https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78784
Bug ID: 78784 Summary: CRITIC BUG: Create a trash code using trash values of registers. Product: gcc Version: 6.2.1 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c++ Assignee: unassigned at gcc dot gnu.org Reporter: rmbeer2 at gmail dot com Target Milestone: ---
System: GNU/Linux Distro: Archlinux G++ version: g++ (GCC) 6.2.1 20160830 glibc version: 2.24-2

Values at the time of the calls (from the debugger):
this = 0xbffff4f4
zstrsym = 0xb7a4c510
vsim = 37 (0x25)
tblsym = 0xb7a4a1d0
tblsym[vsim] = 0xb7a4a420
tblsym[vsim].st_name = 19 (0x13)
zstrsym+tblsym[vsim].st_name = "__JCR_LIST__"
zmem = 0xb7a06ef0

How to read the listing below. GDB's source-interleaved disassembly groups instructions by source line, so the instructions attributed to line 202 (format string and first two arguments) are printed before those of line 203 even though line 203's instructions have lower addresses and execute first; follow the <+NNNN> offsets in numeric order and every register is defined before it is used. In this i386 position-independent code %ebx holds the GOT pointer (set up in the prologue, which is outside this excerpt), so `lea -0xNNNN(%ebx),%eax` is just the address of the string literal. The `sub $0xc,%esp` / `sub $0x8,%esp` before each call is padding so the total outgoing argument area is a multiple of 16 bytes (36+12 = 48, 24+8 = 32). The actual defect is in the C++ source, not the generated code: `tblsym[vsim]` is a 16-byte Elf32_Sym passed by value to a variadic printf whose matching conversion is `%8x` (expects an unsigned int). On i386 the struct is pushed as four dwords, so the remaining conversions consume the wrong slots and `%s` ends up reading `st_size` (0). That is undefined behaviour; a `%s` handed a non-pointer can also dereference an arbitrary value (crash or information disclosure). `-Wformat` (part of `-Wall`) diagnoses exactly this mismatch.

202 printf("SUPER PUTO5 %2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
0xb7f8506a <+2384>: mov -0x24(%ebp),%eax // eax = zstrsym (0xb7a4c510, from its stack slot)
0xb7f8506d <+2387>: lea (%edx,%eax,1),%ecx // ecx = zstrsym + tblsym[vsim].st_name; %edx was loaded at <+2382>, which runs before this instruction (not trash)
0xb7f8507d <+2403>: mov (%eax),%edx // edx = tblsym[vsim].st_name again (eax = &tblsym[vsim] from <+2401>)
203 tblsym[vsim],tblsym[vsim].st_name,zstrsym+tblsym[vsim].st_name);
0xb7f8505b <+2369>: mov -0x6c(%ebp),%eax // eax = vsim (0x25)
0xb7f8505e <+2372>: shl $0x4,%eax // vsim * sizeof(Elf32_Sym) = vsim*16
0xb7f85061 <+2375>: mov %eax,%edx // edx = vsim*16
0xb7f85063 <+2377>: mov -0x20(%ebp),%eax // eax = tblsym (0xb7a4a1d0)
0xb7f85066 <+2380>: add %edx,%eax // eax = &tblsym[vsim]
0xb7f85068 <+2382>: mov (%eax),%edx // edx = tblsym[vsim].st_name, consumed by the lea at <+2387>
0xb7f85070 <+2390>: mov -0x6c(%ebp),%eax // vsim
0xb7f85073 <+2393>: shl $0x4,%eax
0xb7f85076 <+2396>: mov %eax,%edx // edx = vsim*16; safe to overwrite, the string pointer already lives in ecx
0xb7f85078 <+2398>: mov -0x20(%ebp),%eax
0xb7f8507b <+2401>: add %edx,%eax // eax = &tblsym[vsim]
0xb7f8507f <+2405>: mov -0x6c(%ebp),%eax
0xb7f85082 <+2408>: shl $0x4,%eax // vsim*16
0xb7f85085 <+2411>: mov %eax,%esi
0xb7f85087 <+2413>: mov -0x20(%ebp),%eax
0xb7f8508a <+2416>: add %esi,%eax // eax = &tblsym[vsim]
0xb7f8508c <+2418>: sub $0xc,%esp // 12 bytes of padding: 9 pushes (36 bytes) + 12 = 48, keeps the stack 16-byte aligned at the call
