From 3fe255fd3f9b7f93c69d11d4bb0963793fc5edd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20M=C3=BCllner?= Date: Fri, 14 Jun 2024 20:37:04 +0200 Subject: [PATCH] riscv: Allocate enough space to strcpy() string MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I triggered an ICE on Ubuntu 24.04 when compiling code that uses function attributes. Looking into the sources shows that we have a systematic issue in the attribute handling code: * we determine the length with strlen() (excluding the terminating null) * we allocate a buffer with this length * we copy the original string using strcpy() (incl. the terminating null) To quote the man page of strcpy(): "The programmer is responsible for allocating a destination buffer large enough, that is, strlen(src) + 1." The ICE looks like this: *** buffer overflow detected ***: terminated xtheadmempair_bench.c:14:1: internal compiler error: Aborted 14 | { | ^ 0xaf3b99 crash_signal /home/ubuntu/src/gcc/scaleff/gcc/toplev.cc:319 0xe5b957 strcpy /usr/include/riscv64-linux-gnu/bits/string_fortified.h:79 0xe5b957 riscv_process_target_attr /home/ubuntu/src/gcc/scaleff/gcc/config/riscv/riscv-target-attr.cc:339 0xe5baaf riscv_process_target_attr /home/ubuntu/src/gcc/scaleff/gcc/config/riscv/riscv-target-attr.cc:314 0xe5bc5f riscv_option_valid_attribute_p(tree_node*, tree_node*, tree_node*, int) /home/ubuntu/src/gcc/scaleff/gcc/config/riscv/riscv-target-attr.cc:389 0x6a31e5 handle_target_attribute /home/ubuntu/src/gcc/scaleff/gcc/c-family/c-attribs.cc:5915 0x5d3a07 decl_attributes(tree_node**, tree_node*, int, tree_node*) /home/ubuntu/src/gcc/scaleff/gcc/attribs.cc:900 0x5db403 c_decl_attributes /home/ubuntu/src/gcc/scaleff/gcc/c/c-decl.cc:5501 0x5e8965 start_function(c_declspecs*, c_declarator*, tree_node*) /home/ubuntu/src/gcc/scaleff/gcc/c/c-decl.cc:10562 0x6318ed c_parser_declaration_or_fndef /home/ubuntu/src/gcc/scaleff/gcc/c/c-parser.cc:2914 0x63a8ad c_parser_external_declaration /home/ubuntu/src/gcc/scaleff/gcc/c/c-parser.cc:2048 0x63b219 c_parser_translation_unit /home/ubuntu/src/gcc/scaleff/gcc/c/c-parser.cc:1902 0x63b219 c_parse_file() /home/ubuntu/src/gcc/scaleff/gcc/c/c-parser.cc:27277 0x68fec5 c_common_parse_file() /home/ubuntu/src/gcc/scaleff/gcc/c-family/c-opts.cc:1311 Please submit a full bug report, with preprocessed source (by using -freport-bug). Please include the complete backtrace with any bug report. See for instructions. gcc/ChangeLog: * config/riscv/riscv-target-attr.cc (riscv_target_attr_parser::parse_arch): Fix allocation size of buffer. (riscv_process_one_target_attr): Likewise. (riscv_process_target_attr): Likewise. (cherry picked from commit 6762d5738b02d84ad3f51e89979b48acb68db65b) Signed-off-by: Christoph Müllner --- gcc/config/riscv/riscv-target-attr.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gcc/config/riscv/riscv-target-attr.cc b/gcc/config/riscv/riscv-target-attr.cc index 1a73d69bf50..19eb7b06d54 100644 --- a/gcc/config/riscv/riscv-target-attr.cc +++ b/gcc/config/riscv/riscv-target-attr.cc @@ -109,7 +109,7 @@ riscv_target_attr_parser::parse_arch (const char *str) { /* Parsing the extension list like "+[,+]*". */ size_t len = strlen (str); - std::unique_ptr buf (new char[len]); + std::unique_ptr buf (new char[len+1]); char *str_to_check = buf.get (); strcpy (str_to_check, str); const char *token = strtok_r (str_to_check, ",", &str_to_check); @@ -247,7 +247,7 @@ riscv_process_one_target_attr (char *arg_str, return false; } - std::unique_ptr buf (new char[len]); + std::unique_ptr buf (new char[len+1]); char *str_to_check = buf.get(); strcpy (str_to_check, arg_str); @@ -334,7 +334,7 @@ riscv_process_target_attr (tree fndecl, tree args, location_t loc, return false; } - std::unique_ptr buf (new char[len]); + std::unique_ptr buf (new char[len+1]); char *str_to_check = buf.get (); strcpy (str_to_check, TREE_STRING_POINTER (args));