[src/trunk]: src/usr.bin/xlint/lint1 tests/lint: demonstrate use-after-free i...
details: https://anonhg.NetBSD.org/src/rev/b6b6e3b490b1
branches: trunk
changeset: 377510:b6b6e3b490b1
user: rillig <rillig%NetBSD.org@localhost>
date: Sat Jul 15 12:24:57 2023 +0000
description:
tests/lint: demonstrate use-after-free in GCC statement expression
diffstat:
distrib/sets/lists/tests/mi | 3 +-
tests/usr.bin/xlint/lint1/gcc_statement_expression.c | 27 ++++++++++++++++++++
usr.bin/xlint/lint1/tree.c | 20 +++++++++++---
3 files changed, 44 insertions(+), 6 deletions(-)
diffs (100 lines):
diff -r 65aa8e40b835 -r b6b6e3b490b1 distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi Sat Jul 15 09:53:46 2023 +0000
+++ b/distrib/sets/lists/tests/mi Sat Jul 15 12:24:57 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1276 2023/07/12 18:13:39 rillig Exp $
+# $NetBSD: mi,v 1.1277 2023/07/15 12:24:57 rillig Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -6681,6 +6681,7 @@
./usr/tests/usr.bin/xlint/lint1/gcc_cast_union.exp tests-obsolete obsolete,atf
./usr/tests/usr.bin/xlint/lint1/gcc_init_compound_literal.c tests-usr.bin-tests compattestfile,atf
./usr/tests/usr.bin/xlint/lint1/gcc_init_compound_literal.exp tests-obsolete obsolete,atf
+./usr/tests/usr.bin/xlint/lint1/gcc_statement_expression.c tests-usr.bin-tests compattestfile,atf
./usr/tests/usr.bin/xlint/lint1/gcc_stmt_asm.c tests-usr.bin-tests compattestfile,atf
./usr/tests/usr.bin/xlint/lint1/gcc_stmt_asm.exp tests-obsolete obsolete,atf
./usr/tests/usr.bin/xlint/lint1/gcc_typeof.c tests-usr.bin-tests compattestfile,atf
diff -r 65aa8e40b835 -r b6b6e3b490b1 tests/usr.bin/xlint/lint1/gcc_statement_expression.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/usr.bin/xlint/lint1/gcc_statement_expression.c Sat Jul 15 12:24:57 2023 +0000
@@ -0,0 +1,27 @@
+/* $NetBSD: gcc_statement_expression.c,v 1.1 2023/07/15 12:24:57 rillig Exp $ */
+# 3 "gcc_statement_expression.c"
+
+/*
+ * Tests for the GCC extension 'statement expressions', which allows a block of
+ * statements to occur as part of an expression.
+ */
+
+
+// Ensure that the inner types are accessible from outside the block.
+// Depending on the memory management strategy, the inner types might be freed
+// too early.
+static inline int
+use_inner_type_from_outside(void)
+{
+ int x = ({
+ struct outer {
+ struct inner {
+ int member;
+ } inner;
+ } outer = { { 3 } };
+ // TODO: Move the '.inner.member' out of the statement
+ // expression, without a use-after-free crash.
+ outer.inner.member;
+ });
+ return x;
+}
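Review bot: The comment above use_inner_type_from_outside ("Ensure that the inner types are accessible from outside the block") and the function's name describe a check the test does not yet perform: `outer.inner.member` is evaluated inside the statement expression, so the only thing exercised is that lint gets through the block without crashing, as the TODO on the two preceding lines admits. Say so explicitly so nobody reads this file as covering the use-after-free it was added to demonstrate, e.g. `// For now this only checks that lint survives the block; the member access` / `// still happens inside it, so the inner types are not yet used from outside.` The file carries no `/* expect+N: ... */` annotations, so it presumably passes only when lint is silent; if the lint1 test harness expects an explicit no-diagnostics marker, add one.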
diff -r 65aa8e40b835 -r b6b6e3b490b1 usr.bin/xlint/lint1/tree.c
--- a/usr.bin/xlint/lint1/tree.c Sat Jul 15 09:53:46 2023 +0000
+++ b/usr.bin/xlint/lint1/tree.c Sat Jul 15 12:24:57 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tree.c,v 1.566 2023/07/14 09:20:23 rillig Exp $ */
+/* $NetBSD: tree.c,v 1.567 2023/07/15 12:24:57 rillig Exp $ */
/*
* Copyright (c) 1994, 1995 Jochen Pohl
@@ -37,7 +37,7 @@
#include <sys/cdefs.h>
#if defined(__RCSID)
-__RCSID("$NetBSD: tree.c,v 1.566 2023/07/14 09:20:23 rillig Exp $");
+__RCSID("$NetBSD: tree.c,v 1.567 2023/07/15 12:24:57 rillig Exp $");
#endif
#include <float.h>
@@ -4794,6 +4794,8 @@ static stmt_expr *stmt_exprs;
void
begin_statement_expr(void)
{
+ debug_enter();
+
stmt_expr *se = xmalloc(sizeof(*se));
se->se_mem = expr_save_memory();
se->se_sym = NULL;
@@ -4818,13 +4820,21 @@ do_statement_expr(tnode_t *tn)
tnode_t *
end_statement_expr(void)
{
+ tnode_t *tn;
+
stmt_expr *se = stmt_exprs;
- if (se->se_sym == NULL)
- return NULL; /* after a syntax error */
- tnode_t *tn = build_name(se->se_sym, false);
+ if (se->se_sym == NULL) {
+ tn = NULL; /* after a syntax error */
+ goto end;
+ }
+
+ tn = build_name(se->se_sym, false);
(void)expr_save_memory(); /* leak */
expr_restore_memory(se->se_mem);
stmt_exprs = se->se_enclosing;
free(se);
+
+end:
+ debug_leave();
return tn;
}
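Review bot: The syntax-error path behind the new `goto end` still skips `stmt_exprs = se->se_enclosing; free(se);`, so the `stmt_expr` record pushed by begin_statement_expr is never popped and `se` is leaked; the commit only adds the debug_leave() there, the imbalance itself predates it. Moving `stmt_exprs = se->se_enclosing;` and `free(se);` above the `end:` label, keeping only the build_name / expr_save_memory / expr_restore_memory trio in the non-error branch, leaves the stack consistent on both exits; whether expr_restore_memory(se->se_mem) should also run after a syntax error depends on what the parser does next, which is not visible here. The `(void)expr_save_memory(); /* leak */` line would read better if the comment said what is leaked and why, e.g. `/* deliberately leaked: tn and the types declared inside the block still point into this arena */`, since that is presumably the use-after-free the commit message refers to. `se = stmt_exprs` is also dereferenced without a NULL check; if error recovery can reach end_statement_expr without a matching begin_statement_expr this is a NULL dereference, which should be confirmed against the grammar.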