public inbox for gcc-cvs@sourceware.org
* [gcc(refs/users/marxin/heads/pgo-reproducibility-test)] gimple-fold: Fix buffer overflow in fold_array_ctor_reference [PR93454]
@ 2020-01-30  8:50 Martin Liska
  0 siblings, 0 replies; only message in thread
From: Martin Liska @ 2020-01-30  8:50 UTC (permalink / raw)
  To: gcc-cvs

https://gcc.gnu.org/g:3c076c9642fd8877def0a0597ec7e4adfb5aa3b3

commit 3c076c9642fd8877def0a0597ec7e4adfb5aa3b3
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Tue Jan 28 08:44:07 2020 +0100

    gimple-fold: Fix buffer overflow in fold_array_ctor_reference [PR93454]
    
    libgcrypt FAILs to build on aarch64-linux with
    *** stack smashing detected ***: terminated
    when gcc is compiled with -D_FORTIFY_SOURCE=2.  The problem is if
    fold_array_ctor_reference is called with size equal to or very close to
    MAX_BITSIZE_MODE_ANY_MODE bits and non-zero inner_offset.
    The first native_encode_expr is called with that inner_offset and bufoff 0,
    the subsequent ones with offset of 0, and bufoff elt_size - inner_offset,
    2 * elt_size - inner_offset etc.  So, e.g. on the testcase where we start
    with inner_offset 1 and size is e.g. 256 bytes and elt_size 4 bytes
    we then call native_encode_expr at bufoff 251 and then 255, but that one
    overwrites 3 bytes beyond the buf array.
    The following patch fixes that.  In addition, it avoids calling
    elt_size.to_uhwi () all the time, and punts if elt_sz would be too large.
    
    2020-01-28  Jakub Jelinek  <jakub@redhat.com>
    
    	PR tree-optimization/93454
    	* gimple-fold.c (fold_array_ctor_reference): Perform
    	elt_size.to_uhwi () just once, instead of calling it in every
    	iteration.  Punt if that value is above size of the temporary
    	buffer.  Decrease third native_encode_expr argument when
    	bufoff + elt_sz is above size of buf.
    
    	* gcc.dg/pr93454.c: New test.

Diff:
---
 gcc/ChangeLog                  |  9 +++++++++
 gcc/gimple-fold.c              | 13 ++++++++-----
 gcc/testsuite/ChangeLog        |  5 +++++
 gcc/testsuite/gcc.dg/pr93454.c | 25 +++++++++++++++++++++++++
 4 files changed, 47 insertions(+), 5 deletions(-)

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index af0945f..6db98ed 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,3 +1,12 @@
+2020-01-28  Jakub Jelinek  <jakub@redhat.com>
+
+	PR tree-optimization/93454
+	* gimple-fold.c (fold_array_ctor_reference): Perform
+	elt_size.to_uhwi () just once, instead of calling it in every
+	iteration.  Punt if that value is above size of the temporary
+	buffer.  Decrease third native_encode_expr argument when
+	bufoff + elt_sz is above size of buf.
+
 2020-01-27  Joseph Myers  <joseph@codesourcery.com>
 
 	* config/mips/mips.c (mips_declare_object_name)
diff --git a/gcc/gimple-fold.c b/gcc/gimple-fold.c
index 569f91e..ed22592 100644
--- a/gcc/gimple-fold.c
+++ b/gcc/gimple-fold.c
@@ -6665,12 +6665,14 @@ fold_array_ctor_reference (tree type, tree ctor,
   /* And offset within the access.  */
   inner_offset = offset % (elt_size.to_uhwi () * BITS_PER_UNIT);
 
-  if (size > elt_size.to_uhwi () * BITS_PER_UNIT)
+  unsigned HOST_WIDE_INT elt_sz = elt_size.to_uhwi ();
+  if (size > elt_sz * BITS_PER_UNIT)
     {
       /* native_encode_expr constraints.  */
       if (size > MAX_BITSIZE_MODE_ANY_MODE
 	  || size % BITS_PER_UNIT != 0
-	  || inner_offset % BITS_PER_UNIT != 0)
+	  || inner_offset % BITS_PER_UNIT != 0
+	  || elt_sz > MAX_BITSIZE_MODE_ANY_MODE / BITS_PER_UNIT)
 	return NULL_TREE;
 
       unsigned ctor_idx;
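Review bot: the new range check `|| elt_sz > MAX_BITSIZE_MODE_ANY_MODE / BITS_PER_UNIT` is only evaluated inside `if (size > elt_sz * BITS_PER_UNIT)`, i.e. after `elt_sz * BITS_PER_UNIT` (and `elt_size.to_uhwi () * BITS_PER_UNIT` in the `inner_offset` line just above) has already been computed in unsigned HOST_WIDE_INT arithmetic, where an oversized element size would wrap before the guard sees it. Consider hoisting `unsigned HOST_WIDE_INT elt_sz = elt_size.to_uhwi ();` above the `inner_offset` computation so that line reuses it as well, and checking `elt_sz` against the buffer limit before any multiplication; a one-line comment saying the guard exists so that a single element always fits in `buf` would also make the intent clearer than the generic "native_encode_expr constraints".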
@@ -6701,10 +6703,11 @@ fold_array_ctor_reference (tree type, tree ctor,
       index = wi::umax (index, access_index);
       do
 	{
-	  int len = native_encode_expr (val, buf + bufoff,
-					elt_size.to_uhwi (),
+	  if (bufoff + elt_sz > sizeof (buf))
+	    elt_sz = sizeof (buf) - bufoff;
+	  int len = native_encode_expr (val, buf + bufoff, elt_sz,
 					inner_offset / BITS_PER_UNIT);
-	  if (len != elt_size - inner_offset / BITS_PER_UNIT)
+	  if (len != (int) elt_sz - inner_offset / BITS_PER_UNIT)
 	    return NULL_TREE;
 	  inner_offset = 0;
 	  bufoff += len;
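Review bot: the clamp `elt_sz = sizeof (buf) - bufoff;` permanently shrinks `elt_sz` for every later iteration, which is only safe because once it fires `bufoff + len` reaches `sizeof (buf)` and the loop must stop; the termination test is outside this hunk, so a comment stating that invariant next to the clamp would help the next reader. Likewise `len != (int) elt_sz - inner_offset / BITS_PER_UNIT` stays correct in the clamped case only because `inner_offset` is non-zero solely on the first iteration, where `bufoff` is 0 and the earlier punt guarantees the unclamped `elt_sz` fits in `buf`; that reasoning is worth recording in a comment as well.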
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index f83f18b..44d8e67 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2020-01-28  Jakub Jelinek  <jakub@redhat.com>
+
+	PR tree-optimization/93454
+	* gcc.dg/pr93454.c: New test.
+
 2020-01-27  David Malcolm  <dmalcolm@redhat.com>
 
 	PR analyzer/93451
diff --git a/gcc/testsuite/gcc.dg/pr93454.c b/gcc/testsuite/gcc.dg/pr93454.c
new file mode 100644
index 0000000..84c47cf
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/pr93454.c
@@ -0,0 +1,25 @@
+/* PR tree-optimization/93454 */
+/* { dg-do compile } */
+/* { dg-options "-O2 -g" } */
+
+#if __SIZEOF_INT__ == 4 && __CHAR_BIT__ == 8
+#define A(n) n, n + 0x01010101, n + 0x02020202, n + 0x03030303
+#define B(n) A (n), A (n + 0x04040404), A (n + 0x08080808), A (n + 0x0c0c0c0c)
+#define C(n) B (n), B (n + 0x10101010), B (n + 0x20202020), B (n + 0x30303030)
+#define D(n) C (n), C (n + 0x40404040), C (n + 0x80808080U), C (n + 0xc0c0c0c0U)
+const unsigned int a[64] = { C (0) };
+const unsigned int b[256] = { D (0) };
+const unsigned int c[32] = { B (0), B (0x10101010) };
+const unsigned int d[16] = { B (0) };
+const unsigned int e[8] = { A (0), A (0x04040404) };
+
+void
+foo (void)
+{
+  const unsigned char *s = ((const unsigned char *) a) + 1;
+  const unsigned char *t = ((const unsigned char *) b) + 1;
+  const unsigned char *u = ((const unsigned char *) c) + 1;
+  const unsigned char *v = ((const unsigned char *) d) + 1;
+  const unsigned char *w = ((const unsigned char *) e) + 1;
+}
+#endif
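Review bot: the test is `dg-do compile` with no `dg-final` directives, so it passes whenever cc1 completes without the stack-smash abort; that is the right shape for this bug, but a comment explaining why five arrays of different sizes and the `+ 1` byte offsets are needed (to reach `inner_offset` 1 with accesses at and around the temporary buffer limit) would help future maintainers. The locals `s` through `w` are never used, so a short note on what keeps the array references alive until `fold_array_ctor_reference` runs would also make the test more robust against later optimizer changes silently turning it into a no-op.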


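The commit message describes the overrun arithmetically: with a 256-byte access, 4-byte elements and an inner offset of 1 byte, the per-element encodes land at buffer offsets 3, 7, ..., 251, 255, and the last one writes 4 bytes where only 1 remains. The following C program is an added illustration, not part of the GCC patch or of gimple-fold.c: it models that do/while loop with a stand-in for native_encode_expr, reports how many bytes the pre-patch code would write past the buffer, and shows that the patch's clamp of the third argument removes the overrun. The 256-byte buffer size, the element-encoding model and the loop termination test (run until the accumulated offset reaches the requested size, since the real test lies outside the hunk) are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the temporary buffer in fold_array_ctor_reference
   (MAX_BITSIZE_MODE_ANY_MODE / BITS_PER_UNIT).  256 bytes matches the
   commit message's example and is a constructed value for this model.  */
#define BUF_BYTES 256

/* Bytes a native_encode_expr-like routine would produce for one element of
   ELT_SZ bytes when asked for at most LEN bytes starting at byte OFF of the
   element: the remainder of the element, capped by LEN.  Precondition:
   OFF < ELT_SZ, which the real code guarantees via the modulo above the loop.  */
static size_t
encode_len (size_t len, size_t elt_sz, size_t off)
{
  size_t avail = elt_sz - off;
  return avail < len ? avail : len;
}

/* Simulates the byte-accumulation loop the patch touches and returns how
   many bytes past the end of the buffer it would write (0 when it stays in
   bounds).  CLAMP == 0 follows the pre-patch code, which always passes the
   full element size as the length argument; CLAMP == 1 applies the patch's
   "if (bufoff + elt_sz > sizeof (buf)) elt_sz = sizeof (buf) - bufoff".
   An out-of-bounds write is detected and counted, never performed.  */
static size_t
overrun_bytes (int clamp, size_t size_bytes, size_t elt_sz, size_t inner_off)
{
  unsigned char buf[BUF_BYTES];
  size_t bufoff = 0;
  size_t want = elt_sz;        /* third native_encode_expr argument */
  unsigned char val = 0;       /* constructed element content */

  memset (buf, 0, sizeof buf);
  do
    {
      if (clamp && bufoff + want > sizeof buf)
	want = sizeof buf - bufoff;           /* the patch's adjustment */
      size_t len = encode_len (want, elt_sz, inner_off);
      if (bufoff + len > sizeof buf)
	return bufoff + len - sizeof buf;     /* would smash the stack */
      memset (buf + bufoff, val++, len);      /* the in-bounds encode */
      inner_off = 0;                          /* only the first chunk is partial */
      bufoff += len;
    }
  while (bufoff < size_bytes);                /* assumed termination test */
  return 0;
}

int
main (void)
{
  /* The commit's example: 256-byte access, 4-byte elements, inner offset 1.  */
  printf ("pre-patch overrun:  %zu bytes\n", overrun_bytes (0, 256, 4, 1));
  printf ("post-patch overrun: %zu bytes\n", overrun_bytes (1, 256, 4, 1));
  /* With inner offset 0 the chunks tile the buffer exactly and nothing overruns.  */
  printf ("aligned access:     %zu bytes\n", overrun_bytes (0, 256, 4, 0));
  return 0;
}
```

Running it prints an overrun of 3 bytes for the pre-patch loop and 0 after the clamp, matching the "overwrites 3 bytes beyond the buf array" in the commit message; the aligned case shows why the bug only surfaces with a non-zero inner offset.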