[PATCH v2] rs6000: Avoid buffer overruns

[PATCH v2] rs6000: Avoid buffer overruns

[Bill Schmidt]

Hi,

I totally biffed the previous version of this patch, as it was built
against an experimental tree instead of trunk.  Trying again...

Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
there are some other routines where we fail to detect the possibility.
Clean those up!  (Also, safe_inc_pos is not quite right itself.)

Bootstrapped and tested on powerpc64le-linux-gnu, this time without
some unsubmitted patches in the way.  Is this OK for trunk?

Thanks,
Bill


2021-08-19  Bill Schmidt  <wschmidt@linux.ibm.com>

gcc/
	PR target/101830
	* config/rs6000/rs6000-gen-builtins.c (consume_whitespace):
	Diagnose buffer overrun.
	(safe_inc_pos): Fix overrun detection.
	(match_identifier): Diagnose buffer overrun.
	(match_integer): Likewise.
	(match_to_right_bracket): Likewise.
---
  gcc/config/rs6000/rs6000-gen-builtins.c | 34 ++++++++++++++++++++++---
  1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/gcc/config/rs6000/rs6000-gen-builtins.c b/gcc/config/rs6000/rs6000-gen-builtins.c
index e5d3b71b622..05b2d2939b5 100644
--- a/gcc/config/rs6000/rs6000-gen-builtins.c
+++ b/gcc/config/rs6000/rs6000-gen-builtins.c
@@ -597,6 +597,13 @@ consume_whitespace (void)
  {
    while (pos < LINELEN && isspace(linebuf[pos]) && linebuf[pos] != '\n')
      pos++;
+
+  if (pos >= LINELEN)
+    {
+      diag ("line length overrun at %d.\n", pos);
+      exit (1);
+    }
+
    return;
  }
  
@@ -623,7 +630,7 @@ advance_line (FILE *file)
  static inline void
  safe_inc_pos (void)
  {
-  if (pos++ >= LINELEN)
+  if (++pos >= LINELEN)
      {
        (*diag) ("line length overrun.\n");
        exit (1);
@@ -636,9 +643,16 @@ static char *
  match_identifier (void)
  {
    int lastpos = pos - 1;
-  while (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_')
+  while (lastpos < LINELEN - 1
+	 && (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_'))
      ++lastpos;
  
+  if (lastpos >= LINELEN - 1)
+    {
+      diag ("line length overrun at %d.\n", lastpos);
+      exit (1);
+    }
+
    if (lastpos < pos)
      return 0;
  
@@ -660,9 +674,15 @@ match_integer (void)
      safe_inc_pos ();
  
    int lastpos = pos - 1;
-  while (isdigit (linebuf[lastpos + 1]))
+  while (lastpos < LINELEN - 1 && isdigit (linebuf[lastpos + 1]))
      ++lastpos;
  
+  if (lastpos >= LINELEN - 1)
+    {
+      diag ("line length overrun at %d.\n", lastpos);
+      exit (1);
+    }
+
    if (lastpos < pos)
      return NULL;
  
@@ -680,7 +700,7 @@ static const char *
  match_to_right_bracket (void)
  {
    int lastpos = pos - 1;
-  while (linebuf[lastpos + 1] != ']')
+  while (lastpos < LINELEN - 1 && linebuf[lastpos + 1] != ']')
      {
        if (linebuf[lastpos + 1] == '\n')
  	{
@@ -690,6 +710,12 @@ match_to_right_bracket (void)
        ++lastpos;
      }
  
+  if (lastpos >= LINELEN - 1)
+    {
+      diag ("line length overrun at %d.\n", lastpos);
+      exit (1);
+    }
+
    if (lastpos < pos)
      return 0;
  
-- 
2.27.0

Re: [PATCH v2] rs6000: Avoid buffer overruns

[Segher Boessenkool]

Hi!

On Thu, Aug 19, 2021 at 04:40:42PM -0500, Bill Schmidt wrote:
> I totally biffed the previous version of this patch, as it was built
> against an experimental tree instead of trunk.  Trying again...
> 
> Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
> there are some other routines where we fail to detect the possibility.
> Clean those up!  (Also, safe_inc_pos is not quite right itself.)

> 	PR target/101830
> 	* config/rs6000/rs6000-gen-builtins.c (consume_whitespace):
> 	Diagnose buffer overrun.

Please don't break changelog lines unnecessary.

> 	(safe_inc_pos): Fix overrun detection.
> 	(match_identifier): Diagnose buffer overrun.
> 	(match_integer): Likewise.
> 	(match_to_right_bracket): Likewise.

Okay for trunk.  Thanks!


Segher