[RS6000] Fix potential buffer overflow

Message ID 20190204101631.GC6967@bubble.grove.modra.org
State New

Commit Message

Alan Modra Feb. 4, 2019, 10:16 a.m. UTC
It looks like I forgot to count the extra load of r2 for ABI_AIX
indirect calls when calculating the buffer size needed by
rs6000_indirect_call_template.  This patch fixes the miscalculation.
Tested by building a powerpc64le-linux compiler.  OK to apply?

	* config/rs6000/rs6000.c (rs6000_indirect_call_template_1): Increase
	str[] size to 160.  Comment.

Comments

Segher Boessenkool Feb. 4, 2019, 11:13 a.m. UTC | #1
On Mon, Feb 04, 2019 at 08:46:31PM +1030, Alan Modra wrote:
> It looks like I forgot to count the extra load of r2 for ABI_AIX
> indirect calls when calculating the buffer size needed by
> rs6000_indirect_call_template.  This patch fixes the miscalculation.
> Tested by building a powerpc64le-linux compiler.  OK to apply?

Yes, this is fine.  Thanks!

> 	* config/rs6000/rs6000.c (rs6000_indirect_call_template_1): Increase
> 	str[] size to 160.  Comment.

"Add comment" may be clearer?


Segher

Patch

diff --git a/gcc/config/rs6000/rs6000.c b/gcc/config/rs6000/rs6000.c
index 401e7194887..5f40f2c6024 100644
--- a/gcc/config/rs6000/rs6000.c
+++ b/gcc/config/rs6000/rs6000.c
@@ -21609,10 +21609,47 @@  rs6000_indirect_call_template_1 (rtx *operands, unsigned int funop,
 				 bool sibcall)
 {
   /* -Wformat-overflow workaround, without which gcc thinks that %u
-      might produce 10 digits.  */
+     might produce 10 digits.  Note that -Wformat-overflow will not
+     currently warn here for str[], so do not rely on a warning to
+     ensure str[] is correctly sized.  */
   gcc_assert (funop <= MAX_RECOG_OPERANDS);
 
-  static char str[144];  /* 1 spare */
+  /* Currently, funop is either 0 or 1.  The maximum string is always
+     a !speculate 64-bit __tls_get_addr call.
+
+     ABI_AIX:
+     .  9	ld 2,%3\n\t
+     . 27	.reloc .,R_PPC64_TLSGD,%2\n\t
+     . 29	.reloc .,R_PPC64_PLTSEQ,%z1\n\t
+     .  9	crset 2\n\t
+     . 27	.reloc .,R_PPC64_TLSGD,%2\n\t
+     . 30	.reloc .,R_PPC64_PLTCALL,%z1\n\t
+     . 10	beq%T1l-\n\t
+     . 10	ld 2,%4(1)
+     .---
+     .151
+
+     ABI_ELFv2:
+     . 27	.reloc .,R_PPC64_TLSGD,%2\n\t
+     . 29	.reloc .,R_PPC64_PLTSEQ,%z1\n\t
+     .  9	crset 2\n\t
+     . 27	.reloc .,R_PPC64_TLSGD,%2\n\t
+     . 30	.reloc .,R_PPC64_PLTCALL,%z1\n\t
+     . 10	beq%T1l-\n\t
+     . 10	ld 2,%3(1)
+     .---
+     .142
+
+     ABI_V4:
+     . 27	.reloc .,R_PPC64_TLSGD,%2\n\t
+     . 35	.reloc .,R_PPC64_PLTSEQ,%z1+32768\n\t
+     .  9	crset 2\n\t
+     . 27	.reloc .,R_PPC64_TLSGD,%2\n\t
+     . 36	.reloc .,R_PPC64_PLTCALL,%z1+32768\n\t
+     .  8	beq%T1l-
+     .---
+     .141  */
+  static char str[160];  /* 8 spare */
   char *s = str;
   const char *ptrload = TARGET_64BIT ? "d" : "wz";
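
Review bot: the new str[160] size rests entirely on the hand-counted table in the comment, and the comment itself says -Wformat-overflow will not warn for str[], so nothing in the visible lines would catch the next miscount if a template grows. Since s walks through str, consider asserting once the string has been built that s is still below str + sizeof (str), so a future overrun of this static buffer fails in gcc_assert instead of writing past the array. Separately, the ABI_V4 column sums to 142 (27 + 35 + 9 + 27 + 36 + 8), not the 141 shown; this does not change the required size, because ABI_AIX at 151 remains the maximum, but the table is the only sizing evidence here and should add up.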