This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[RISCV] Use after free in gas/config/tc-riscv.c: riscv_set_arch()

From: "Klaus Kruse Pedersen (Klaus)" <klauskpedersen at rdamicro dot com>
To: "binutils at sourceware dot org" <binutils at sourceware dot org>
Date: Wed, 26 Jul 2017 04:48:26 +0000
Subject: [RISCV] Use after free in gas/config/tc-riscv.c: riscv_set_arch()
Authentication-results: sourceware.org; auth=none


The code below will pass a pointer to a free'd string to as_fatal()
when more than one extension is been specified:

 151 const char *extension = NULL;
[...]
 187   while (*p)
 188     {
 189       if (*p == 'x')
 190         {
 191           char *subset = xstrdup (p), *q = subset;
 192 
 193           while (*++q != '\0' && *q != '_')
 194             ;
 195           *q = '\0';
 196 
 197           if (extension)
 198             as_fatal ("-march=%s: only one non-standard extension
is supported"
 199                       " (found `%s' and `%s')", s, extension,
subset);

Problem is here:

 200           extension = subset;
 201           riscv_add_subset (subset);
 202           p += strlen (subset);
 203           free (subset);
 204         }
[...]

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blob;f=gas/c
onfig/tc-
riscv.c;h=55c41c5db3c9240e8da3cdf8906cfb745d041c6f;hb=HEAD#l187

Follow-Ups:
- Re: [RISCV] Use after free in gas/config/tc-riscv.c: riscv_set_arch()
  - From: Andrew Waterman

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]