Message ID | 36dc1688-d9f5-4f8b-ffd1-ffb1b19f06ab@suse.cz |
---|---|
State | New |
Series | lto-wrapper: fix memory corruption. |
Commit Message
Martin Liška
Nov. 10, 2021, 10:46 a.m. UTC
Patch can bootstrap on x86_64-linux-gnu and survives regression tests.

Ready to be installed?

The first argument of merge_and_complain is actually vector where
we merge options and it should be propagated to caller properly.

Fixes:

==6656== Invalid read of size 8
==6656==    at 0x408056: merge_and_complain (lto-wrapper.c:335)
==6656==    by 0x408056: find_and_merge_options(int, long, char const*, vec<cl_decoded_option, va_heap, vl_ptr>, vec<cl_decoded_option, va_heap, vl_ptr>*, char const*) (lto-wrapper.c:1139)
==6656==    by 0x408AFC: run_gcc(unsigned int, char**) (lto-wrapper.c:1505)
==6656==    by 0x4061A2: main (lto-wrapper.c:2138)
==6656==  Address 0x4e69b18 is 344 bytes inside a block of size 1,768 free'd
==6656==    at 0x484339F: realloc (vg_replace_malloc.c:1192)
==6656==    by 0x4993C0: xrealloc (xmalloc.c:181)
==6656==    by 0x406A82: reserve<cl_decoded_option> (vec.h:290)
==6656==    by 0x406A82: reserve (vec.h:1858)
==6656==    by 0x406A82: vec<cl_decoded_option, va_heap, vl_ptr>::safe_push(cl_decoded_option const&) [clone .isra.0] (vec.h:1967)
==6656==    by 0x4077E0: merge_and_complain (lto-wrapper.c:457)
==6656==    by 0x4077E0: find_and_merge_options(int, long, char const*, vec<cl_decoded_option, va_heap, vl_ptr>, vec<cl_decoded_option, va_heap, vl_ptr>*, char const*) (lto-wrapper.c:1139)
==6656==    by 0x408AFC: run_gcc(unsigned int, char**) (lto-wrapper.c:1505)
==6656==    by 0x4061A2: main (lto-wrapper.c:2138)
==6656==  Block was alloc'd at
==6656==    at 0x483E70F: malloc (vg_replace_malloc.c:380)
==6656==    by 0x4993D7: xrealloc (xmalloc.c:179)
==6656==    by 0x407476: reserve<cl_decoded_option> (vec.h:290)
==6656==    by 0x407476: reserve (vec.h:1858)
==6656==    by 0x407476: reserve_exact (vec.h:1878)
==6656==    by 0x407476: create (vec.h:1893)
==6656==    by 0x407476: get_options_from_collect_gcc_options(char const*, char const*) (lto-wrapper.c:163)
==6656==    by 0x407674: find_and_merge_options(int, long, char const*, vec<cl_decoded_option, va_heap, vl_ptr>, vec<cl_decoded_option, va_heap, vl_ptr>*, char const*) (lto-wrapper.c:1132)
==6656==    by 0x408AFC: run_gcc(unsigned int, char**) (lto-wrapper.c:1505)
==6656==    by 0x4061A2: main (lto-wrapper.c:2138)

gcc/ChangeLog:

	* lto-wrapper.c (merge_and_complain): Make the first argument
	a reference type.
---
 gcc/lto-wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
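The failure mode described in the commit message, as an added example that is not code from GCC or from the patch author: a vector handle passed by value is grown by the callee, the storage moves, and the caller keeps the old pointer and length. `Handle`, `push`, `merge_by_value`, `merge_by_ref` and `run` are hypothetical names for a simplified model, not GCC's `vec`.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Hypothetical stand-in for a pointer-handle vector (not GCC's vec):
// copying a Handle copies the pointer and length, not the elements.
struct Handle { int *data; std::size_t len, cap; };

static Handle make(std::size_t cap) {
  return Handle{static_cast<int *>(std::malloc(cap * sizeof(int))), 0, cap};
}

// Growth always moves to a fresh block, so the old address becomes invalid.
static void push(Handle &h, int v) {
  if (h.len == h.cap) {
    int *fresh = static_cast<int *>(std::malloc(2 * h.cap * sizeof(int)));
    if (!fresh) std::abort();
    std::memcpy(fresh, h.data, h.len * sizeof(int));
    std::free(h.data);
    h.data = fresh; h.cap *= 2;
  }
  h.data[h.len++] = v;
}

// Before the fix: the callee grows its private copy of the handle.
static Handle merge_by_value(Handle h, int v) { push(h, v); return h; }
// After the fix: the callee grows the caller's handle.
static void merge_by_ref(Handle &h, int v) { push(h, v); }

struct Outcome { bool storage_moved; bool caller_in_sync; };
// Only handle fields are compared; the stale block is never dereferenced.
static Outcome run(bool by_ref) {
  Handle caller = make(1);
  push(caller, 1);  // now full: the next push relocates the storage
  std::uintptr_t before = reinterpret_cast<std::uintptr_t>(caller.data);
  Handle live;
  if (by_ref) { merge_by_ref(caller, 2); live = caller; }
  else live = merge_by_value(caller, 2);
  Outcome o{before != reinterpret_cast<std::uintptr_t>(live.data),
            caller.len == live.len};
  std::free(live.data);
  return o;
}

int main() {
  std::printf("by value: caller in sync = %d\n", run(false).caller_in_sync);
  std::printf("by ref:   caller in sync = %d\n", run(true).caller_in_sync);
}
```

In the by-value case any later read through the caller's handle would touch the freed block, which is the read Valgrind reports above.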
Comments
On Wed, Nov 10, 2021 at 11:47 AM Martin Liška <mliska@suse.cz> wrote:
>
> Patch can bootstrap on x86_64-linux-gnu and survives regression tests.
>
> Ready to be installed?

OK. Is this also latent on branches?

> The first argument of merge_and_complain is actually vector where
> we merge options and it should be propagated to caller properly.
>
> Fixes:
>
> ==6656== Invalid read of size 8
> ==6656==    at 0x408056: merge_and_complain (lto-wrapper.c:335)
> ==6656==    by 0x408056: find_and_merge_options(int, long, char const*, vec<cl_decoded_option, va_heap, vl_ptr>, vec<cl_decoded_option, va_heap, vl_ptr>*, char const*) (lto-wrapper.c:1139)
> ==6656==    by 0x408AFC: run_gcc(unsigned int, char**) (lto-wrapper.c:1505)
> ==6656==    by 0x4061A2: main (lto-wrapper.c:2138)
> ==6656==  Address 0x4e69b18 is 344 bytes inside a block of size 1,768 free'd
> ==6656==    at 0x484339F: realloc (vg_replace_malloc.c:1192)
> ==6656==    by 0x4993C0: xrealloc (xmalloc.c:181)
> ==6656==    by 0x406A82: reserve<cl_decoded_option> (vec.h:290)
> ==6656==    by 0x406A82: reserve (vec.h:1858)
> ==6656==    by 0x406A82: vec<cl_decoded_option, va_heap, vl_ptr>::safe_push(cl_decoded_option const&) [clone .isra.0] (vec.h:1967)
> ==6656==    by 0x4077E0: merge_and_complain (lto-wrapper.c:457)
> ==6656==    by 0x4077E0: find_and_merge_options(int, long, char const*, vec<cl_decoded_option, va_heap, vl_ptr>, vec<cl_decoded_option, va_heap, vl_ptr>*, char const*) (lto-wrapper.c:1139)
> ==6656==    by 0x408AFC: run_gcc(unsigned int, char**) (lto-wrapper.c:1505)
> ==6656==    by 0x4061A2: main (lto-wrapper.c:2138)
> ==6656==  Block was alloc'd at
> ==6656==    at 0x483E70F: malloc (vg_replace_malloc.c:380)
> ==6656==    by 0x4993D7: xrealloc (xmalloc.c:179)
> ==6656==    by 0x407476: reserve<cl_decoded_option> (vec.h:290)
> ==6656==    by 0x407476: reserve (vec.h:1858)
> ==6656==    by 0x407476: reserve_exact (vec.h:1878)
> ==6656==    by 0x407476: create (vec.h:1893)
> ==6656==    by 0x407476: get_options_from_collect_gcc_options(char const*, char const*)
(lto-wrapper.c:163) > ==6656== by 0x407674: find_and_merge_options(int, long, char const*, vec<cl_decoded_option, va_heap, vl_ptr>, vec<cl_decoded_option, va_heap, vl_ptr>*, char const*) (lto-wrapper.c:1132) > ==6656== by 0x408AFC: run_gcc(unsigned int, char**) (lto-wrapper.c:1505) > ==6656== by 0x4061A2: main (lto-wrapper.c:2138) > > gcc/ChangeLog: > > * lto-wrapper.c (merge_and_complain): Make the first argument > a reference type. > --- > gcc/lto-wrapper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/gcc/lto-wrapper.c b/gcc/lto-wrapper.c > index 7b9e4883f38..54f642d7692 100644 > --- a/gcc/lto-wrapper.c > +++ b/gcc/lto-wrapper.c > @@ -224,7 +224,7 @@ merge_flto_options (vec<cl_decoded_option> &decoded_options, > ontop of DECODED_OPTIONS. */ > > static void > -merge_and_complain (vec<cl_decoded_option> decoded_options, > +merge_and_complain (vec<cl_decoded_option> &decoded_options, > vec<cl_decoded_option> fdecoded_options, > vec<cl_decoded_option> decoded_cl_options) > { > -- > 2.33.1 >
On 11/10/21 12:31, Richard Biener wrote:
> Is this also latent on branches?
No, I made the refactoring early in this stage 1 in
r12-741-g227a2ecf663d69972b851f51f1934d18927b62cd
Martin
diff --git a/gcc/lto-wrapper.c b/gcc/lto-wrapper.c index 7b9e4883f38..54f642d7692 100644 --- a/gcc/lto-wrapper.c +++ b/gcc/lto-wrapper.c @@ -224,7 +224,7 @@ merge_flto_options (vec<cl_decoded_option> &decoded_options, ontop of DECODED_OPTIONS. */ static void -merge_and_complain (vec<cl_decoded_option> decoded_options, +merge_and_complain (vec<cl_decoded_option> &decoded_options, vec<cl_decoded_option> fdecoded_options, vec<cl_decoded_option> decoded_cl_options) {
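Review bot: In the merge_and_complain signature only the first parameter becomes a reference; `vec<cl_decoded_option> fdecoded_options` and `vec<cl_decoded_option> decoded_cl_options` are still taken by value. If those two are read-only inputs, taking them as const references (where the vec API allows it) would state that in the signature and keep a later push through a by-value copy from repeating the stale-storage read shown in the commit message's Valgrind trace. The comment above the function ("ontop of DECODED_OPTIONS") could also say that DECODED_OPTIONS is updated in place, in line with merge_flto_options in the hunk header, which already takes `vec<cl_decoded_option> &decoded_options`.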