https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105341
Bug ID: 105341
Summary: Load introduction when writing a global variable
Product: gcc
Version: 9.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: MF21330112 at smail dot nju.edu.cn
Target Milestone: ---

Consider the following code:

int g1;
static short g2[3][6] = {{(-8L),0xD50FL,(-8L),0x6E22L,0xD50FL,0x52F6L},{(-8L),0xECAFL,0x6E22L,0x6E22L,0xECAFL,(-8L)},{(-8L),0xA927L,0x52F6L,0x6E22L,0xA927L,0x6E22L}};
short func_35(unsigned char p1, long long p2) {
    int l1 = 8L;
    if (((unsigned char)p1 + (unsigned char)1L)) {
        unsigned short l2[7] = {0xE3C8L,0xE3C8L,0xE3C8L, 0xE3C8L,0xE3C8L,0xE3C8L,0xE3C8L};
        for (p2 = 6; (p2 >= 2); p2 -= 1) {
            int *l3 = &g1;
            short l4[4][4] = {{0L,0x153EL,0x3343L,0xEF57L},{0L,0x3343L,0xCB45L,0x3343L},{0xCB45L,0x3343L,0L,0xEF57L},{0xF2DBL,0xEF57L,0L,(-2L)}};
            if (l2[p2]) continue;
            (*l3) = (unsigned long long)((l1 != &g2[1][4]) - (unsigned long long)(l4[1][1] &= p1));
        }
    }
    return p2;
}
int main(){ func_35(0,0); printf("%d\n", g1); }

g1's value may be modified through its address held by l3. However, after compiling with -O1 or -O2 on gcc 9.3.0, a redundant load instruction is generated and will be executed. This may introduce vulnerabilities into this program:

func_35:
...
0x000000000000122b <+11>:  mov    0x2de3(%rip),%ecx        # 0x4014 <g1>
...
0x0000000000001274 <+84>:  cmpw   $0x0,0xa(%rax)
0x0000000000001279 <+89>:  mov    $0x1,%esi
0x000000000000127e <+94>:  cmove  %edi,%ecx
0x0000000000001281 <+97>:  cmove  %esi,%edx
0x0000000000001284 <+100>: sub    $0x2,%rax
0x0000000000001288 <+104>: cmp    %r8,%rax
0x000000000000128b <+107>: jne    0x1274 <func_35+84>
0x000000000000128d <+109>: test   %dl,%dl
0x000000000000128f <+111>: je     0x1297 <func_35+119>
0x0000000000001291 <+113>: mov    %ecx,0x2d7d(%rip)        # 0x4014 <g1>