diff mbox

Fix for PR70481 Libiberty Demangler

Message ID 56FD5CCB.5000002@redhat.com
State New
Headers show

Commit Message

Jeff Law March 31, 2016, 5:22 p.m. UTC 
On 03/31/2016 08:55 AM, Marcel Böhme wrote:
> Hi,
>
> This fixes the use-after-free detailed in https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70481
>
> There is a variable ksize storing the amount of allocated memory for the array ktypevec. ksize being zero (0) indicates that some memory must be allocated upon the first write. When more memory is needed, both ksize and the memory are doubled during reallocation. At some point the memory for the array is freed (in squangle_mop_up) but the value of ksize remains. Since ksize is not 0, there is no indication that new memory must be allocated when there is another write to the array.
>
> The same holds for bsize and btypevec.
>
> Best regards,
> - Marcel
>
>
> Index: libiberty/cplus-dem.c
> ===================================================================
> --- libiberty/cplus-dem.c	(revision 234607)
> +++ libiberty/cplus-dem.c	(working copy)
> @@ -1237,11 +1237,13 @@  squangle_mop_up (struct work_stuff *work)
Thanks.  I've just installed this patch, along with suitable tests from 
70481 and 67394.

Jeff
commit 6e4dbbe6a1d6dd21e2ae87cabd1eae81312feac2
Author: law <law@138bc75d-0d04-0410-961f-82ee72b054a4>
Date:   Thu Mar 31 17:20:53 2016 +0000

    	* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
    	btypevec/ktypevec.
    	* testsuite/demangle-expected: Add coverage tests.
    
    git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234645 138bc75d-0d04-0410-961f-82ee72b054a4

Comments

Bernd Schmidt March 31, 2016, 5:29 p.m. UTC | #1 
On 03/31/2016 07:22 PM, Jeff Law wrote:
>> @@ -1237,11 +1237,13 @@  squangle_mop_up (struct work_stuff *work)
> Thanks.  I've just installed this patch, along with suitable tests from
> 70481 and 67394.

What are the rules for modifying libiberty again? Do we have to patch 
binutils/gdb at the same time, or is there an automated process?


Bernd
Jeff Law March 31, 2016, 5:33 p.m. UTC | #2 
On 03/31/2016 11:29 AM, Bernd Schmidt wrote:
> On 03/31/2016 07:22 PM, Jeff Law wrote:
>>> @@ -1237,11 +1237,13 @@  squangle_mop_up (struct work_stuff *work)
>> Thanks.  I've just installed this patch, along with suitable tests from
>> 70481 and 67394.
>
> What are the rules for modifying libiberty again? Do we have to patch
> binutils/gdb at the same time, or is there an automated process?
My recollection is that gcc is considered the master for libiberty and 
the gdb project will resync as needed.

jeff
diff mbox

Patch

diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index d11f4ce..b4054bd 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,10 @@ 
+2016-03-31  Mikhail Maltsev  <maltsevm@gmail.com>
+	    Marcel Bohme  boehme.marcel@gmail.com
+
+	* cplus-dem.c (squangle_mop_up): Zero bsize/ksize after freeing
+	btypevec/ktypevec.
+	* testsuite/demangle-expected: Add coverage tests.
+
 2016-01-27  Iain Buclaw  <ibuclaw@gdcproject.org>
 
 	* d-demangle.c (dlang_call_convention): Handle extern Objective-C
diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
index c68b981..7ab46dd 100644
--- a/libiberty/cplus-dem.c
+++ b/libiberty/cplus-dem.c
@@ -1237,11 +1237,13 @@  squangle_mop_up (struct work_stuff *work)
     {
       free ((char *) work -> btypevec);
       work->btypevec = NULL;
+      work->bsize = 0;
     }
   if (work -> ktypevec != NULL)
     {
       free ((char *) work -> ktypevec);
       work->ktypevec = NULL;
+      work->ksize = 0;
     }
 }
 
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index aebf01b..e214ee5 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -4421,3 +4421,13 @@  void baz<int>(A<sizeof (foo((int)(), (floatcomplex )00000000_00000000))>*)
 --format=gnu-v3
 _Z3fooI1FEN1XIXszdtcl1PclcvT__EEE5arrayEE4TypeEv
 X<sizeof ((P(((F)())())).array)>::Type foo<F>()
+#
+# Tests a use-after-free problem
+
+_Q.__0
+::Q.(void)
+#
+# Tests a use-after-free problem
+
+_Q10-__9cafebabe.
+cafebabe.::-(void)