https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78981
Bug ID: 78981
Summary: Sign extension bug when stdlib is not explicitly included while using getenv on amd64.
Product: gcc
Version: 5.4.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: rwincey at securifera dot com
Target Milestone: ---

When compiling the following program using gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)

    #include <stdio.h>
    #include <stdint.h>
    //#include <stdlib.h>
    #include <unistd.h>

    int main( int argc, const char **argv, const char **envp ){
        char *src;
        close(0);
        src = getenv("QUERY_STRING");
        if( !src )
            exit(1);
        puts("Content-Type: text/html\r\n\r");
        puts("<center><br><br><br>");
        printf("Input %s", src);
        return 0;
    }

The compiler adds an unnecessary sign extension instruction after the call to getenv (cdqe), which in my case was changing the address from 0x7fffffffef3b to 0xffffffffffffef3b. After some troubleshooting it was discovered that this was due to stdlib.h not explicitly being defined as an include.

This bug has the potential to cause significant security implications depending on what operations follow the sign extension. It is suggested that the compiler either errors out completely during compilation if stdlib is not included, or properly includes the correct library which will not cause the sign extension assembly instruction to be added.
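The address change described in the report can be reproduced arithmetically. The following is an added example, not part of the original report: it models a caller that treats a 64-bit pointer as a 32-bit `int` (which is how C89 rules type a function called without a declaration) and then sign-extends it, as `cdqe` does. The function names `through_implicit_int` and `classify` are hypothetical, and every sample address except the one quoted from the report is constructed. Building with GCC's `-Werror=implicit-function-declaration` turns the missing declaration into a compile error.

```c
#include <stdint.h>
#include <stdio.h>

/* What happens to a pointer that passes through an implicit `int` return. */
enum outcome { INTACT, HIGH_BITS_CLEARED, SIGN_EXTENDED };

/* Model of the caller's view: only the low 32 bits (EAX) count as the
 * result, and cdqe then sign-extends that value into the full 64 bits. */
uint64_t through_implicit_int(uint64_t real_ptr)
{
    uint64_t low = real_ptr & 0xffffffffULL;
    if (low & 0x80000000ULL)              /* bit 31 set: upper half becomes all ones */
        return low | 0xffffffff00000000ULL;
    return low;                           /* bit 31 clear: upper half becomes zero */
}

/* Classify the damage so a reviewer can see which addresses survive. */
enum outcome classify(uint64_t real_ptr)
{
    uint64_t seen = through_implicit_int(real_ptr);
    if (seen == real_ptr)
        return INTACT;                    /* pointer fit in 31 bits, bug stays hidden */
    return (seen >> 63) ? SIGN_EXTENDED : HIGH_BITS_CLEARED;
}

int main(void)
{
    /* First value is the address from the report; the rest are constructed. */
    const uint64_t samples[] = {
        0x7fffffffef3bULL,  /* stack/environment address from the report */
        0x00602010ULL,      /* constructed: low address below 2 GiB */
        0x7f0012345678ULL   /* constructed: high address with bit 31 clear */
    };
    static const char *names[] = { "intact", "high bits cleared", "sign-extended" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#18llx -> %#18llx  (%s)\n",
               (unsigned long long)samples[i],
               (unsigned long long)through_implicit_int(samples[i]),
               names[classify(samples[i])]);
    return 0;
}
```

Addresses below 2 GiB pass through unchanged, which is why the same source can appear to work on one build or memory layout and fail on another.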