Message ID | 5ad275929137bf8866c97d1281edf57f71fbeea8.1628799111.git.wschmidt@linux.ibm.com |
---|---|
State | New |
Series | rs6000: Avoid buffer overruns | expand |
Per discussion with Martin, I'm also changing the post-increment to pre-increment in safe_inc_pos. That's what I'm regstrapping at the moment. Thanks, Bill On 8/12/21 3:28 PM, Bill Schmidt via Gcc-patches wrote:
> Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
> there are some other routines where we fail to detect the possibility.
> Clean those up!
>
> Regstrap in progress on powerpc64le-linux-gnu. OK for trunk if that
> passes?
>
> Thanks,
> Bill
>
> 2021-08-12 Bill Schmidt <wschmidt@linux.ibm.com>
>
> gcc/
> * config/rs6000/rs6000-gen-builtins.c (consume_whitespace):
> Diagnose buffer overrun.
> (match_identifier): Likewise.
> (match_integer): Likewise.
> (match_to_right_bracket): Likewise.
> ---
> gcc/config/rs6000/rs6000-gen-builtins.c | 32 ++++++++++++++++++++++---
> 1 file changed, 29 insertions(+), 3 deletions(-)
>
> diff --git a/gcc/config/rs6000/rs6000-gen-builtins.c b/gcc/config/rs6000/rs6000-gen-builtins.c
> index 22902c37d55..ff8872c59e4 100644
> --- a/gcc/config/rs6000/rs6000-gen-builtins.c
> +++ b/gcc/config/rs6000/rs6000-gen-builtins.c
> @@ -638,6 +638,13 @@ consume_whitespace (void)
> {
> while (pos < LINELEN && isspace(linebuf[pos]) && linebuf[pos] != '\n')
> pos++;
> +
> + if (pos >= LINELEN)
> + {
> + diag (pos, "line length overrun.\n");
> + exit (1);
> + }
> +
> return;
> }
>
> @@ -697,9 +704,16 @@ static char *
> match_identifier (void)
> {
> int lastpos = pos - 1;
> - while (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_')
> + while (lastpos < LINELEN - 1
> + && (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_'))
> ++lastpos;
>
> + if (lastpos >= LINELEN - 1)
> + {
> + diag (lastpos, "line length overrun.\n");
> + exit (1);
> + }
> +
> if (lastpos < pos)
> return 0;
>
> @@ -721,9 +735,15 @@ match_integer (void)
> safe_inc_pos ();
>
> int lastpos = pos - 1;
> - while (isdigit (linebuf[lastpos + 1]))
> + while (lastpos < LINELEN - 1 && isdigit (linebuf[lastpos + 1]))
> ++lastpos;
>
> + if (lastpos >= LINELEN - 1)
> + {
> + diag (lastpos, "line length overrun.\n");
> + exit (1);
> + }
> +
> if (lastpos < pos)
> return NULL;
>
> @@ -741,13 +761,19 @@ static const char *
> match_to_right_bracket (void)
> {
> int lastpos = pos - 1;
> - while (linebuf[lastpos + 1] != ']')
> + while (lastpos < LINELEN - 1 && linebuf[lastpos + 1] != ']')
> {
> if (linebuf[lastpos + 1] == '\n')
> fatal ("no ']' found before end of line.\n");
> ++lastpos;
> }
>
> + if (lastpos >= LINELEN - 1)
> + {
> + diag (lastpos, "line length overrun.\n");
> + exit (1);
> + }
> +
> if (lastpos < pos)
> return 0;
>
Hi, On 8/12/21 3:43 PM, Bill Schmidt via Gcc-patches wrote:
> Per discussion with Martin, I'm also changing the post-increment to
> pre-increment in safe_inc_pos. That's what I'm regstrapping at the moment.
>
> Thanks,
> Bill
>
> On 8/12/21 3:28 PM, Bill Schmidt via Gcc-patches wrote:
>> Although safe_inc_pos avoids buffer overruns in rs6000-gen-builtins.c,
>> there are some other routines where we fail to detect the possibility.
>> Clean those up!
>>
>> Regstrap in progress on powerpc64le-linux-gnu. OK for trunk if that
>> passes?
>>
>> Thanks,
>> Bill
Here's the final patch I tested, which passed regstrap. Ok for trunk? Thanks! Bill
From 8d8868a13c809381420f50f2d24bc060b73c3d4a Mon Sep 17 00:00:00 2001
Message-Id: <8d8868a13c809381420f50f2d24bc060b73c3d4a.1628872666.git.wschmidt@linux.ibm.com>
In-Reply-To: <1af4993ea84c8a8deb204055325420189ca2350e.1628872665.git.wschmidt@linux.ibm.com>
References: <1af4993ea84c8a8deb204055325420189ca2350e.1628872665.git.wschmidt@linux.ibm.com>
From: Bill Schmidt <wschmidt@linux.ibm.com>
Date: Fri, 13 Aug 2021 11:35:55 -0500
Subject: [PATCH 35/35] rs6000: Avoid buffer overruns
2021-08-13 Bill Schmidt <wschmidt@linux.ibm.com> gcc/ PR target/101830 * config/rs6000/rs6000-gen-builtins.c (consume_whitespace): Diagnose buffer overrun. (safe_inc_pos): Fix overrun detection. (match_identifier): Diagnose buffer overrun. (match_integer): Likewise. (match_to_right_bracket): Likewise.
---
 gcc/config/rs6000/rs6000-gen-builtins.c | 34 ++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/gcc/config/rs6000/rs6000-gen-builtins.c b/gcc/config/rs6000/rs6000-gen-builtins.c
index 22902c37d55..503099464d6 100644
--- a/gcc/config/rs6000/rs6000-gen-builtins.c
+++ b/gcc/config/rs6000/rs6000-gen-builtins.c
@@ -638,6 +638,13 @@ consume_whitespace (void)
 {
 while (pos < LINELEN && isspace(linebuf[pos]) && linebuf[pos] != '\n')
 pos++;
+
+ if (pos >= LINELEN)
+ {
+ diag (pos, "line length overrun.\n");
+ exit (1);
+ }
+
 return;
 }

@@ -684,7 +691,7 @@ advance_line (FILE *file)
 static inline void
 safe_inc_pos (void)
 {
- if (pos++ >= LINELEN)
+ if (++pos >= LINELEN)
 {
 diag (pos, "line length overrun.\n");
 exit (1);
@@ -697,9 +704,16 @@ static char *
 match_identifier (void)
 {
 int lastpos = pos - 1;
- while (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_')
+ while (lastpos < LINELEN - 1
+ && (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_'))
 ++lastpos;

+ if (lastpos >= LINELEN - 1)
+ {
+ diag (lastpos, "line length overrun.\n");
+ exit (1);
+ }
+
 if (lastpos < pos)
 return 0;

@@ -721,9 +735,15 @@ match_integer (void)
 safe_inc_pos ();

 int lastpos = pos - 1;
- while (isdigit (linebuf[lastpos + 1]))
+ while (lastpos < LINELEN - 1 && isdigit (linebuf[lastpos + 1]))
 ++lastpos;

+ if (lastpos >= LINELEN - 1)
+ {
+ diag (lastpos, "line length overrun.\n");
+ exit (1);
+ }
+
 if (lastpos < pos)
 return NULL;

@@ -741,13 +761,19 @@ static const char *
 match_to_right_bracket (void)
 {
 int lastpos = pos - 1;
- while (linebuf[lastpos + 1] != ']')
+ while (lastpos < LINELEN - 1 && linebuf[lastpos + 1] != ']')
 {
 if (linebuf[lastpos + 1] == '\n')
 fatal ("no ']' found before end of line.\n");
 ++lastpos;
 }

+ if (lastpos >= LINELEN - 1)
+ {
+ diag (lastpos, "line length overrun.\n");
+ exit (1);
+ }
+
 if (lastpos < pos)
 return 0;
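Review bot: safe_inc_pos carries no comment stating the invariant that the switch to `++pos >= LINELEN` establishes, and the old post-increment shows how easily that is lost. With `pos++ >= LINELEN` the comparison used the value before the increment, so pos could be left equal to LINELEN without a diagnostic. Suggest adding above the function `/* Advance pos by one; on return pos < LINELEN, so linebuf[pos] is in bounds.  */`, assuming linebuf holds LINELEN bytes (its declaration is not in this hunk). The function's closing brace is also outside the hunk.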
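Review bot: The rewritten loop condition in match_identifier still passes `linebuf[lastpos + 1]` straight to isalnum, and the match_integer hunk does the same with isdigit; the unchanged isspace call in consume_whitespace has the same shape. If linebuf is an array of plain char (the declaration is outside these hunks) and char is signed on the host that runs the generator, a byte above 0x7f in the input file reaches the ctype function as a negative value other than EOF, which is undefined behaviour. Cast at each call, e.g. `isalnum ((unsigned char) linebuf[lastpos + 1])` and `isdigit ((unsigned char) linebuf[lastpos + 1])`. The same lines appear in the earlier posting of the patch shown further down the page.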
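Review bot: The new `lastpos < LINELEN - 1` bound in match_to_right_bracket keeps the scan inside the buffer, but the loop still stops only at ']' or '\n', never at a NUL. If a line can sit in linebuf without a trailing newline (this depends on how advance_line fills the buffer, which is not shown here), the scan would run past the terminator into whatever bytes follow it and could accept a ']' that is not part of the current line. Consider treating the terminator like a newline: `if (linebuf[lastpos + 1] == '\n' || linebuf[lastpos + 1] == '\0')`. The rest of the function body is outside the hunk.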
diff --git a/gcc/config/rs6000/rs6000-gen-builtins.c b/gcc/config/rs6000/rs6000-gen-builtins.c
index 22902c37d55..ff8872c59e4 100644
--- a/gcc/config/rs6000/rs6000-gen-builtins.c
+++ b/gcc/config/rs6000/rs6000-gen-builtins.c
@@ -638,6 +638,13 @@ consume_whitespace (void)
 {
 while (pos < LINELEN && isspace(linebuf[pos]) && linebuf[pos] != '\n')
 pos++;
+
+ if (pos >= LINELEN)
+ {
+ diag (pos, "line length overrun.\n");
+ exit (1);
+ }
+
 return;
 }

@@ -697,9 +704,16 @@ static char *
 match_identifier (void)
 {
 int lastpos = pos - 1;
- while (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_')
+ while (lastpos < LINELEN - 1
+ && (isalnum (linebuf[lastpos + 1]) || linebuf[lastpos + 1] == '_'))
 ++lastpos;

+ if (lastpos >= LINELEN - 1)
+ {
+ diag (lastpos, "line length overrun.\n");
+ exit (1);
+ }
+
 if (lastpos < pos)
 return 0;

@@ -721,9 +735,15 @@ match_integer (void)
 safe_inc_pos ();

 int lastpos = pos - 1;
- while (isdigit (linebuf[lastpos + 1]))
+ while (lastpos < LINELEN - 1 && isdigit (linebuf[lastpos + 1]))
 ++lastpos;

+ if (lastpos >= LINELEN - 1)
+ {
+ diag (lastpos, "line length overrun.\n");
+ exit (1);
+ }
+
 if (lastpos < pos)
 return NULL;

@@ -741,13 +761,19 @@ static const char *
 match_to_right_bracket (void)
 {
 int lastpos = pos - 1;
- while (linebuf[lastpos + 1] != ']')
+ while (lastpos < LINELEN - 1 && linebuf[lastpos + 1] != ']')
 {
 if (linebuf[lastpos + 1] == '\n')
 fatal ("no ']' found before end of line.\n");
 ++lastpos;
 }

+ if (lastpos >= LINELEN - 1)
+ {
+ diag (lastpos, "line length overrun.\n");
+ exit (1);
+ }
+
 if (lastpos < pos)
 return 0;