Cray Inc.

Notified:  April 23, 2008 Updated: April 23, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

GNU Compiler Collection

Updated:  July 29, 2008

Status

  Vulnerable

Vendor Statement

The behaviour of pointer overflow has now changed as of the following (as yet unreleased) versions:

  gcc 4.2.4
  gcc 4.3.1
  gcc 4.4.0

and all subsequent versions (4.2.x where x >= 4, 4.3.y where y >= 1, 4.z where z >= 4).

The optimization under discussion is for comparisons between P + V1 and P + V2, where P is the same pointer and V1 and V2 are variables of some integer type. The C/C++ language standards permit this to be reduced to a comparison between V1 and V2. However, if V1 or V2 are such that the sum with P overflows, then the comparison of V1 and V2 will not yield the same result as actually computing P + V1 and P + V2 and comparing the sums.

The new behaviour as of the above releases is that this optimization is performed by default at -O2 and above, including -Os. It is not performed by default at -O1 or (of course) -O0. The optimization may be enabled for -O1 with the -fstrict-overflow option. The optimization may be disabled for -O2 and above with the -fno-strict-overflow option. When the optimization is enabled, cases where it occurs may be detected by using -Wstrict-overflow=N where N >= 3. Note that using this warning option is likely to yield a number of false positive reports--cases where this or other overflow optimizations are being applied, but where there is no actual problem. Please see the gcc manual for more information about these options.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Vendors and developers using the GNU C compiler should consider using versions of GCC that do not perform the optimization, such as those listed above, or GCC 4.1.2 or earlier versions (but NOT 4.1.0).
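The following is an added illustration, not code from the CERT note, GCC or any vendor: it shows the P + V1 versus P + V2 comparison pattern the GCC statement describes in the form it commonly appears in C bounds checks (a "did the pointer wrap?" test), beside a rewrite that compares integer lengths instead and so does not depend on pointer overflow behaviour. The function names and the buffer sizes are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fragile form (example, not from the note). 'buf + len < buf' compares
 * P + V1 with P + V2 where V2 == 0. As the GCC statement explains, the
 * standard permits folding this to 'len < 0', which is always false for
 * an unsigned len, so at -O2 (or -O1 with -fstrict-overflow) the wrap test
 * may be removed entirely. The statement says -Wstrict-overflow=3 or higher
 * can report such folds, and -fno-strict-overflow disables them. */
static bool fragile_in_bounds(const char *buf, size_t len, const char *end)
{
    if (buf + len < buf)       /* wrap-around test the optimizer may drop */
        return false;
    return buf + len <= end;   /* also forms P + V; meaningless if it wrapped */
}

/* Hardened form: never compute a pointer that could leave the object.
 * 'end' is one past the end of the same object as 'buf', so 'end - buf'
 * is a well-defined integer and the check is pure integer arithmetic. */
static bool robust_in_bounds(const char *buf, size_t len, const char *end)
{
    if (end < buf)             /* caller passed an inverted range */
        return false;
    size_t room = (size_t)(end - buf);
    return len <= room;
}

/* Copy 'len' bytes into dst only when they fit. Returns the number of
 * bytes copied, or 0 when the request is rejected by the hardened check. */
size_t bounded_copy(char *dst, size_t dst_cap, const char *src, size_t len)
{
    char *end = dst + dst_cap;        /* one-past-the-end is a valid pointer */
    if (!robust_in_bounds(dst, len, end))
        return 0;
    memcpy(dst, src, len);
    return len;
}
```

With len close to SIZE_MAX the fragile check either rejects or silently accepts depending on compiler version and -O level, which is exactly the divergence the note is about; the hardened check rejects it under every setting.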

Hewlett-Packard Company

Notified:  April 17, 2008 Updated: April 17, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

IBM Corporation

Notified:  April 17, 2008 Updated: April 17, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Intel Corporation

Notified:  April 17, 2008 Updated: April 25, 2008

Status

  Not Vulnerable

Vendor Statement

I tried the given program with our compiler on IA32 Linux (where int and ptr are both 32 bits). I couldn't ever get it to optimize the test away. It may be possible under some circumstances to get this to happen, but the test case sent doesn't show that for me. I tried icc -O1, -O2, and -O3 levels of optimization, and none of them showed the problem.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Microsoft Corporation

Notified:  April 17, 2008 Updated: April 17, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Silicon Graphics, Inc.

Notified:  April 17, 2008 Updated: April 17, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sun Microsystems, Inc.

Notified:  April 17, 2008 Updated: August 26, 2008

Status

  Not Vulnerable

Vendor Statement

We have run the provided test case on various versions of Sun's C compilers with various levels of optimization and we do not believe that they are impacted by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sybase

Notified:  April 17, 2008 Updated: April 17, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Wind River Systems, Inc.

Notified:  April 17, 2008 Updated: April 17, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.