public inbox for gcc@gcc.gnu.org
* Re: VU#540517
From: Robert C. Seacord @ 2004-04-02 14:59 UTC (permalink / raw)
  To: Bruno Haible
  Cc: CERT(R) Coordination Center, eggert, drepper, drepper, glibc-sc, gcc

Bruno,

Thanks for the info.  I'm sort of a newbie when it comes to gcc 
maintenance so forgive me if I'm asking stupid questions.

I've downloaded the latest (3.3.3) release and noticed that libgcc2 has 
not been patched.

I also went to the CVS log for gcc/gcc/libgcc2.c and I can see that the 
latest revision 1.168.6.1 of this file has been patched.

However, you claim that this is not the version of __mulvsi3 etc. that 
ends up in /lib/libgcc_s.so.1?  If not, in which source file do these 
versions of the functions originate?  I performed a search of the entire 
3.3.3 distribution and only found the routines here...

The specific version I had been testing on, in which I was able to cause 
undetected integer overflows, was gcc (GCC) 3.2.2 20030222 (Red Hat Linux 
3.2.2-5).  I'll try to repeat these tests on a newer compiler version ASAP.

Believe it or not, we would still consider this a security vulnerability 
even if it has already been patched, since previous versions of the 
software are still in use, and applications which have been built with 
previous gcc versions may also be vulnerable.  However, I would like to 
accurately document which versions are vulnerable.  My best thinking 
right now is that 3.3.3 and previous versions are vulnerable to integer 
overflow.  Could you please confirm this?

Once I have had a chance to evaluate your latest patches I will comment on 
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you prefer to 
keep this discussion private for security reasons.

rCs

-- 
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC 

Work: 412-268-7608
FAX: 412-268-5758



* Re: VU#540517
From: Giovanni Bajo @ 2004-04-02 15:33 UTC (permalink / raw)
  To: Robert C. Seacord, Bruno Haible
  Cc: CERT(R) Coordination Center, eggert, drepper, drepper, glibc-sc,
	gcc, gdr, Roger Sayle

Robert C. Seacord wrote:

> I've downloaded the latest (3.3.3) release and noticed that libgcc2
> has not been patched.
>
> I also went to the CVS log for gcc/gcc/libgcc2.c and I can see that
> the latest revision 1.168.6.1 of this file has been patched.
>
>[....]
>
> Once I have had a chance to evaluate your latest patches I will
> comment on http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you

The patch for this bug was committed to mainline on July 6th, 2003, by Roger
Sayle. This means that it will be available starting from GCC 3.4.0. Previous
versions of GCC did not have this patch. If it turns out to be important for
security reasons, you can ask Gabriel Dos Reis (Release Manager of GCC 3.3,
CC'd in this message) for approval to backport the patch to the 3.3 series (for
3.3.4+). Older release series (3.2 and such) are discontinued now.

Giovanni Bajo



* RE: VU#540517
From: Dave Korn @ 2004-04-02 15:55 UTC (permalink / raw)
  To: gcc

> -----Original Message-----
> From: gcc-owner On Behalf Of Robert C. Seacord
> Sent: 02 April 2004 15:58

> Once I have had a chance to evaluate your latest patches I 
> will comment on 
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=6578 unless you prefer to 
> keep this discussion private for security reasons.


  You kind of blew that by posting it to a public mailing list!  Anyone know
how many subscribers there are to gcc-l?


    cheers, 
      DaveK
-- 
Can't think of a witty .sigline today....
 


* Re: VU#540517
From: Ian Lance Taylor @ 2004-04-02 16:03 UTC (permalink / raw)
  To: Dave Korn; +Cc: gcc

"Dave Korn" <dk@artimi.com> writes:

>   You kind of blew that by posting it to a public mailing list!  Anyone know
> how many subscribers there are to gcc-l?

931.

Of course some of the e-mail addresses are themselves exploders to
other lists, and of course people also read the mailing list via news
and via the web archives.

Ian


* RE: VU#540517
From: Dave Korn @ 2004-04-02 16:06 UTC (permalink / raw)
  To: 'Ian Lance Taylor'; +Cc: gcc

> -----Original Message-----
> From: Ian Lance Taylor 
> Sent: 02 April 2004 17:03

> "Dave Korn" <dk@artimi.com> writes:
> 
> >   You kind of blew that by posting it to a public mailing 
> list!  Anyone know
> > how many subscribers there are to gcc-l?
> 
> 931.

  You're kidding!  That few?!  I expected an order of magnitude greater.

> Of course some of the e-mail addresses are themselves exploders to
> other lists, and of course people also read the mailing list via news
> and via the web archives.

  Yeh, I guess it's impossible to even estimate how far it really spreads.

    cheers, 
      DaveK
-- 
Can't think of a witty .sigline today....


* Re: VU#540517
From: Bruno Haible @ 2004-04-02 17:05 UTC (permalink / raw)
  To: Robert C. Seacord
  Cc: CERT(R) Coordination Center, eggert, drepper, drepper, glibc-sc, gcc

Robert C. Seacord wrote:
> However, you claim that this is not the version of  __mulvsi3 etc. that
> ends up in /lib/libgcc_s.so.1?  if not, in which source file do these
> versions of the functions originate?

I said that on older systems the functions from libgcc2.c end up in
/lib/libc.so.6 and on newer systems they end up in /lib/libgcc_s.so.1.

> my best thinking
> right now is that 3.3.3 and previous versions are vulnerable to integer
> overflow.  could you please confirm this?

All versions of gcc <= 3.3.3 have the bug we are talking about.

However, the term "vulnerable to integer overflow" is applicable to any
software programmed in C/C++ (compiled *without* -ftrapv) or Java or similar
languages. Only languages like ANSI Common Lisp, R5RS Scheme, or
implementations that use GNU gmp, are free from integer overflow
vulnerabilities.

Btw, the impact of the bug is probably zero: I bet that on a typical Linux
system, not a single program is compiled with -ftrapv. (Try googling for
"+cflags +frapv". All occurrences that you find are commented out.)

Bruno

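The thread above concerns the -ftrapv helpers in libgcc2.c (__mulvsi3 and friends) failing to detect some signed overflows. As an added example that is not part of the thread or of GCC's own code, here is an overflow-checked 32-bit signed multiply and negate with the semantics those helpers are meant to provide (reporting overflow instead of trapping), together with a constructed table of edge-case operands that a practitioner can feed to a small -ftrapv-compiled test program to confirm that a given compiler really traps where it should. Function and table names are hypothetical.

```c
/* Added example (not from the thread): overflow-checked 32-bit signed
 * arithmetic with the semantics the -ftrapv helpers in libgcc2.c
 * (__mulvsi3, __negvsi2) are meant to provide, except that it reports
 * the overflow instead of trapping.  Names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>

/* Returns 1 on signed overflow (*out untouched), 0 otherwise. */
int mulv_si32(int32_t a, int32_t b, int32_t *out)
{
    int64_t wide = (int64_t)a * (int64_t)b;  /* exact: always fits in 64 bits */
    if (wide > INT32_MAX || wide < INT32_MIN)
        return 1;
    *out = (int32_t)wide;
    return 0;
}

int negv_si32(int32_t a, int32_t *out)
{
    if (a == INT32_MIN)  /* -INT32_MIN is not representable in 32 bits */
        return 1;
    *out = -a;
    return 0;
}

/* Constructed edge-case vectors for a -ftrapv-compiled binary: expect = 1
 * means a correct __mulvsi3 must trap, 0 means it must not. */
struct vec { int32_t a, b; int expect; };
static const struct vec mul_vectors[] = {
    { 46340, 46340, 0 },   /* 2147395600: largest square that fits */
    { 46341, 46341, 1 },   /* 2147488281 > INT32_MAX */
    { 65536, 32768, 1 },   /* exactly 2^31 */
    { -65536, 32768, 0 },  /* exactly -2^31 == INT32_MIN, fits */
    { INT32_MIN, -1, 1 },  /* 2^31: the classic missed case */
    { INT32_MIN, 1, 0 },
};

/* Returns how many vectors the checked multiply classifies wrongly (0 = ok). */
int check_mul_vectors(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof mul_vectors / sizeof mul_vectors[0]; i++) {
        int32_t r;
        if (mulv_si32(mul_vectors[i].a, mul_vectors[i].b, &r) != mul_vectors[i].expect)
            bad++;
    }
    return bad;
}
```

To audit a compiler, multiply each pair in `mul_vectors` in a program built with -ftrapv and confirm it aborts exactly on the rows with expect = 1.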

* Re: VU#540517
From: Richard Stallman @ 2004-04-03 23:39 UTC (permalink / raw)
  To: Bruno Haible; +Cc: rcs, gcc, glibc-sc, drepper, cert, eggert, drepper

    Btw, the impact of the bug is probably zero: I bet that on a typical Linux
    system, not a single program is compiled with -ftrapv. (Try googling for
    "+cflags +frapv". All occurrences that you find are commented out.)

You're probably right--but if we're having a discussion about the
GNU/Linux system, please let's not call it "Linux".

(See http://www.gnu.org/gnu/gnu-linux-faq.html for more explanation.)
