February 27, 2010
Green Hills C Compiler bug
I had a rather proud moment a few days ago. I had been looking at a curious piece of compiled code that had an integer promotion bug. Yeah, I have some pretty weird hobbies these days. This particular bug was for the Motorola Coldfire processor. The C code, it turns out, looked like this:
unsigned char table[256] = {0xsomevals} // global array, located on process heapThe compiler compiled the code (the function part of the above) into something like this:
unsigned char array_lookup(unsigned char uc){
return table[(unsigned integer) uc];
}
link a6, #0
;; there would be a 'store registers' command here', I don't remember the syntax at the moment
;; stw.l (a0,d0), (-sp) ?
move.l -4(sp),d0
mvs.b d0,d0 ;; offending line
move.l (0,d0+a0),d0
unlink a6, #0
;; there would be a 'restore register' command here, again I don't remember syntax
rts
For the coldfire assembler unaware, the mvs operation is "move with sign extension". The effect is that the function can return memory logically *before* the array. If the unsigned char passed in is 0x80 or greater, the most significant bit of the byte is a '1'. The sign-extended move operation makes the index value negative. What is interesting here is that the compiler ignored the explicit unsigned integer cast when it dereferenced the element in the array.
It turns out that this was a bug in an older version of the Green Hills compiler. Newer versions don't exhibit this erroneous behavior. I have no information on what versions of the Green Hills compiler are affected by the bug, but if you are a vendor programming Coldfire V4 cpus (mvs was introduced in the Coldfire V4 instruction set), you may want to compile my above code snippet and make sure that your compiler is not affected.
I have to say that I was kind of impressed with myself for finding the bug. The people that produced the compiled code were kind of dumbfounded as to how I stumbled upon it. Since I have started exploring embedded systems security, I've decided that the C language is probably one of the most wretched things in the universe, and that embedded system vendors ought to use as much as peer-reviewed code (read: open source) as possible in their systems. Here I mean both compilers and process code. C compilers for these systems generally don't receive as much scrutiny as desktop application compilers, probably because the target processors are not x86.
Post a comment
Further back...
ArchivesFriends and Family
Search
Previous Trips...
-
Hiking Mount Whitney, 2007 
Spring Break in West Virginia, 2005
New Year's in Paris, 2003-2004
Coming to America, 2003
Protesting in Berlin, 2003
Prague Bier-Tour, 2002
Dresden, 2002
Recent Reading
![]()
Stealing the Network
I first bumped into the Stealing the Network series when reading the exploits of Joe Grand, one of the book's many hacker authors.
The 'Stealing the ...' series of books follows a rather disparate group of computer hackers as they help a former NSA spook (many of them unwittingly) gather the money he needs to retire.
The stories themselves are not fantastic fiction. The writing is uneven and choppy, the characters are stereotypical and not very well thought-out. What is fascinating about this book series is the technical accuracy of the exploits (at some points *too* accurate, with screen shots and step-by-step instructions).
It's a great series to read if you're a system administrator, or just getting into the wonderful field of computer security.
Rated 
by reid
on March 06, 2011
by reid
on March 06, 2011
![]()
Close to the Machine
Ellen Ullman is one of those authors that somehow avoided my radar. Until now...
Close to the Machine is less a book than a collection of loosely related personal anecdotes from Ellen's time as a very rare thing -- a successful female bisexual independent computer programming consultant.
In the course of her work and relationship life, she learns hard lessons about programming, running a business, being lonely, and loving the wrong people. I found it particularly poignant being a crypto-nerd with difficult times in relationships and a more-or-less NDA'd, secret work life.
This book is a must-read for anyone into running their own business, programming, or anyone dating a person that is a business-a-holic or programmer.
Rated 
by reid
on November 23, 2009
by reid
on November 23, 2009
![]()
The Long Trip Home
I had the joy of dining with the author in Florida. We went to a little Brazilian BBQ where he spoke with our waitstaff in (what I can only assume was) flawless Portugese.
Brian Wyllie spent 1969-1971 living in Brazil working for the Peace Corps. His recent book outlines his trip back to the United States via Bolivia, Peru, and the Carribean chain, by way of bus, train, and sailboat. The format comes spattered with observations from the modern day, and makes me think, "this must be what John McPhee's journal looks like."
The trip sounded like a fantastic one, but I was left wanting more detail...where did the gun (being snuck through customs in a variety of places, no doubt) come from? And how did Geneve's hair smell? Alas, we'll have to wait for another book to find the answers.
Rated by reid
on April 16, 2009
by reid
on April 16, 2009