https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105447
Bug ID: 105447
Summary: load introduction when reading an adjacent variable
Product: gcc
Version: 11.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: absoler at smail dot nju.edu.cn
Target Milestone: ---

Given the following code:

    #include <stdio.h>
    #pragma pack(1)
    /* with pack(1) the struct is 6 bytes: f0 at offset 0, f1 at offset 4, no padding */
    struct S2 {
        int f0;
        short f1;
    };
    struct S2 g_32[2][2][1] = {{{{0x200CC90FL,0x27C9L}},{{0x9A802726L,0x125BL}}},{{{0xE23F1199L,-4L}},{{4294967292UL,0xD72EL}}}};
    void f1(struct S2 p1){
        p1.f1 += 1;
        int *p = (void *)&p1;
        /* p[1] covers bytes 4..7 of p1: the 2 bytes of f1 plus 2 bytes past the end of the 6-byte struct */
        printf("%x\n", p[1]);
    }
    int main(){
        scanf("%d", &g_32[0][1][0].f0);   /* g_32[0][1][0] sits directly after g_32[0][0][0] in memory */
        f1(g_32[0][0][0]);
    }

When it is compiled with gcc-11.3.0 with the -O2 or -O1 option, the second statement in main() is translated as:

    0x0000000000401044 <+4>:  mov    0x2fe5(%rip),%rdi   # 0x404030 <g_32>
    0x000000000040104b <+11>: callq  0x401150 <f1>

It just loads the first 8 bytes of g_32 directly as the argument; thus in f1(), the first 2 bytes of g_32[0][1][0] can be read. For example, when executing this program with input 1, the output is 127ca, which could lead to vulnerabilities.
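The byte-level mechanism behind the observation above, as an added example that is not the reporter's code or anything from GCC: the 8-byte argument load is modelled with memcpy over an array laid out like g_32[0][0][0] followed by g_32[0][1][0] (values constructed from the report's initializer), so the result does not depend on what the compiler happens to emit. It assumes a little-endian target, as in the x86-64 disassembly in the report; the array g and the functions s2_size, load_arg_image, leaked_word and field_read are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the report: with pack(1) the struct is 6 bytes,
   f0 at offset 0 and f1 at offset 4, no tail padding. */
#pragma pack(1)
struct S2 { int f0; short f1; };
#pragma pack()

/* Constructed memory image: g[0] plays g_32[0][0][0], g[1] plays the adjacent
   g_32[0][1][0], with the values from the report's initializer. */
static struct S2 g[2] = { {0x200CC90F, 0x27C9}, {(int)0x9A802726u, 0x125B} };

size_t s2_size(void) { return sizeof(struct S2); }   /* 6 */

/* Model of the 8-byte argument load (the movq in the report): bytes 0..5 are
   g[0], bytes 6..7 are the low two bytes of g[1].f0 on a little-endian
   target. Copying from the array keeps this a defined, deterministic read. */
static void load_arg_image(unsigned char img[8])
{
    memcpy(img, g, 8);
}

/* What the report's f1() prints for p[1]: the callee bumps f1, then reads
   4 bytes at offset 4, i.e. the 2 bytes of f1 plus the 2 bytes that followed
   the struct in memory. neighbour_f0 stands for the value read by scanf(). */
uint32_t leaked_word(int neighbour_f0)
{
    unsigned char img[8];
    struct S2 p1;
    uint32_t word;

    g[1].f0 = neighbour_f0;
    load_arg_image(img);
    memcpy(&p1, img, sizeof p1);     /* callee's 6-byte parameter copy */
    p1.f1 += 1;
    memcpy(img, &p1, sizeof p1);     /* bytes 6..7 of img stay as loaded */
    memcpy(&word, img + 4, sizeof word);
    return word;
}

/* In-bounds access to the same field: reads exactly sizeof(short) bytes,
   so nothing beyond p1 is observable. */
uint32_t field_read(int neighbour_f0)
{
    struct S2 p1;

    g[1].f0 = neighbour_f0;
    p1 = g[0];
    p1.f1 += 1;
    return (uint16_t)p1.f1;
}

int main(void)
{
    printf("sizeof(struct S2) = %zu\n", s2_size());
    printf("p[1] with input 1: %x\n", leaked_word(1));
    printf("f1 alone:          %x\n", field_read(1));
    return 0;
}
```

With neighbour_f0 = 1 the modelled p[1] is 0x127ca, the value the report observed: 0x27ca is f1 after the increment and the 0x0001 above it is the low half of the neighbouring f0. field_read() shows the same field read within the bounds of the 6-byte object.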