https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66479
Bug ID: 66479
Summary: -fstack-check doesn't prevent stack allocation with size -1
Product: gcc
Version: 5.1.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: jann at thejh dot net
Target Milestone: ---

[I hope I filed this in the correct place? Sorry, I'm not very familiar with gcc internals.]

It looks like -fstack-check doesn't prevent stack allocations with size (unsigned long)-1 and values close to that.

Repro code:

$ cat stackalloc.c
#include <stdio.h>
#include <bsd/string.h>

int main(void) {
  unsigned long size = -1;
  char buf2[] = "hello world";
  char buf[size];
  strlcpy(buf, "asdfasdf1234", size);
  puts(buf2);
  return 0;
}
$ gcc -o stackalloc stackalloc.c -fstack-check -lbsd -m32 -ggdb -Wall -Wextra
$ ./stackalloc
1234
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/home/jann/tmp/gccroot/bin/../libexec/gcc/x86_64-unknown-linux-gnu/5.1.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with: ../gcc-5.1.0/configure --prefix=/home/jann/tmp/gccroot --disable-bootstrap
Thread model: posix
gcc version 5.1.0 (GCC)

This might be a security problem if an application decides to perform stack allocations with completely attacker-controlled sizes.
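The following is an added example, not part of the bug report and not GCC code. It shows two things a defender would want from this report: first, why a stack probe never fires for a size near (unsigned long)-1 on a 32-bit target (the frame adjustment wraps and the stack pointer moves up by one byte instead of down by 4 GiB), and second, the application-level bound check that must sit in front of any VLA or alloca whose size comes from untrusted input, since -fstack-check cannot be relied on for such values. The bound MAX_STACK_ALLOC and the function names sp_delta, vla_size_ok and bounded_copy are assumptions chosen for this example; bounded_copy reproduces strlcpy's truncate-and-terminate behaviour so it needs no libbsd.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Largest single stack allocation the application accepts.
   Constructed for this example; a real program picks its own limit. */
#define MAX_STACK_ALLOC 4096u

/* Signed change of the stack pointer that "sub sp, size" produces when the
   stack pointer is `bits` wide.  Models the wrap-around seen in the report:
   on a 32-bit target, size 0xFFFFFFFF moves sp *up* by one byte instead of
   reserving 4 GiB, so no guard page is ever touched by a probe. */
int64_t sp_delta(uint64_t size, unsigned bits)
{
    uint64_t mask = (bits >= 64) ? UINT64_MAX : ((1ull << bits) - 1);
    uint64_t wrapped = (0 - size) & mask;     /* (sp_new - sp_old) mod 2^bits */
    /* reinterpret as a two's-complement value of width `bits` */
    if (bits < 64 && (wrapped & (1ull << (bits - 1))))
        return (int64_t)wrapped - (int64_t)(1ull << bits);
    return (int64_t)wrapped;
}

/* Returns 1 if a VLA of `size` bytes is acceptable, 0 otherwise.  Rejects
   zero (a zero-length VLA is undefined), anything above the bound, and
   anything that would not actually grow the frame on this target. */
int vla_size_ok(size_t size)
{
    if (size == 0 || size > MAX_STACK_ALLOC)
        return 0;
    return sp_delta(size, (unsigned)(sizeof(void *) * 8)) < 0;
}

/* Hardened counterpart of the report's copy: the size is validated before
   the VLA exists, so an untrusted size_t of -1 never reaches the allocator.
   Copies src into the buffer with strlcpy-style truncation and NUL
   termination.  Returns the number of bytes stored (excluding the NUL),
   or -1 if the size was rejected. */
long bounded_copy(const char *src, size_t size)
{
    if (!vla_size_ok(size))
        return -1;
    char buf[size];
    size_t n = strlen(src);
    if (n >= size)
        n = size - 1;                 /* leave room for the terminator */
    memcpy(buf, src, n);
    buf[n] = '\0';
    return (long)strlen(buf);
}

int main(void)
{
    printf("sp delta for size 0xFFFFFFFF on a 32-bit target: %lld\n",
           (long long)sp_delta(0xFFFFFFFFull, 32));
    printf("sp delta for size 16 on a 32-bit target: %lld\n",
           (long long)sp_delta(16, 32));
    printf("copy with size -1: %ld\n", bounded_copy("asdfasdf1234", (size_t)-1));
    printf("copy with size 64: %ld\n", bounded_copy("asdfasdf1234", 64));
    return 0;
}
```

Compiled with `-fstack-check` the rejected path never allocates, so the compiler's probing is only ever asked to cover sizes it can actually probe; the explicit upper bound is what makes the VLA safe, not the instrumentation.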