Hi, I've backported r268189 to GCC8:
aarch64: fix use-after-free in -march=native (PR driver/89014)

Running:
  $ valgrind ./xgcc -B. -c test.c -march=native
on aarch64 shows a use-after-free in host_detect_local_cpu due to the std::string result of aarch64_get_extension_string_for_isa_flags only living until immediately after a c_str call. This leads to corrupt "-march=" values being passed to cc1.

This patch fixes the use-after-free, though it appears to also need Tamar's patch here:
  https://gcc.gnu.org/ml/gcc-patches/2018-12/msg01302.html
in order to generate valid values for cc1. This may have worked by accident in the past, if the corrupt "-march=" value happened to be 0-terminated in the "right" place; with this patch it now appears to reliably break without Tamar's patch.

Backport from mainline
2019-01-23  David Malcolm  <dmalc...@redhat.com>

	PR driver/89014
	* config/aarch64/driver-aarch64.c (host_detect_local_cpu): Fix
	use-after-free of the result of
	aarch64_get_extension_string_for_isa_flags.

Modified:
    branches/gcc-8-branch/gcc/ChangeLog
    branches/gcc-8-branch/gcc/config/aarch64/driver-aarch64.c

-- --- branches/gcc-8-branch/gcc/config/aarch64/driver-aarch64.c 2019/11/29 15:02:35 278853 +++ branches/gcc-8-branch/gcc/config/aarch64/driver-aarch64.c 2019/11/29 17:22:30 278854 @@ -179,7 +179,6 @@ unsigned int variants[2] = { ALL_VARIANTS, ALL_VARIANTS }; unsigned int n_variants = 0; bool processed_exts = false; - const char *ext_string = ""; unsigned long extension_flags = 0; unsigned long default_flags = 0; @@ -357,11 +356,12 @@ if (tune) return res; - ext_string - = aarch64_get_extension_string_for_isa_flags (extension_flags, - default_flags).c_str (); - - res = concat (res, ext_string, NULL); + { + std::string extension + = aarch64_get_extension_string_for_isa_flags (extension_flags, + default_flags); + res = concat (res, extension.c_str (), NULL); + } return res;
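Review bot: dropping `const char *ext_string = "";` in the first hunk (@@ -179,7 +179,6 @@) is correct, since its only assignment is replaced by a block-scoped `std::string` in the second hunk and nothing else in the function reads it. A function-scope `const char *` that stores the output of `.c_str ()` is exactly the shape that let the pointer outlive the string here, so a follow-up should not reintroduce one; if a C string is ever needed beyond the block, copy it with `xstrdup` rather than keeping the `.c_str ()` pointer.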
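Review bot: in the second hunk (@@ -357,11 +356,12 @@), `res = concat (res, extension.c_str (), NULL);` is safe only because `extension` is a named local whose lifetime spans the `concat` call; the removed code took `.c_str ()` of the unnamed temporary returned by `aarch64_get_extension_string_for_isa_flags`, and that temporary was destroyed at the end of the `ext_string = ...` statement, so `concat` read freed memory. A shorter equivalent is to call `.c_str ()` inside the `concat` argument list, since a temporary lives until the end of the full-expression that creates it, but the named variable documents the intent, so keep it. The commit message states that valid `-march=` values also need Tamar's patch (msg01302) and that this hunk "reliably" breaks without it; the backport mail should say whether that change is on gcc-8-branch before this goes in, otherwise the branch trades an accidentally-working `-march=native` for a consistently wrong one.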
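The lifetime rule behind this bug, as an added example that is not part of the patch or of GCC's driver code: a `std::string` returned by value and never bound to a name is destroyed at the end of the full-expression that created it, so a `const char *` taken from its `c_str()` dangles before the next statement runs. `Tracked` and `extension_string_for_flags` are hypothetical stand-ins (the flag-to-extension mapping is invented, not the aarch64 table) whose destructor is observable, so the two patterns can be compared without dereferencing freed memory.

```cpp
#include <string>
#include <utility>

// Counts destructions of live (not moved-from) Tracked objects.
static int g_destroyed = 0;

// Hypothetical stand-in for the std::string returned by
// aarch64_get_extension_string_for_isa_flags: same c_str() interface,
// but every destruction of a live object is recorded.
struct Tracked {
  std::string s;
  bool live = true;
  explicit Tracked(std::string v) : s(std::move(v)) {}
  Tracked(Tracked &&o) noexcept : s(std::move(o.s)), live(true) { o.live = false; }
  Tracked(const Tracked &) = delete;
  ~Tracked() { if (live) ++g_destroyed; }
  const char *c_str() const { return s.c_str(); }
};

// Hypothetical flag mapping (bit 0 -> +crc, bit 1 -> +lse); not the real
// aarch64 extension table, just enough to produce a "+ext" suffix.
Tracked extension_string_for_flags(unsigned long flags) {
  std::string out;
  if (flags & 1) out += "+crc";
  if (flags & 2) out += "+lse";
  return Tracked(out);
}

// Pre-patch pattern: the temporary returned by extension_string_for_flags()
// is destroyed at the end of the full-expression that calls c_str(), so
// `ext` already dangles when the next statement runs. Returns how many
// Tracked objects died before `ext` could be used: 1 means use-after-free.
int destroyed_before_use_buggy(unsigned long flags) {
  int before = g_destroyed;
  const char *ext = extension_string_for_flags(flags).c_str();
  int died = g_destroyed - before;
  (void)ext;  // deliberately not dereferenced; doing so is the bug
  return died;
}

// Post-patch pattern: bind the result to a name so it lives until the end
// of the enclosing block, which covers the concat-equivalent use. Returns
// the number of objects destroyed before use (0) and writes the joined
// -march= string to `march`.
int destroyed_before_use_fixed(unsigned long flags, std::string &march) {
  int before = g_destroyed;
  int died;
  {
    Tracked extension = extension_string_for_flags(flags);
    died = g_destroyed - before;  // still 0: the object is alive here
    march = std::string("-march=armv8-a") + extension.c_str();
  }                               // destroyed here, after the use
  return died;
}
```

The buggy function never reads through `ext`, so it is well-defined and the counter alone shows the ordering; in the real driver, `concat` did read the pointer, and whether the freed bytes were still 0-terminated "in the right place" decided whether cc1 saw a sane `-march=` value.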