On 2019-10-21 12:12 +0000, Wilson John wrote:
> I find a vulnerability in gcc. Can you distribute an CVE? When I compile the
> program below, it crashed.
>
> #include<stdio.h>
> #include<string.h>
>
> int main()
> {
> char buff[]="12312312312312312312312*****";
> char *a = "2*";
> char *ptr = memmem(buff, 0x30, a,2);
> printf("%c\n",ptr[0]);
> return 0;
>
> }
>
> My gcc: gcc version 9.1.0 (Ubuntu 9.1.0-2ubuntu2~16.04)
> Reason: when memmem() returns an address which has 64 bits, But the compiled
> program truncates it to 32 bits. So the program crashed by a segment fault.
>
> However, when I write the program below, it doesn’t crash. For malloc()’s
> returning address is 32 bits too(in the userspace).
>
>
> #include<stdio.h>
> #include<string.h>
>
> int main()
> {
> char buff[]="12312312312312312312312*****";
> char *buf=malloc(0x100);
> memcpy(buf,buff,0x40);
> char *a = "2*";
> char *ptr = memmem(buf, 0x30, a,2);
> printf("%c\n",ptr[0]);
> return 0;
>
> }
That's not a bug.
To use memmem() you have to define _GNU_SOURCE. Without _GNU_SOURCE you don't
have a prototype for memmem() so its return type is persumed to be `int`.
Didn't you see the warning compiling this buggy program?
> test.c: In function ‘main’:
> test.c:8:17: warning: implicit declaration of function ‘memmem’; did you mean
> ‘memset’? [-Wimplicit-function-declaration]
> 8 | char *ptr = memmem(buff, 0x30, a,2);
> | ^~~~~~
> | memset
> test.c:8:17: warning: initialization of ‘char *’ from ‘int’ makes pointer from
> integer without a cast [-Wint-conversion]
--
Xi Ruoyao <xry111@xxxxxxxxxxxxxxxx>
School of Aerospace Science and Technology, Xidian University
