https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78784

            Bug ID: 78784
           Summary: CRITIC BUG: Create a trash code using trash values of
                    registers.
           Product: gcc
           Version: 6.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rmbeer2 at gmail dot com
  Target Milestone: ---

System: GNU/Linux
Distro: Archlinux
G++ version: g++ (GCC) 6.2.1 20160830
glibc version: 2.24-2

this = 0xbffff4f4
zstrsym = 0xb7a4c510
vsim = 37 (0x25)
tblsym = 0xb7a4a1d0
tblsym[vsim] = 0xb7a4a420
tblsym[vsim].st_name = 19 (0x13)
zstrsym+tblsym[vsim].st_name = "__JCR_LIST__"
zmem = 0xb7a06ef0


202           printf("SUPER PUTO5 %2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
   0xb7f8506a <+2384>:  mov    -0x24(%ebp),%eax //eax = 0xb7a4c510
//this->zstrsym
   0xb7f8506d <+2387>:  lea    (%edx,%eax,1),%ecx //WHAT IS EDX???? HAVE
TRASH!!!
   0xb7f8507d <+2403>:  mov    (%eax),%edx //EDX ALWAYS HAVE TRASH!!!

203              
tblsym[vsim],tblsym[vsim].st_name,zstrsym+tblsym[vsim].st_name);
   0xb7f8505b <+2369>:  mov    -0x6c(%ebp),%eax //eax = 0x25 //this->vsim
   0xb7f8505e <+2372>:  shl    $0x4,%eax //0x25*16
   0xb7f85061 <+2375>:  mov    %eax,%edx //EDX = vsim*16
   0xb7f85063 <+2377>:  mov    -0x20(%ebp),%eax //EAX = 0xb7a4a1d0
//this->tblsym
   0xb7f85066 <+2380>:  add    %edx,%eax
   0xb7f85068 <+2382>:  mov    (%eax),%edx  //tblsym[vsim].st_name
   0xb7f85070 <+2390>:  mov    -0x6c(%ebp),%eax //vsim
   0xb7f85073 <+2393>:  shl    $0x4,%eax
   0xb7f85076 <+2396>:  mov    %eax,%edx  //ERASE THE EDX ?????
   0xb7f85078 <+2398>:  mov    -0x20(%ebp),%eax
   0xb7f8507b <+2401>:  add    %edx,%eax //tblsym+vsim
   0xb7f8507f <+2405>:  mov    -0x6c(%ebp),%eax
   0xb7f85082 <+2408>:  shl    $0x4,%eax //vsim*16
   0xb7f85085 <+2411>:  mov    %eax,%esi
   0xb7f85087 <+2413>:  mov    -0x20(%ebp),%eax
   0xb7f8508a <+2416>:  add    %esi,%eax //&tblsym[vsim]
   0xb7f8508c <+2418>:  sub    $0xc,%esp //WHAT??? RESERVE 3 VALUE FOR LATER
USE PUSHS???
   0xb7f8508f <+2421>:  push   %ecx //ECX HAVE TRASH!!!!
   0xb7f85090 <+2422>:  push   %edx //EDX = vsim*16   *-.-
   0xb7f85091 <+2423>:  pushl  0xc(%eax)  //tblsym[vsim].st_info (Elf32_Sym)
//PARTY TRASH!!!
   0xb7f85094 <+2426>:  pushl  0x8(%eax)  //tblsym[vsim].st_size
   0xb7f85097 <+2429>:  pushl  0x4(%eax)  //tblsym[vsim].st_value
   0xb7f8509a <+2432>:  pushl  (%eax)  //tblsym[vsim].st_name
   0xb7f8509c <+2434>:  pushl  -0x24(%ebp) //0xb7a4c510 //zstrsym //OK
   0xb7f8509f <+2437>:  pushl  -0x6c(%ebp) //vsim  //OK
   0xb7f850a2 <+2440>:  lea    -0x28a8(%ebx),%eax //EBX HAVE TRASH!!!!
   0xb7f850a8 <+2446>:  push   %eax  //String of text?? THIS IS A POSSIBLE BUG
TO SEGFAULT!!!: "SUPER PUTO5 %2x) %8x - %8x - %8x - %s\n"
   0xb7f850a9 <+2447>:  call   0xb7f84450 <printf@plt> //CALL WITH 9 PUSH WHERE
6 VALUES ARE EXPECTED!!! AND 3 VALUES ARE RESERVED BY "SUB", SO THERE ARE 12 VALUES OF PURE
TRASH!!!!!!
   0xb7f850ae <+2452>:  add    $0x30,%esp //REMOVE 12 VALUES