0xb7f8508f <+2421>: push %ecx // arg 8: zstrsym+tblsym[vsim].st_name (valid pointer)
0xb7f85090 <+2422>: push %edx // arg 7: tblsym[vsim].st_name (loaded at <+2403>)
0xb7f85091 <+2423>: pushl 0xc(%eax) // arg 6: 4th dword of the Elf32_Sym (st_info/st_other/st_shndx) -- the struct is being passed by value
0xb7f85094 <+2426>: pushl 0x8(%eax) // arg 5: tblsym[vsim].st_size
0xb7f85097 <+2429>: pushl 0x4(%eax) // arg 4: tblsym[vsim].st_value
0xb7f8509a <+2432>: pushl (%eax) // arg 3: tblsym[vsim].st_name (first dword of the struct)
0xb7f8509c <+2434>: pushl -0x24(%ebp) // arg 2: zstrsym (0xb7a4c510)
0xb7f8509f <+2437>: pushl -0x6c(%ebp) // arg 1: vsim
0xb7f850a2 <+2440>: lea -0x28a8(%ebx),%eax // address of the format string, relative to the GOT pointer in %ebx (i386 PIC)
0xb7f850a8 <+2446>: push %eax // arg 0: "SUPER PUTO5 %2x) %8x - %8x - %8x - %s\n"
0xb7f850a9 <+2447>: call 0xb7f84450 <printf@plt> // 9 pushes = format + 2 scalars + the 4 dwords of the by-value Elf32_Sym + 2 scalars; the format has only 5 conversions, so they are matched against the wrong stack slots
0xb7f850ae <+2452>: add $0x30,%esp // pop 36 bytes of arguments + 12 bytes of padding
RESULT: SUPER PUTO5 25) b7a4c510 - 13 - 805def0 - (null)
(%2x = vsim, %8x = zstrsym, %8x = st_name = 0x13, %8x = st_value = 0x805def0, %s = st_size = 0 -> glibc prints "(null)". The real string pointer was pushed but is never reached by the format, which is the undefined behaviour of passing a struct where `%x` expects an unsigned int.)
204 printf("SUPER PUTO5b%2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
0xb7f850c0 <+2470>: mov -0x24(%ebp),%eax // eax = zstrsym
0xb7f850c3 <+2473>: add %eax,%edx // edx = zstrsym + tblsym[vsim].st_name; %edx was loaded at <+2468>, which runs first (not trash)
205 tblsym[vsim],0x1000,zstrsym+tblsym[vsim].st_name);
0xb7f850b1 <+2455>: mov -0x6c(%ebp),%eax
0xb7f850b4 <+2458>: shl $0x4,%eax
0xb7f850b7 <+2461>: mov %eax,%edx // edx = vsim*16
0xb7f850b9 <+2463>: mov -0x20(%ebp),%eax // tblsym
0xb7f850bc <+2466>: add %edx,%eax // eax = &tblsym[vsim]
0xb7f850be <+2468>: mov (%eax),%edx // edx = tblsym[vsim].st_name
0xb7f850c5 <+2475>: mov -0x6c(%ebp),%eax
0xb7f850c8 <+2478>: shl $0x4,%eax
0xb7f850cb <+2481>: mov %eax,%ecx // ecx = vsim*16
0xb7f850cd <+2483>: mov -0x20(%ebp),%eax // tblsym
0xb7f850d0 <+2486>: add %ecx,%eax // eax = &tblsym[vsim]
0xb7f850d2 <+2488>: sub $0xc,%esp // alignment padding again: 9 pushes (36 bytes) + 12 = 48
0xb7f850d5 <+2491>: push %edx // arg 7: zstrsym+tblsym[vsim].st_name (edx was updated at <+2473>, so this is the string pointer, not st_name)
0xb7f850d6 <+2492>: push $0x1000 // arg 6: 0x1000
0xb7f850db <+2497>: pushl 0xc(%eax) // arg 5: 4th dword of the Elf32_Sym -- the struct is passed by value again
0xb7f850de <+2500>: pushl 0x8(%eax) // arg 4: tblsym[vsim].st_size
0xb7f850e1 <+2503>: pushl 0x4(%eax) // arg 3: tblsym[vsim].st_value
0xb7f850e4 <+2506>: pushl (%eax) // arg 2: tblsym[vsim].st_name (first dword of the struct)
0xb7f850e6 <+2508>: pushl -0x24(%ebp) // zstrsym
0xb7f850e9 <+2511>: pushl -0x6c(%ebp) // vsim
0xb7f850ec <+2514>: lea -0x2880(%ebx),%eax // address of the format string via the GOT pointer in %ebx
0xb7f850f2 <+2520>: push %eax
0xb7f850f3 <+2521>: call 0xb7f84450 <printf@plt> // again 9 pushes against 5 conversions because of the by-value struct
0xb7f850f8 <+2526>: add $0x30,%esp // 36 + 12
RESULT: SUPER PUTO5b25) b7a4c510 - 13 - 805def0 - (null)
(Same mismatch as line 202: the third and fourth %8x print st_name and st_value, and %s reads st_size == 0.)
