Vulnerability Note VU#540517

libgcc contains multiple flaws that allow integer type range vulnerabilities to occur at runtime

Original Release date: 30 Apr 2004 | Last revised: 03 Feb 2006

Overview

The libgcc runtime for the gcc and g++ compilers contains multiple flaws that can result in integer type range vulnerabilities in programs that are compiled using the -ftrapv option.

Description

Both gcc and g++ provide an -ftrapv compiler option that, according to the gcc man page, "generates traps for signed overflow on addition, subtraction, multiplication operations." When used, this flag replaces the native assembler instructions that perform these arithmetic operations with calls to arithmetic routines in the libgcc2.c module located in the gcc subdirectory of the gcc distribution. These routines perform checks for overflow conditions and call abort() when a signed overflow condition is detected. These routines implement flawed algorithms for detecting signed overflow conditions, and as a result, do not correctly identify all cases of signed overflow. This can result in developers producing code that they believe is secure but in reality is subject to integer type range vulnerabilities resulting from signed integer overflow and underflow conditions.

All versions of gcc and g++ release 3.3.3 and older are affected. The patch for this bug was committed to mainline on July 6th, 2003, by Roger Sayle, meaning this patch will be available starting from gcc version 3.4.0.

Impact

The complete impact of this vulnerability is not yet known.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Do not rely on the -ftrapv option for preventing signed integer overflow.

Systems Affected

No information available. If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Bruno Haible for reporting this vulnerability.

This document was written by Robert C Seacord.

Other Information

  • CVE IDs: Unknown
  • Date Public: 01 Nov 2000
  • Date First Published: 30 Apr 2004
  • Date Last Updated: 03 Feb 2006
  • Severity Metric: 8.96
  • Document Revision: 9
