From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <macro@sourceware.org>
Received: by sourceware.org (Postfix, from userid 1256)
 id DBFC53858D39; Tue, 18 Jan 2022 19:39:34 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DBFC53858D39
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
From: Maciej W. Rozycki <macro@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org
Subject: [gcc r12-6696] RISC-V: Fix use-after-free error in
 `parse_multiletter_ext'
X-Act-Checkin: gcc
X-Git-Author: Maciej W. Rozycki <macro@embecosm.com>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 0d01a2722671bef37b931fd1f121e44b27e68268
X-Git-Newrev: dad495e30135904b0d0305eab8c0ce5f838440d4
Message-Id: <20220118193934.DBFC53858D39@sourceware.org>
Date: Tue, 18 Jan 2022 19:39:34 +0000 (GMT)
X-BeenThere: gcc-cvs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-cvs mailing list <gcc-cvs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-cvs>,
 <mailto:gcc-cvs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-cvs/>
List-Help: <mailto:gcc-cvs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-cvs>,
 <mailto:gcc-cvs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2022 19:39:35 -0000

https://gcc.gnu.org/g:dad495e30135904b0d0305eab8c0ce5f838440d4

commit r12-6696-gdad495e30135904b0d0305eab8c0ce5f838440d4
Author: Maciej W. Rozycki <macro@embecosm.com>
Date:   Tue Jan 18 19:39:13 2022 +0000

    RISC-V: Fix use-after-free error in `parse_multiletter_ext'
    
    Avoid undefined arithmetic involving a pointer to a heap allocation that
    has been freed and move a problematic calculation ahead of the following
    call to `free' in `riscv_subset_list::parse_multiletter_ext', removing a
    compilation error:
    
    .../gcc/common/config/riscv/riscv-common.cc: In member function 'const char* riscv_subset_list::parse_multiletter_ext(const char*, const char*, const char*)':
    .../gcc/common/config/riscv/riscv-common.cc:905:27: error: pointer 'subset' used after 'void free(void*)' [-Werror=use-after-free]
      905 |       p += end_of_version - subset;
          |            ~~~~~~~~~~~~~~~^~~~~~~~
    .../gcc/common/config/riscv/riscv-common.cc:904:12: note: call to 'void free(void*)' here
      904 |       free (subset);
          |       ~~~~~^~~~~~~~
    cc1plus: all warnings being treated as errors
    make[2]: *** [Makefile:2428: riscv-common.o] Error 1
    
    and a build regression from commit 671a283636de ("Add -Wuse-after-free
    [PR80532].").
    
            gcc/
            * common/config/riscv/riscv-common.cc
            (riscv_subset_list::parse_multiletter_ext): Move pointer
            arithmetic ahead of `free'.

Diff:
---
 gcc/common/config/riscv/riscv-common.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcc/common/config/riscv/riscv-common.cc b/gcc/common/config/riscv/riscv-common.cc
index 004822bfe6c..25f56707d94 100644
--- a/gcc/common/config/riscv/riscv-common.cc
+++ b/gcc/common/config/riscv/riscv-common.cc
@@ -901,8 +901,8 @@ riscv_subset_list::parse_multiletter_ext (const char *p,
 	}
 
       add (subset, major_version, minor_version, explicit_version_p, false);
-      free (subset);
       p += end_of_version - subset;
+      free (subset);
 
       if (*p != '\0' && *p != '_')
 	{