procyberian/gcc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[PATCH] RISC-V: Do not free a riscv_arch_string when handling target-arch attribute

Browse source 
The build_target_option_node() function may return a cached node when
fndecl having the same effective global_options. Therefore, freeing
memory used in target nodes can lead to a use-after-free issue, as a
target node may be shared by multiple fndecl.
This issue occurs in gcc.target/riscv/target-attr-16.c, where all
functions have the same march, but the last function tries to free its
old x_riscv_arch_string (which is shared) when processing the second
target attribute.However, the behavior of this issue depends on how the
OS handles malloc. It's very likely that xstrdup returns the old address
just freed, coincidentally hiding the issue. We can verify the issue by
forcing xstrdup to return a new address, e.g.,

-  if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
-    free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
+  // Force it to use a new address, NFCI
+  const char *tmp = opts->x_riscv_arch_string;
   opts->x_riscv_arch_string = xstrdup (local_arch_str);

+  if (tmp != default_opts->x_riscv_arch_string)
+    free (CONST_CAST (void *, (const void *) tmp));

This patch replaces xstrdup with ggc_strdup and let gc to take care of
unused strings.

gcc/ChangeLog:

	* config/riscv/riscv-target-attr.cc
	(riscv_target_attr_parser::update_settings):
	Do not manually free any arch string.
This commit is contained in:
翁愷邑 2025-04-17 16:24:20 -06:00 committed by Jeff Law
parent 3f0eccfd90
commit 2d6f1ca17f
1 changed files with 1 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
gcc/config/riscv/riscv-target-attr.cc
View file

@ -257,11 +257,7 @@ riscv_target_attr_parser::update_settings (struct gcc_options *opts) const
{
std::string local_arch = m_subset_list->to_string (true);
const char* local_arch_str = local_arch.c_str ();
struct cl_target_option *default_opts
= TREE_TARGET_OPTION (target_option_default_node);
if (opts->x_riscv_arch_string != default_opts->x_riscv_arch_string)
free (CONST_CAST (void *, (const void *) opts->x_riscv_arch_string));
opts->x_riscv_arch_string = xstrdup (local_arch_str);
opts->x_riscv_arch_string = ggc_strdup (local_arch_str);
riscv_set_arch_by_subset_list (m_subset_list, opts);
}