RESULT: SUPER PUTO5 25) b7a4c510 -       13 -  805def0 - (null)


204           printf("SUPER PUTO5b%2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
   0xb7f850c0 <+2470>:  mov    -0x24(%ebp),%eax //eax = 0xb7a4c510
//this->zstrsym
   0xb7f850c3 <+2473>:  add    %eax,%edx //EDX HAVE TRASH!!! (from vsim*16 by
last processed line) //EDX = zstrsym+vsim*16   WHAT?????

205               tblsym[vsim],0x1000,zstrsym+tblsym[vsim].st_name);
   0xb7f850b1 <+2455>:  mov    -0x6c(%ebp),%eax
   0xb7f850b4 <+2458>:  shl    $0x4,%eax
   0xb7f850b7 <+2461>:  mov    %eax,%edx //EDX = vsim*16  //REMOVE THE LAST EDX
PROCESS!!!!
   0xb7f850b9 <+2463>:  mov    -0x20(%ebp),%eax //tblsym
   0xb7f850bc <+2466>:  add    %edx,%eax //tblsym+vsim*16 //&tblsym[vsim] or
tblsym+vsim
   0xb7f850be <+2468>:  mov    (%eax),%edx //tblsym[vsim].st_name
   0xb7f850c5 <+2475>:  mov    -0x6c(%ebp),%eax
   0xb7f850c8 <+2478>:  shl    $0x4,%eax
   0xb7f850cb <+2481>:  mov    %eax,%ecx //ECX = vsim*16
   0xb7f850cd <+2483>:  mov    -0x20(%ebp),%eax //tblsym
   0xb7f850d0 <+2486>:  add    %ecx,%eax //tblsym[vsim]
   0xb7f850d2 <+2488>:  sub    $0xc,%esp  //NOW AGAIN!!! RESERVE 3 VALUE FOR
WHAT????
   0xb7f850d5 <+2491>:  push   %edx  //tblsym[vsim].st_name
   0xb7f850d6 <+2492>:  push   $0x1000 //0x1000 by test output
   0xb7f850db <+2497>:  pushl  0xc(%eax) //AGAIN PARTY TRASH!!!
   0xb7f850de <+2500>:  pushl  0x8(%eax)
   0xb7f850e1 <+2503>:  pushl  0x4(%eax)
   0xb7f850e4 <+2506>:  pushl  (%eax)
   0xb7f850e6 <+2508>:  pushl  -0x24(%ebp) //OK
   0xb7f850e9 <+2511>:  pushl  -0x6c(%ebp) //OK
   0xb7f850ec <+2514>:  lea    -0x2880(%ebx),%eax //AGAIN USE EBX TRASH!!!!
   0xb7f850f2 <+2520>:  push   %eax
   0xb7f850f3 <+2521>:  call   0xb7f84450 <printf@plt> //AGAIN WITH 12 VALUES
WHERE HOPE 6!!!
   0xb7f850f8 <+2526>:  add    $0x30,%esp //REMOVE 12 VALUES

RESULT: SUPER PUTO5b25) b7a4c510 -       13 -  805def0 - (null)


206           printf("SUPER PUTO5c%2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
   0xb7f8510a <+2544>:  mov    -0x24(%ebp),%eax //zstrsym
   0xb7f8510d <+2547>:  add    %edx,%eax //EDX HAVE TRASH!!! (by
tblsym[vsim].st_name from the last process!!) //zstrsym+tblsym[vsim].st_name
WITH A GOOD BUT PRECARIOUS RESULT!!!

