search menu icon-carat-right cmu-wordmark

CERT Coordination Center

libgcc contains multiple flaws that allow integer type range vulnerabilities to occur at runtime

Vulnerability Note VU#540517

Original Release Date: 2004-04-30 | Last Revised: 2006-02-03

Overview

The libgcc runtime for the gcc and g++ compilers contain multiple flaws that can result in integer type range vulnerabilities in programs that are compiled using the -ftrapv option.

Description

Both gcc and g++ provide an -ftrapv compiler option that, according to the gcc man page, "generates traps for signed overflow on addition, subtraction, multiplication operations." When used, this flag replaces the native assembler instructions that perform these arithmetic operations with calls to arithmetic routines in the libgcc2.c module located in the gcc subdirectory of the gcc distribution. These routines perform checks for overflow conditions and call abort() when a signed overflow condition is detected. These routines implement flawed algorithms for detecting signed overflow conditions, and as a result, do not correctly identify all cases of signed overflow. This can result in developers producing code that they believe is secure but in reality is subject to integer type range vulnerabilities resulting from signed integer overflow and underflow conditions.

All versions of gcc and g++ release 3.3.3 and older are affected. The patch for this bug was committed to mainline on July 6th, 2003, by Roger Sayle meaning this patch will be available starting from gcc version 3.4.0.

Impact

The complete impact of this vulnerability is not yet known.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Do not rely on the -ftrapv option for preventing signed integer overflow.

Vendor Information

No information available at this time.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Bruno Haible for reporting this vulnerability.

This document was written by Robert C Seacord.

Other Information

CVE IDs: None
Severity Metric: 8.96
Date Public: 2000-11-01
Date First Published: 2004-04-30
Date Last Updated: 2006-02-03 19:57 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.