
Re: [oss-security] Controversy and exploitability of gcc issue 30475 |assert(int+100 > int)|

Georgi Guninski <gguninski AT gmail.com> writes:

> Any workarounds?

> ===poc===
> #include <assert.h>
> #include <stdio.h>

> int foo(int a) {
>   assert(a+100 > a);
>   printf("%d %d\n",a+100,a);
>   return a;
> }

> int main() {
>   foo(100);
>   foo(0x7fffffff);  /* INT_MAX: a+100 overflows, which is undefined behaviour */
> }
> =========

As pointed out in the bug, if you want defined behavior from signed
integer overflow, you can ask for it with -fwrapv:

$ gcc -O3 -fwrapv -o foo foo.c
$ ./foo
200 100
foo: foo.c:5: foo: Assertion `a+100 > a' failed.
Aborted (core dumped)

The C standard says this shouldn't be the default, but software that cares
about avoiding undefined behavior should consider adding -fwrapv, or
carefully writing the check to avoid overflow (something that, sadly, one
needs to become expert in to use C relatively safely).

Or, of course, use a different language that has more safety checks built
into the language definition, although that's obviously a much broader
(and probably off-topic) conversation.

Russ Allbery (eagle AT eyrie.org)             <https://www.eyrie.org/~eagle/>
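The reply above mentions "carefully writing the check to avoid overflow" as the alternative to -fwrapv. The following is an added example, not code from the thread or from the gcc bug: it shows the idiom of testing for overflow before the addition is performed, so the program never executes a signed overflow and the compiler has nothing undefined to optimise away. The function names (add_would_overflow, checked_add, checked_add_builtin, foo_safe) are the example's own; checked_add_builtin uses the GCC/Clang __builtin_add_overflow extension and is assumed to fall back to the portable version on other compilers.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Portable check: decide whether a + b would overflow *before* computing it.
 * INT_MAX - b (for b > 0) and INT_MIN - b (for b <= 0) are always in range,
 * so no expression here can itself overflow.  Example code, not from the
 * original thread. */
static bool add_would_overflow(int a, int b)
{
    if (b > 0)
        return a > INT_MAX - b;
    return a < INT_MIN - b;
}

/* Returns true and stores a + b in *out on success; returns false and leaves
 * *out untouched if the addition would overflow. */
bool checked_add(int a, int b, int *out)
{
    if (add_would_overflow(a, b))
        return false;
    *out = a + b;                 /* well defined: the pre-check guarantees it */
    return true;
}

/* Same contract using the GCC/Clang builtin, which compiles to a flags-based
 * check; on other compilers (assumption) it falls back to checked_add(). */
bool checked_add_builtin(int a, int b, int *out)
{
#if defined(__GNUC__) || defined(__clang__)
    int tmp;
    if (__builtin_add_overflow(a, b, &tmp))
        return false;
    *out = tmp;
    return true;
#else
    return checked_add(a, b, out);
#endif
}

/* The PoC's foo(), rewritten so the guard is well defined at every
 * optimisation level.  Instead of assert(a+100 > a), which relies on the
 * overflow having already happened, it refuses the input and returns -1. */
int foo_safe(int a, int *sum)
{
    if (!checked_add(a, 100, sum))
        return -1;                /* caller sees the overflow; no UB, no abort */
    return 0;
}

int main(void)
{
    /* constructed sample inputs around the edges of int */
    int inputs[] = { 100, INT_MAX - 100, INT_MAX, INT_MIN, -100 };
    int sum;

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (foo_safe(inputs[i], &sum) == 0)
            printf("%d + 100 = %d\n", inputs[i], sum);
        else
            printf("%d + 100 would overflow int\n", inputs[i]);
    }
    return 0;
}
```

Unlike the PoC, this compiles to the same behaviour with or without -O3 and with or without -fwrapv, because no path performs a signed addition whose result is out of range; -fwrapv only changes what happens after an overflow, whereas the pre-check prevents it.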