public inbox for gcc-patches@gcc.gnu.org
* [COMMITTED][GCC8] Backport driver/89014 Use-after-free in aarch64 -march=native
@ 2019-11-29 19:16 Wilco Dijkstra
From: Wilco Dijkstra @ 2019-11-29 19:16 UTC (permalink / raw)
  To: GCC Patches

Hi,

I've backported r268189 to GCC8:

aarch64: fix use-after-free in -march=native (PR driver/89014)

Running:
  $ valgrind ./xgcc -B. -c test.c -march=native
on aarch64 shows a use-after-free in host_detect_local_cpu due
to the std::string result of aarch64_get_extension_string_for_isa_flags
only living until immediately after a c_str call.

This leads to corrupt "-march=" values being passed to cc1.

This patch fixes the use-after-free, though it appears to also need
Tamar's patch here:
  https://gcc.gnu.org/ml/gcc-patches/2018-12/msg01302.html
in order to generate valid values for cc1.  This may have worked by
accident in the past, if the corrupt "-march=" value happened to be
0-terminated in the "right" place; with this patch it now appears
to reliably break without Tamar's patch.

	Backport from mainline
	2019-01-23  David Malcolm  <dmalcolm@redhat.com>

	PR driver/89014
	* config/aarch64/driver-aarch64.c (host_detect_local_cpu): Fix
	use-after-free of the result of
	aarch64_get_extension_string_for_isa_flags.

Modified:
    branches/gcc-8-branch/gcc/ChangeLog
    branches/gcc-8-branch/gcc/config/aarch64/driver-aarch64.c
--
--- branches/gcc-8-branch/gcc/config/aarch64/driver-aarch64.c	2019/11/29 15:02:35	278853
+++ branches/gcc-8-branch/gcc/config/aarch64/driver-aarch64.c	2019/11/29 17:22:30	278854
@@ -179,7 +179,6 @@
   unsigned int variants[2] = { ALL_VARIANTS, ALL_VARIANTS };
   unsigned int n_variants = 0;
   bool processed_exts = false;
-  const char *ext_string = "";
   unsigned long extension_flags = 0;
   unsigned long default_flags = 0;
 
@@ -357,11 +356,12 @@
   if (tune)
     return res;
 
-  ext_string
-    = aarch64_get_extension_string_for_isa_flags (extension_flags,
-						  default_flags).c_str ();
-
-  res = concat (res, ext_string, NULL);
+  {
+    std::string extension
+      = aarch64_get_extension_string_for_isa_flags (extension_flags,
+						    default_flags);
+    res = concat (res, extension.c_str (), NULL);
+  }
 
   return res;

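Review bot: In the second hunk, the new braces around `std::string extension` exist only to bound the string's lifetime, but nothing in the code says so. A one-line comment that the `std::string` must outlive the `concat` call would stop a later cleanup from folding it back into a stored `c_str ()` pointer. The named local is also not strictly required: passing `aarch64_get_extension_string_for_isa_flags (extension_flags, default_flags).c_str ()` directly as the `concat` argument keeps the temporary alive until the end of that full expression and would drop the extra block. Separately, the commit message says the result now reliably breaks without Tamar's patch, so the backport should state whether that patch is already on the GCC 8 branch.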