diff mbox series

varasm: Fix type confusion bug

Message ID Y4jJSkO6Ccew5OjL@arm.com
State New
Headers show
Series varasm: Fix type confusion bug | expand

Commit Message

Alex Coplan Dec. 1, 2022, 3:33 p.m. UTC 
Hi,

This patch fixes a type confusion bug in varasm.cc:assemble_variable.
The problem is that the current code calls:

  sect = get_variable_section (decl, false);

and then accesses sect->named.name without checking whether the section
is in fact a named section. In the surrounding else clause, we only know
that SECTION_STYLE (sect) != SECTION_NOSWITCH, so it is possible that
the section is an unnamed section.

In practice, this means that we end up doing a wild string compare
between a function pointer and the string literal ".vtable_map_vars".
This is because sect->named.name aliases sect->unnamed.callback in the
section union.

This can be seen in GDB with a simple testcase such as "int x;".

This patch fixes the issue by checking the SECTION_STYLE of the section
is in fact SECTION_NAMED before trying to do the string comparison.

We drop the existing check of whether sect->named.name is non-NULL
because this should presumably always be the case for a named section.

Bootstrapped/regtested on aarch64-none-linux-gnu, OK for trunk?

Thanks,
Alex

gcc/ChangeLog:

	* varasm.cc (assemble_variable): Fix type confusion bug when
	checking for ".vtable_map_vars" section.

Comments

Richard Sandiford Dec. 1, 2022, 4:12 p.m. UTC | #1 
Alex Coplan via Gcc-patches <gcc-patches@gcc.gnu.org> writes:
> Hi,
>
> This patch fixes a type confusion bug in varasm.cc:assemble_variable.
> The problem is that the current code calls:
>
>   sect = get_variable_section (decl, false);
>
> and then accesses sect->named.name without checking whether the section
> is in fact a named section. In the surrounding else clause, we only know
> that SECTION_STYLE (sect) != SECTION_NOSWITCH, so it is possible that
> the section is an unnamed section.
>
> In practice, this means that we end up doing a wild string compare
> between a function pointer and the string literal ".vtable_map_vars".
> This is because sect->named.name aliases sect->unnamed.callback in the
> section union.
>
> This can be seen in GDB with a simple testcase such as "int x;".
>
> This patch fixes the issue by checking the SECTION_STYLE of the section
> is in fact SECTION_NAMED before trying to do the string comparison.
>
> We drop the existing check of whether sect->named.name is non-NULL
> because this should presumably always be the case for a named section.
>
> Bootstrapped/regtested on aarch64-none-linux-gnu, OK for trunk?

OK, thanks.  I think it's OK for backports too if you like,
since it's a regression from around 2013.

Richard

>
> Thanks,
> Alex
>
> gcc/ChangeLog:
>
> 	* varasm.cc (assemble_variable): Fix type confusion bug when
> 	checking for ".vtable_map_vars" section.
>
> diff --git a/gcc/varasm.cc b/gcc/varasm.cc
> index 9dfbebbb915..6851201b6a2 100644
> --- a/gcc/varasm.cc
> +++ b/gcc/varasm.cc
> @@ -2400,7 +2400,7 @@ assemble_variable (tree decl, int top_level ATTRIBUTE_UNUSED,
>    else
>      {
>        /* Special-case handling of vtv comdat sections.  */
> -      if (sect->named.name
> +      if (SECTION_STYLE (sect) == SECTION_NAMED
>  	  && (strcmp (sect->named.name, ".vtable_map_vars") == 0))
>  	handle_vtv_comdat_section (sect, decl);
>        else
Alex Coplan Dec. 1, 2022, 5:59 p.m. UTC | #2 
On 01/12/2022 16:12, Richard Sandiford wrote:
> Alex Coplan via Gcc-patches <gcc-patches@gcc.gnu.org> writes:
> > Hi,
> >
> > This patch fixes a type confusion bug in varasm.cc:assemble_variable.
> > The problem is that the current code calls:
> >
> >   sect = get_variable_section (decl, false);
> >
> > and then accesses sect->named.name without checking whether the section
> > is in fact a named section. In the surrounding else clause, we only know
> > that SECTION_STYLE (sect) != SECTION_NOSWITCH, so it is possible that
> > the section is an unnamed section.
> >
> > In practice, this means that we end up doing a wild string compare
> > between a function pointer and the string literal ".vtable_map_vars".
> > This is because sect->named.name aliases sect->unnamed.callback in the
> > section union.
> >
> > This can be seen in GDB with a simple testcase such as "int x;".
> >
> > This patch fixes the issue by checking the SECTION_STYLE of the section
> > is in fact SECTION_NAMED before trying to do the string comparison.
> >
> > We drop the existing check of whether sect->named.name is non-NULL
> > because this should presumably always be the case for a named section.
> >
> > Bootstrapped/regtested on aarch64-none-linux-gnu, OK for trunk?
> 
> OK, thanks.  I think it's OK for backports too if you like,
> since it's a regression from around 2013.

Thanks, I've pushed the patch to trunk, and will backport if there are
no complaints after a week or so.

Alex

> 
> Richard
> 
> >
> > Thanks,
> > Alex
> >
> > gcc/ChangeLog:
> >
> > 	* varasm.cc (assemble_variable): Fix type confusion bug when
> > 	checking for ".vtable_map_vars" section.
> >
> > diff --git a/gcc/varasm.cc b/gcc/varasm.cc
> > index 9dfbebbb915..6851201b6a2 100644
> > --- a/gcc/varasm.cc
> > +++ b/gcc/varasm.cc
> > @@ -2400,7 +2400,7 @@ assemble_variable (tree decl, int top_level ATTRIBUTE_UNUSED,
> >    else
> >      {
> >        /* Special-case handling of vtv comdat sections.  */
> > -      if (sect->named.name
> > +      if (SECTION_STYLE (sect) == SECTION_NAMED
> >  	  && (strcmp (sect->named.name, ".vtable_map_vars") == 0))
> >  	handle_vtv_comdat_section (sect, decl);
> >        else
diff mbox series

Patch

diff --git a/gcc/varasm.cc b/gcc/varasm.cc
index 9dfbebbb915..6851201b6a2 100644
--- a/gcc/varasm.cc
+++ b/gcc/varasm.cc
@@ -2400,7 +2400,7 @@  assemble_variable (tree decl, int top_level ATTRIBUTE_UNUSED,
   else
     {
       /* Special-case handling of vtv comdat sections.  */
-      if (sect->named.name
+      if (SECTION_STYLE (sect) == SECTION_NAMED
 	  && (strcmp (sect->named.name, ".vtable_map_vars") == 0))
 	handle_vtv_comdat_section (sect, decl);
       else