From patchwork Thu Sep 3 13:01:16 2020
From: Alan Modra
Date: Thu, 3 Sep 2020 22:31:16 +0930
To: gcc-patches@gcc.gnu.org
Cc: Ian Lance Taylor
Subject: ubsan: d-demangle.c:214 signed integer overflow
Message-ID: <20200903130116.GQ15695@bubble.grove.modra.org>

Running the libiberty testsuite

  ./test-demangle < libiberty/testsuite/d-demangle-expected

  libiberty/d-demangle.c:214:14: runtime error: signed integer overflow: 922337203 * 10 cannot be represented in type 'long int'

On looking at silencing ubsan, I found a real bug in dlang_number.  For a
32-bit long, some overflows won't be detected.  For example, 21474836480.
Why?  Well 214748364 * 10 is 0x7FFFFFF8 (no overflow so far).  Adding 8
gives 0x80000000 (which does overflow but there is no test for that
overflow in the code).  Then multiplying 0x80000000 * 10 = 0x500000000 = 0
won't be caught by the multiplication overflow test.  The same holds for a
64-bit long using similarly crafted digit sequences.

This patch replaces the mod 10 test with a simpler limit test, and
similarly the mod 26 test in dlang_decode_backref.  About the limit test:

  val * 10 + digit > ULONG_MAX

is the condition for overflow, i.e.

  val * 10 > ULONG_MAX - digit

or

  val > (ULONG_MAX - digit) / 10

or, assuming the largest digit,

  val > (ULONG_MAX - 9) / 10

I resisted the aesthetic appeal of simplifying this further to
val > -10UL / 10 since -1UL for ULONG_MAX is only correct for 2's
complement numbers.

Passes all the libiberty tests, on both 32-bit and 64-bit hosts.  OK to apply?

	* d-demangle.c: Include limits.h.
	(ULONG_MAX): Provide fall-back definition.
	(dlang_number): Simplify and correct overflow test.  Only write *ret
	on returning non-NULL.
	(dlang_decode_backref): Likewise.
diff --git a/libiberty/d-demangle.c b/libiberty/d-demangle.c index f2d6946eca..59e6ae007a 100644 --- a/libiberty/d-demangle.c +++ b/libiberty/d-demangle.c @@ -31,6 +31,9 @@ If not, see . */ #ifdef HAVE_CONFIG_H #include "config.h" #endif +#ifdef HAVE_LIMITS_H +#include +#endif #include "safe-ctype.h" @@ -45,6 +48,10 @@ If not, see . */ #include #include "libiberty.h" +#ifndef ULONG_MAX +#define ULONG_MAX (~0UL) +#endif + /* A mini string-handling package */ typedef struct string /* Beware: these aren't required to be */ @@ -207,24 +214,24 @@ dlang_number (const char *mangled, long *ret) if (mangled == NULL || !ISDIGIT (*mangled)) return NULL; - (*ret) = 0; + unsigned long val = 0; while (ISDIGIT (*mangled)) { - (*ret) *= 10; - - /* If an overflow occured when multiplying by ten, the result - will not be a multiple of ten. */ - if ((*ret % 10) != 0) + /* Check for overflow. Yes, we return NULL here for some digits + that don't overflow "val * 10 + digit", but that doesn't + matter given the later "(long) val < 0" test. */ + if (val > (ULONG_MAX - 9) / 10) return NULL; - (*ret) += mangled[0] - '0'; + val = val * 10 + mangled[0] - '0'; mangled++; } - if (*mangled == '\0' || *ret < 0) + if (*mangled == '\0' || (long) val < 0) return NULL; + *ret = val; return mangled; } @@ -294,24 +301,24 @@ dlang_decode_backref (const char *mangled, long *ret) [A-Z] NumberBackRef ^ */ - (*ret) = 0; + unsigned long val = 0; while (ISALPHA (*mangled)) { - (*ret) *= 26; + /* Check for overflow. */ + if (val > (ULONG_MAX - 25) / 26) + break; - /* If an overflow occured when multiplying by 26, the result - will not be a multiple of 26. */ - if ((*ret % 26) != 0) - return NULL; + val *= 26; if (mangled[0] >= 'a' && mangled[0] <= 'z') { - (*ret) += mangled[0] - 'a'; + val += mangled[0] - 'a'; + *ret = val; return mangled + 1; } - (*ret) += mangled[0] - 'A'; + val += mangled[0] - 'A'; mangled++; }
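Review bot: in the dlang_number hunk, the final `(long) val < 0` test converts an unsigned long that may exceed LONG_MAX to long, which the C standard leaves implementation-defined; since limits.h is now included, `val > LONG_MAX` expresses the same rejection as a well-defined comparison and needs no cast. Also, `unsigned long val = 0;` now follows the `return NULL;` statement; if libiberty is meant to stay C89-clean, move the declaration to the top of the block.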
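Review bot: in the dlang_decode_backref hunk, the overflow path now does `break;` where the old code did `return NULL;`, so correctness depends on the code after the loop (outside this hunk's context) returning NULL without writing *ret; if it does, the behaviour is unchanged, but the ChangeLog's "Likewise" hides this difference from dlang_number, so either keep `return NULL;` for symmetry or state in the comment that the post-loop return handles it. The limit `(ULONG_MAX - 25) / 26` itself is right: after `val *= 26;` the loop adds at most 25 (`'Z' - 'A'` or `'z' - 'a'`).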
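The 21474836480 walk-through from the mail, as an added example that is not part of the mail or of libiberty: both parsers are modelled on a fixed 32-bit type so the result is the same on any host, the wrap-around that the real signed code hits as undefined behaviour is done on uint32_t, and the final check is written as val > INT32_MAX instead of the patch's (long) val < 0 (names old_number32, new_number32 and parse_or_neg1 are mine).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Pre-patch dlang_number on a 32-bit long, modelled with uint32_t so the
   wrap the real signed code hits as UB is deterministic (0x80000000 * 10 = 0). */
static const char *old_number32 (const char *mangled, int32_t *ret)
{
  uint32_t v = 0;
  if (mangled == NULL || !isdigit ((unsigned char) *mangled))
    return NULL;
  while (isdigit ((unsigned char) *mangled))
    {
      v *= 10;                            /* (*ret) *= 10 */
      if ((int32_t) v % 10 != 0)          /* "not a multiple of ten" test */
        return NULL;
      v += (uint32_t) (mangled[0] - '0'); /* unchecked add: 0x7FFFFFF8 + 8 */
      mangled++;
    }
  if (*mangled == '\0' || (int32_t) v < 0)
    return NULL;
  *ret = (int32_t) v;
  return mangled;
}

/* Post-patch logic.  Last test is val > INT32_MAX rather than (long) val < 0
   so it does not rely on implementation-defined signed conversion.  */
static const char *new_number32 (const char *mangled, int32_t *ret)
{
  uint32_t val = 0;
  if (mangled == NULL || !isdigit ((unsigned char) *mangled))
    return NULL;
  while (isdigit ((unsigned char) *mangled))
    {
      if (val > (UINT32_MAX - 9) / 10)    /* val * 10 + 9 would wrap */
        return NULL;
      val = val * 10 + (uint32_t) (mangled[0] - '0');
      mangled++;
    }
  if (*mangled == '\0' || val > INT32_MAX)
    return NULL;
  *ret = (int32_t) val;
  return mangled;
}
/* Parsed value, or -1 when the parser returned NULL (rejected the input).  */
static long parse_or_neg1 (const char *(*fn) (const char *, int32_t *), const char *s)
{
  int32_t r = 0;
  return fn (s, &r) ? (long) r : -1L;
}
```

A trailing '_' in the inputs stands for the rest of a mangled name, since both parsers reject a number that ends the string; the old parser accepts "21474836480_" with the value 0 while the new one rejects it.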