https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83697
Bug ID: 83697
Summary: Integer overflows in dynamically-sized stack allocations with -fstack-clash-protection
Product: gcc
Version: 8.0
Status: UNCONFIRMED
Keywords: wrong-code
Severity: normal
Priority: P3
Component: middle-end
Assignee: unassigned at gcc dot gnu.org
Reporter: fw at gcc dot gnu.org
Target Milestone: ---

Created attachment 43039 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=43039&action=edit
reproducer.c

Reported downstream by John Reiser. Reproducer slightly adjusted (here used with -O2 -fstack-clash-protection -fno-asynchronous-unwind-tables).

When computing the stack allocation size for alloca, an unchecked addition is performed on the passed argument value:

    with_alloca:
            pushq   %rbp
            addq    $23, %rdi

This can result in a wraparound and a smaller-than-requested value. Only this value is passed into the probing machinery, so taken together, the code fails to detect the invalid alloca argument.

A similar thing happens for VLAs; the original size argument is replaced immediately:

    with_vla_1:
            pushq   %rbp
            addq    $15, %rdi

For VLAs, the multiplication also needs to be guarded against overflow:

    with_vla_4:
            pushq   %rbp
            leaq    15(,%rdi,4), %rax
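As an added illustration, not part of the bug report and not GCC's own code, the following C models the size arithmetic the assembly above performs (argument plus 23, or count times 4 plus 15) and shows how an unchecked addition lets an oversized request wrap to a small frame size that the stack-clash probes then never see. The helper names, the assumption that the constant already includes rounding to a 16-byte boundary, and the use of the `__builtin_*_overflow` checks as the guarded variant are choices made for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked model of `addq $23, %rdi` followed by 16-byte rounding
   (the rounding step is an assumption of this model). For a request
   close to SIZE_MAX the addition wraps and the result is tiny, so a
   probe loop driven by this value would not touch the guard page. */
static size_t alloca_frame_size_unchecked(size_t n)
{
    return (n + 23) & ~(size_t)15;
}

/* Guarded model: refuse the request instead of wrapping. */
static bool alloca_frame_size_checked(size_t n, size_t *out)
{
    size_t sum;
    if (__builtin_add_overflow(n, (size_t)23, &sum))
        return false;            /* caller must treat this as invalid */
    *out = sum & ~(size_t)15;
    return true;
}

/* VLA model of `leaq 15(,%rdi,4), %rax` with both the multiply and
   the add guarded, which is what the report asks for. */
static bool vla4_frame_size_checked(size_t count, size_t *out)
{
    size_t bytes, sum;
    if (__builtin_mul_overflow(count, (size_t)4, &bytes))
        return false;
    if (__builtin_add_overflow(bytes, (size_t)15, &sum))
        return false;
    *out = sum & ~(size_t)15;
    return true;
}

int main(void)
{
    size_t out;
    /* Constructed inputs: a sane request and a hostile one. */
    printf("unchecked(100)           = %zu\n", alloca_frame_size_unchecked(100));
    printf("unchecked(SIZE_MAX - 10) = %zu  (wrapped)\n",
           alloca_frame_size_unchecked(SIZE_MAX - 10));
    printf("checked(SIZE_MAX - 10)   -> %s\n",
           alloca_frame_size_checked(SIZE_MAX - 10, &out) ? "ok" : "overflow");
    printf("vla4(SIZE_MAX / 2)       -> %s\n",
           vla4_frame_size_checked(SIZE_MAX / 2, &out) ? "ok" : "overflow");
    return 0;
}
```

The point of the checked variants is that the overflow test must happen on the original argument before it is rewritten; once the wrapped value replaces the argument, as the report shows happening immediately after the function prologue, no later probe can recover the information.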