https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107549
Bug ID: 107549
Summary: heap-buffer-overflow in xt_true_regnum
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: jcmvbkbc at gcc dot gnu.org
Target Milestone: ---
Building the gcc.dg/Winfinite-recursion-2.c testcase with a gcc built with ASAN and
configured for target=xtensa-linux-uclibc gives the following report:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110002cca0a at pc 0x00000303d2eb bp 0x7fff9ebb4c40 sp 0x7fff9ebb4c38
READ of size 2 at 0x6110002cca0a thread T0
    #0 0x303d2ea in xt_true_regnum(rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:501
    #1 0x303d9d8 in xtensa_valid_move(machine_mode, rtx_def**) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:534
    #2 0x3044e67 in xtensa_emit_move_sequence(rtx_def**, machine_mode) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:1274
    #3 0x3d80821 in gen_movsi(rtx_def*, rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.md:1000
    #4 0xe8a545 in rtx_insn* insn_gen_fn::operator()<rtx_def*, rtx_def*>(rtx_def*, rtx_def*) const /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/recog.h:407
    #5 0x13d970d in emit_move_insn_1(rtx_def*, rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/expr.cc:4172
    #6 0x13dc23c in emit_move_insn(rtx_def*, rtx_def*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/expr.cc:4342
    #7 0x1aa541a in emit_move_list /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira-emit.cc:927
    #8 0x1aa69d4 in emit_moves /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira-emit.cc:1032
    #9 0x1aaa3b8 in ira_emit(bool) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira-emit.cc:1303
    #10 0x1a25dc6 in ira /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira.cc:5780
    #11 0x1a27748 in execute /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/ira.cc:6084
    #12 0x1e9b8dc in execute_one_pass(opt_pass*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2644
    #13 0x1e9c3bf in execute_pass_list_1 /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2753
    #14 0x1e9c43a in execute_pass_list_1 /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2754
    #15 0x1e9c4de in execute_pass_list(function*, opt_pass*) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/passes.cc:2764
    #16 0x1030e5d in cgraph_node::expand() /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:1834
    #17 0x1032294 in expand_all_functions /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:2008
    #18 0x103418c in symbol_table::compile() /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:2358
    #19 0x1034b20 in symbol_table::finalize_compilation_unit() /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/cgraphunit.cc:2543
    #20 0x23f70b5 in compile_file /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/toplev.cc:471
    #21 0x23ff98c in do_compile /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/toplev.cc:2125
    #22 0x24003f7 in toplev::main(int, char**) /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/toplev.cc:2277
    #23 0x4823ffb in main /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/main.cc:39
    #24 0x7f7c3b61bd09 in __libc_start_main ../csu/libc-start.c:308
    #25 0x9e4609 in _start (/home/jcmvbkbc/ws/tensilica/gcc/builds/gcc-13-3563-gf36bba013361-windowed-be/gcc/cc1+0x9e4609)

0x6110002cca0a is located 0 bytes to the right of 202-byte region [0x6110002cc940,0x6110002cca0a)
allocated by thread T0 here:
    #0 0x7f7c3bdb3e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x49fb608 in xmalloc /home/jcmvbkbc/ws/tensilica/gcc/gcc/libiberty/xmalloc.c:149

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jcmvbkbc/ws/tensilica/gcc/gcc/gcc/config/xtensa/xtensa.cc:501 in xt_true_regnum(rtx_def*)
Shadow bytes around the buggy address:
0x0c22800518f0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280051900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280051910: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c2280051920: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c2280051930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2280051940: 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280051950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280051960: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c2280051970: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280051980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280051990: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
Printing the index used to access the reg_renumber array in xt_true_regnum
confirms that it goes way beyond the current reg_info_size.
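The report above already contains everything needed to turn the raw address into an array index and to see why the access was rejected. The following Python is an added illustration written for this page; it is not part of GCC or of the bug report. It parses the report's own lines (copied verbatim into a constant) and assumes two things that the text does not state outright: that the overflowed region is an array whose element size equals the 2-byte access size, and that the sanitizer uses the default x86-64 Linux shadow mapping (shadow = (addr >> 3) + 0x7fff8000), which is consistent with the shadow row addresses shown in the report.

```python
"""Derive the out-of-bounds element index and the shadow-byte verdict from an
AddressSanitizer heap-buffer-overflow report, using the numbers from PR 107549."""
import re

# Lines copied verbatim from the report in this bug; the parsing is added here
# as an illustration and is not GCC's or the reporter's code.
ASAN_REPORT = """\
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110002cca0a at pc 0x00000303d2eb bp 0x7fff9ebb4c40 sp 0x7fff9ebb4c38
READ of size 2 at 0x6110002cca0a thread T0
0x6110002cca0a is located 0 bytes to the right of 202-byte region [0x6110002cc940,0x6110002cca0a)
=>0x0c2280051940: 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# Assumption: default x86-64 Linux shadow mapping, one shadow byte per 8-byte granule.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)
SHADOW_ROW_RE = re.compile(r"^=>(0x[0-9a-f]+):(.*)$", re.M)


def parse_access(report):
    """Return (kind, access_size, address) from the 'READ/WRITE of size N at ...' line."""
    m = ACCESS_RE.search(report)
    if m is None:
        raise ValueError("no access line in report")
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def parse_region(report):
    """Return the allocation ASan matched the faulting address against."""
    m = REGION_RE.search(report)
    if m is None:
        raise ValueError("no region line in report")
    return {"size": int(m.group(4)),
            "start": int(m.group(5), 16),
            "end": int(m.group(6), 16)}


def element_index(report):
    """Treat the region as an array whose element size equals the access size
    (an assumption: ASan reports bytes, not types) and return
    (index_accessed, element_count)."""
    _kind, access_size, addr = parse_access(report)
    region = parse_region(report)
    if region["end"] - region["start"] != region["size"]:
        raise ValueError("region bounds disagree with the stated size")
    return (addr - region["start"]) // access_size, region["size"] // access_size


def shadow_verdict(report):
    """Locate the shadow byte for the faulting address in the '=>' row and
    explain why ASan rejected the access."""
    _kind, access_size, addr = parse_access(report)
    m = SHADOW_ROW_RE.search(report)
    if m is None:
        raise ValueError("no highlighted shadow row in report")
    row_base = int(m.group(1), 16)
    # The highlighted byte is printed as [xx]; strip the brackets by taking every hex pair.
    row = [int(b, 16) for b in re.findall(r"[0-9a-f]{2}", m.group(2))]
    shadow_addr = (addr >> SHADOW_SCALE) + SHADOW_OFFSET
    shadow = row[shadow_addr - row_base]
    # Shadow 0 = whole granule addressable; 1..7 = only the first k bytes are;
    # values >= 0x80 (0xfa heap redzone, 0xfd freed) = nothing addressable.
    addressable = 8 if shadow == 0 else (shadow if shadow < 8 else 0)
    granule_offset = addr & ((1 << SHADOW_SCALE) - 1)
    return {"shadow_addr": shadow_addr,
            "shadow_byte": shadow,
            "addressable_bytes": addressable,
            "granule_offset": granule_offset,
            "poisoned": granule_offset + access_size > addressable}


if __name__ == "__main__":
    idx, count = element_index(ASAN_REPORT)
    print(f"element index {idx} accessed in an array of {count} elements")
    print(shadow_verdict(ASAN_REPORT))
```

For this report the arithmetic gives index 101 into a 101-element array of 2-byte entries, i.e. the first element past the end, and the shadow byte 0x02 says only the first two bytes of that 8-byte granule are addressable while the read starts at byte 2 of it. That is the mechanical reason the sanitizer fires; the reporter's note that the printed index goes well beyond reg_info_size explains how the out-of-range regno got there.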