Thanks for your reply. That's the question many of us did't notice. ________________________________ 发件人: Xi Ruoyao <xry111@xxxxxxxxxxxxxxxx> 发送时间: 2019年10月21日 2:17 收件人: Wilson John <bsauce0@xxxxxxxxxxx> 抄送: gcc-help@xxxxxxxxxxx <gcc-help@xxxxxxxxxxx> 主题: Re: A common bug about gcc On 2019-10-21 12:12 +0000, Wilson John wrote: > I find a vulnerability in gcc. Can you distribute an CVE? When I compile the > program below, it crashed. > > #include<stdio.h> > #include<string.h> > > int main() > { > char buff[]="12312312312312312312312*****"; > char *a = "2*"; > char *ptr = memmem(buff, 0x30, a,2); > printf("%c\n",ptr[0]); > return 0; > > } > > My gcc: gcc version 9.1.0 (Ubuntu 9.1.0-2ubuntu2~16.04) > Reason: when memmem() returns an address which has 64 bits, But the compiled > program truncates it to 32 bits. So the program crashed by a segment fault. > > However, when I write the program below, it doesn’t crash. For malloc()’s > returning address is 32 bits too(in the userspace). > > > #include<stdio.h> > #include<string.h> > > int main() > { > char buff[]="12312312312312312312312*****"; > char *buf=malloc(0x100); > memcpy(buf,buff,0x40); > char *a = "2*"; > char *ptr = memmem(buf, 0x30, a,2); > printf("%c\n",ptr[0]); > return 0; > > } That's not a bug. To use memmem() you have to define _GNU_SOURCE. Without _GNU_SOURCE you don't have a prototype for memmem() so its return type is persumed to be `int`. Didn't you see the warning compiling this buggy program? > test.c: In function ‘main’: > test.c:8:17: warning: implicit declaration of function ‘memmem’; did you mean > ‘memset’? [-Wimplicit-function-declaration] > 8 | char *ptr = memmem(buff, 0x30, a,2); > | ^~~~~~ > | memset > test.c:8:17: warning: initialization of ‘char *’ from ‘int’ makes pointer from > integer without a cast [-Wint-conversion] -- Xi Ruoyao <xry111@xxxxxxxxxxxxxxxx> School of Aerospace Science and Technology, Xidian University