207               0x2000,0x1000,zstrsym+tblsym[vsim].st_name);
   0xb7f850fb <+2529>:  mov    -0x6c(%ebp),%eax
   0xb7f850fe <+2532>:  shl    $0x4,%eax
   0xb7f85101 <+2535>:  mov    %eax,%edx //EDX = vsim*16
   0xb7f85103 <+2537>:  mov    -0x20(%ebp),%eax //tblsym
   0xb7f85106 <+2540>:  add    %edx,%eax //tblsym[vsim]
   0xb7f85108 <+2542>:  mov    (%eax),%edx //tblsym[vsim].st_name
   0xb7f8510f <+2549>:  sub    $0x8,%esp //RESERVE 2 VALUE!!!
   0xb7f85112 <+2552>:  push   %eax
   0xb7f85113 <+2553>:  push   $0x1000 //OK
   0xb7f85118 <+2558>:  push   $0x2000 //OK
   0xb7f8511d <+2563>:  pushl  -0x24(%ebp) //OK
   0xb7f85120 <+2566>:  pushl  -0x6c(%ebp) //OK
   0xb7f85123 <+2569>:  lea    -0x2858(%ebx),%eax //EBX ALWAYS HAVE TRASH!!!
   0xb7f85129 <+2575>:  push   %eax
   0xb7f8512a <+2576>:  call   0xb7f84450 <printf@plt> //HAVE 8 VALUE WHERE
6 ARE EXPECTED!!!
   0xb7f8512f <+2581>:  add    $0x20,%esp //REMOVE 8 VALUE

RESULT: SUPER PUTO5c25) b7a4c510 -     2000 -     1000 - __JCR_LIST__
  *This is the expected result, but internally it shows a bad string


208           printf("SUPER PUTO5d%2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
   0xb7f85141 <+2599>:  mov    -0x24(%ebp),%eax //zstrsym
   0xb7f85144 <+2602>:  add    %eax,%edx //EDX HAVE TRASH!!! (by
tblsym[vsim].st_name from the last process!!)  //zstrsym+tblsym[vsim].st_name
WITH A GOOD BUT PRECARIOUS RESULT!!!
   0xb7f85153 <+2617>:  mov    (%eax),%eax //WHAT???? THIS IS A GOOD BUG FOR A
SEGFAULT!!! ALSO EAX IS OVERWRITTEN LATER!!!

209               0x2000,tblsym[vsim].st_name,zstrsym+tblsym[vsim].st_name);
   0xb7f85132 <+2584>:  mov    -0x6c(%ebp),%eax
   0xb7f85135 <+2587>:  shl    $0x4,%eax
   0xb7f85138 <+2590>:  mov    %eax,%edx //vsim*16
   0xb7f8513a <+2592>:  mov    -0x20(%ebp),%eax
   0xb7f8513d <+2595>:  add    %edx,%eax //tblsym[vsim]
   0xb7f8513f <+2597>:  mov    (%eax),%edx //tblsym[vsim].st_name
   0xb7f85146 <+2604>:  mov    -0x6c(%ebp),%eax
   0xb7f85149 <+2607>:  shl    $0x4,%eax
   0xb7f8514c <+2610>:  mov    %eax,%ecx
   0xb7f8514e <+2612>:  mov    -0x20(%ebp),%eax
   0xb7f85151 <+2615>:  add    %ecx,%eax //tblsym[vsim]
   0xb7f85155 <+2619>:  sub    $0x8,%esp //RESERVE 2 VALUE!!!
   0xb7f85158 <+2622>:  push   %edx //OK
   0xb7f85159 <+2623>:  push   %eax //OK
   0xb7f8515a <+2624>:  push   $0x2000 //OK
   0xb7f8515f <+2629>:  pushl  -0x24(%ebp) //OK
   0xb7f85162 <+2632>:  pushl  -0x6c(%ebp) //OK
   0xb7f85165 <+2635>:  lea    -0x2830(%ebx),%eax //EBX HAVE A TRASH!!!!
   0xb7f8516b <+2641>:  push   %eax
   0xb7f8516c <+2642>:  call   0xb7f84450 <printf@plt> //HAVE 8 VALUE WHERE
6 VALUES ARE EXPECTED!!!!
   0xb7f85171 <+2647>:  add    $0x20,%esp //REMOVE 8 VALUE

RESULT: SUPER PUTO5d25) b7a4c510 -     2000 -       13 - __JCR_LIST__
  *This is the expected result, but internally it shows a bad string
