Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150525224629.GW17573@brightrain.aerifal.cx>
Date: Mon, 25 May 2015 18:46:29 -0400
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: ppc soft-float regression

On Mon, May 25, 2015 at 05:45:12PM -0400, Rich Felker wrote:
> @@ -74,6 +77,16 @@ void _dlstart_c(size_t *sp, size_t *dynv)
>  		*rel_addr = (size_t)base + rel[2];
>  	}
>  
> +	/* Prepare storage for stages 2 to save clobbered REL
> +	 * addends so they can be reused in stage 3. There should
> +	 * be very few. If something goes wrong and there are a
> +	 * huge number, pass a null pointer to trigger stage 2
> +	 * to abort instead of risking stack overflow. */
> +	int too_many_addends = symbolic_rel_cnt > 4096;
> +	size_t naddends = too_many_addends ? 1 : symbolic_rel_cnt;
> +	size_t addends[naddends];
> +	size_t *paddends = too_many_addends ? 0 : addends;
> +
>  	const char *strings = (void *)(base + dyn[DT_STRTAB]);
>  	const Sym *syms = (void *)(base + dyn[DT_SYMTAB]);

This logic could lead to a zero-sized VLA (thus UB); instead, trying:

	int too_many_addends = symbolic_rel_cnt > 4096;
	size_t naddends = too_many_addends ? 0 : symbolic_rel_cnt;
	size_t addends[naddends+1];
	size_t *paddends = too_many_addends ? 0 : addends;

Avoiding the wasteful +1 would involve more conditionals so I think
it's best just avoiding it. Alternatively this might be
simpler/smaller:

	size_t addends[symbolic_rel_cnt & LIMIT-1 | 1];
	size_t *paddends = symbolic_rel_cnt >= LIMIT ? 0 : addends;

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.