port RogueWave to WindowsNT for Gnu-Win32.
I am using gcc-2.95.2.
I have some problems:
If I compile Tools.h++ v0710 Windows in static mode, then everything works
right.
If I compile that library in dynamic mode (DLL), then half of the examples
work right, but some (for example: binaryt) don't compile.
Software Parts Manager wrote:
g++    -I. -I../..      -O2 -mthreads -DRW_MULTI_THREAD -D_REENTRANT -D_RWTOOLSDLL     -DRW_NO_STL=1   -c binaryt.cpp

binaryt.cpp:207: Internal compiler error, output_operand_lossage `invalid
expression as operand'

I changed the type of the base class and all its static members to
__declspec(dllexport), but the examples still don't compile.

What do you think about this?

With best wishes
        Dennis A. Nazaroff
P.S. Sorry for my knowledge of English.


[-- Attachment #2: binaryt.cpp --]
[-- Type: text/x-c; charset=unknown-8bit; name="binaryt.cpp", Size: 6228 bytes --]

/*
 * Example 4: class BinaryTree, storing and retrieving collectable strings
 *
 * $Id: binaryt.cpp,v 7.8 1996/09/20 15:05:54 griswolf Exp $
 *
 * Copyright (c) 1989-1999 Rogue Wave Software, Inc.  All Rights Reserved.
 *
 * This computer software is owned by Rogue Wave Software, Inc. and is
 * protected by U.S. copyright laws and other laws and by international
 * treaties.  This computer software is furnished by Rogue Wave Software,
 * Inc. pursuant to a written license agreement and may be used, copied,
 * transmitted, and stored only in accordance with the terms of such
 * license and with the inclusion of the above copyright notice.  This
 * computer software or any other copies thereof may not be provided or
 * otherwise made available to any other person.
 *
 * U.S. Government Restricted Rights.  This computer software is provided
 * with Restricted Rights.  Use, duplication, or disclosure by the
 * Government is subject to restrictions as set forth in subparagraph (c)
 * (1) (ii) of The Rights in Technical Data and Computer Software clause
 * at DFARS 252.227-7013 or subparagraphs (c) (1) and (2) of the
 * Commercial Computer Software – Restricted Rights at 48 CFR 52.227-19,
 * as applicable.  Manufacturer is Rogue Wave Software, Inc., 5500
 * Flatiron Parkway, Boulder, Colorado 80301 USA.
 *
 ***************************************************************************
 */


// Declarations for Binary Tree class:
#include "rw/bintree.h"

/*
 * Declarations for class RWCollectableString.  
 * This class inherits class RWCString and class RWCollectable.  
 * Class RWCollectable has a virtual function compareTo() that is redefined 
 * by class RWCollectableString.  This function is used to order the 
 * RWCollectableStrings in the binary tree.
 */
#include "rw/collstr.h"
#include "rw/rstream.h"

/*
 * "STARTWRAP" and "ENDWRAP" are macros that allow inclusion of ANSI-C header
 * files using standard "C" linkage.  They are necessary for C++ compilers that
 * do not supply their own special "C++" header files and, instead, rely on
 * standard C header files.
 */
STARTWRAP
#include <stdlib.h>
ENDWRAP

/*
 * The following complex conditional inclusion results from mixing
 * new, old, and idiosyncratic header names. It _will_ get better...
 * ... someday.
 */

#ifdef __GLOCK__
#  include <fstream.hxx>
#else
#  ifndef RW_NO_IOSTD
#    include <fstream>
#  else
#    include <fstream.h>
#  endif
#endif


#ifdef applec                          
#  define RW_END_PROMPT   endl << flush
#else                                  
#  define RW_END_PROMPT   flush         
#endif                                 

/*
 * A pointer to this function will be handed to RWBinaryTree::apply() 
 * to enumerate the members of the collection.
 */
static void
printStrings(RWCollectable* c, void*)
{
  /*
   * If we're using the Standard C++ Library and the iostream operators
   * are in the std namespace, we need to pull in namespace std, or
   * scope the operator with std::.
   */
#if !defined(RW_NO_STL) && !defined(RW_NO_STD_NAMESPACE) && !defined(RW_NO_IOSTD)    
  using namespace std;                                                            
#endif
  /*
   *  borland 4 needs the std namespace
   */
#if defined(RW_BCB_NAMESPACE)  
  using namespace std;
#endif
  /*
   * Cast the RWCollectable pointer to a RWCollectableString pointer,
   * then dereference and print.  RWCollectableString inherits
   * its ability to be printed from its base class RWCString.
   */
  cout << * (RWCollectableString*) c << " ";
}


int main()
{
#if !defined(RW_NO_STL) && !defined(RW_NO_STD_NAMESPACE) && !defined(RW_NO_IOSTD)
  using namespace std;
#endif
  /*
   *  borland 4 needs the std namespace
   */
#if defined(RW_BCB_NAMESPACE) 
  using namespace std;
#endif
  RWBinaryTree		B;
  RWCollectableString	aWord;
  RWCollectableString*	pWord;
  int i = 0;

  cout << "***** Example using a Binary Tree (SortedCollection) ******\n";
  
  ifstream inputFile("textfile.in", ios::in);
  if(!inputFile){
    cerr << "Cannot open file textfile.in.\n";
    exit(1);
  }

  cout << "Reading from file \"textfile.in\"...\n";

  // Read until we hit an EOF:
  // Macintosh needs explicit check for eof 

#ifndef macintosh
  while ( inputFile >> aWord )
#else
  while ( !(inputFile >> aWord ).eof() )
#endif  
  { 

    // Transfer it to something off the heap and insert:
    pWord = new RWCollectableString(aWord);
    B.insert(pWord);

    cout << i++ << " " << *pWord << endl;
  }

  cout << "done.\n\nA total of " << i << " words were read.\n";
  cout << "Contents of the tree are:\n\n";
  B.apply(printStrings, 0);    // Uses global function defined above.
  cout << "\n\n";

  // Loop to do various things to the table:
  char option;
  
  while(1){

    cout << "(i)nsert (s)earch (d)elete (c)lear (l)ist e(x)it:\t" << RW_END_PROMPT;

    // Check for EOF or terminating character:
    if ( !(cin >> option).good() || option=='x' || option=='X' ) break;

    switch ( option ) {
    case 'i':		// Insert a word in tree.
    case 'I':
      cout << "Enter word:\t" << RW_END_PROMPT;
      pWord = new RWCollectableString;
      if(pWord){
        if( (cin >> *pWord).good() ) B.insert(pWord);	// Check for failed stream
        else delete pWord;
      }
      else cerr << "Out of memory.\n";
      break;
    case 's':		// Find the number of occurrences of a word.
    case 'S':
      cout << "Enter word:\t" << RW_END_PROMPT;
      cin >> aWord;
      cout << B.occurrencesOf(&aWord) << " occurrences of word in tree.\n";
      break;
    case 'd':   	// Remove a word.
    case 'D':
      cout << "Enter word:\t" << RW_END_PROMPT;
      cin >> aWord;
      B.removeAndDestroy(&aWord);
      break;
    case 'c':
    case 'C':		// Both clear AND destroy the contents
      B.clearAndDestroy();
      break;
    case 'l':
    case 'L':		// List the contents of the tree, in order.
      cout << B.entries() << " entries in tree:\n";
      B.apply(printStrings,0);
      cout << "\n\n";
      break;
    default:
      cerr << "Unrecognized.\n";
    } 	// End switch
  }	// End while

  cout << endl;		// To pretty things up.

  B.clearAndDestroy();	// Not really essential, but good style

  return 0;
}