206 printf("SUPER PUTO5c%2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
0xb7f8510a <+2544>: mov -0x24(%ebp),%eax // eax = zstrsym
0xb7f8510d <+2547>: add %edx,%eax // eax = zstrsym + tblsym[vsim].st_name; %edx was loaded at <+2542>, which runs first
207 0x2000,0x1000,zstrsym+tblsym[vsim].st_name);
0xb7f850fb <+2529>: mov -0x6c(%ebp),%eax
0xb7f850fe <+2532>: shl $0x4,%eax
0xb7f85101 <+2535>: mov %eax,%edx // edx = vsim*16
0xb7f85103 <+2537>: mov -0x20(%ebp),%eax // tblsym
0xb7f85106 <+2540>: add %edx,%eax // eax = &tblsym[vsim]
0xb7f85108 <+2542>: mov (%eax),%edx // edx = tblsym[vsim].st_name
0xb7f8510f <+2549>: sub $0x8,%esp // alignment padding: 6 pushes (24 bytes) + 8 = 32
0xb7f85112 <+2552>: push %eax // arg 5: zstrsym+tblsym[vsim].st_name
0xb7f85113 <+2553>: push $0x1000 // arg 4
0xb7f85118 <+2558>: push $0x2000 // arg 3
0xb7f8511d <+2563>: pushl -0x24(%ebp) // arg 2: zstrsym
0xb7f85120 <+2566>: pushl -0x6c(%ebp) // arg 1: vsim
0xb7f85123 <+2569>: lea -0x2858(%ebx),%eax // address of the format string via the GOT pointer in %ebx
0xb7f85129 <+2575>: push %eax
0xb7f8512a <+2576>: call 0xb7f84450 <printf@plt> // 6 pushes = format + 5 scalar arguments: the count matches the 5 conversions
0xb7f8512f <+2581>: add $0x20,%esp // 24 + 8
RESULT: SUPER PUTO5c25) b7a4c510 - 2000 - 1000 - __JCR_LIST__
*This is the expected result: with no struct in the argument list the conversions line up. (The reporter adds that the string looks bad "internally", but nothing in this listing shows that.)
208 printf("SUPER PUTO5d%2x) %8x - %8x - %8x - %s\n",vsim,zstrsym,
0xb7f85141 <+2599>: mov -0x24(%ebp),%eax // eax = zstrsym
0xb7f85144 <+2602>: add %eax,%edx // edx = zstrsym + tblsym[vsim].st_name; %edx was loaded at <+2597>, which runs first
0xb7f85153 <+2617>: mov (%eax),%eax // eax = tblsym[vsim].st_name; eax held &tblsym[vsim] from <+2615>, so this is an ordinary load of the argument, not a fault
209 0x2000,tblsym[vsim].st_name,zstrsym+tblsym[vsim].st_name);
0xb7f85132 <+2584>: mov -0x6c(%ebp),%eax
0xb7f85135 <+2587>: shl $0x4,%eax
0xb7f85138 <+2590>: mov %eax,%edx // edx = vsim*16
0xb7f8513a <+2592>: mov -0x20(%ebp),%eax
0xb7f8513d <+2595>: add %edx,%eax // eax = &tblsym[vsim]
0xb7f8513f <+2597>: mov (%eax),%edx // edx = tblsym[vsim].st_name
0xb7f85146 <+2604>: mov -0x6c(%ebp),%eax
0xb7f85149 <+2607>: shl $0x4,%eax
0xb7f8514c <+2610>: mov %eax,%ecx
0xb7f8514e <+2612>: mov -0x20(%ebp),%eax
0xb7f85151 <+2615>: add %ecx,%eax // eax = &tblsym[vsim]
0xb7f85155 <+2619>: sub $0x8,%esp // alignment padding: 6 pushes (24 bytes) + 8 = 32
0xb7f85158 <+2622>: push %edx // arg 5: zstrsym+tblsym[vsim].st_name
0xb7f85159 <+2623>: push %eax // arg 4: tblsym[vsim].st_name
0xb7f8515a <+2624>: push $0x2000 // arg 3
0xb7f8515f <+2629>: pushl -0x24(%ebp) // arg 2: zstrsym
0xb7f85162 <+2632>: pushl -0x6c(%ebp) // arg 1: vsim
0xb7f85165 <+2635>: lea -0x2830(%ebx),%eax // address of the format string via the GOT pointer in %ebx
0xb7f8516b <+2641>: push %eax
0xb7f8516c <+2642>: call 0xb7f84450 <printf@plt> // 6 pushes = format + 5 scalar arguments: the count matches the 5 conversions
0xb7f85171 <+2647>: add $0x20,%esp // 24 + 8
RESULT: SUPER PUTO5d25) b7a4c510 - 2000 - 13 - __JCR_LIST__
*This is the expected result. (The reporter adds that the string looks bad "internally", but nothing in this listing shows that.) Summary of the four calls: the two that pass `tblsym[vsim]` (a 16-byte Elf32_Sym) by value to `%8x` print wrong values and "(null)"; the two that pass only scalars print correctly. The generated code is a faithful translation of each call; the defect is the format/argument mismatch in the source, which `g++ -Wall` (`-Wformat`) reports.