rs: Fix a use after free.
ClosedPublic
Actions

Authored by jhb on Sep 29 2022, 10:47 PM.

Details

Reviewers

emaste
markj
brooks

Commits

rGe5f2d5b35e79: rs: Fix a use after free.

Summary

Using a pointer passed to realloc() after realloc() even for pointer
arithmetic is UB. It also breaks in practice on CHERI systems as
the updated value of 'sp' in this case would have had the bounds from
the old allocation.

This would be much cleaner if elem were a std::vector<char *>.

Reported by: GCC -Wuse-after-free

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 47645
Build 44532: arc lint + arc unit

Event Timeline

jhb created this revision.Sep 29 2022, 10:47 PM

Herald added a subscriber: imp. · View Herald TranscriptSep 29 2022, 10:47 PM

jhb requested review of this revision.Sep 29 2022, 10:47 PM

Harbormaster completed remote builds in B47645: Diff 111251.Sep 29 2022, 10:47 PM

jhb added a parent revision: D36830: rs: Fix various harmless warnings..Sep 29 2022, 10:47 PM

jhb added a child revision: D36832: rs: Fix some pointer arith UB..

@brooks It is interesting that GCC 12 now warns about this type of UB with realloc().

The "you can't even do math" thing always seems excessive, but if gcc is going to warn on it then at least it will clean up all the CHERI realloc issues.

This revision is now accepted and ready to land.Sep 29 2022, 10:57 PM

emaste accepted this revision.Sep 29 2022, 11:36 PM

Closed by commit rGe5f2d5b35e79: rs: Fix a use after free. (authored by jhb). · Explain WhyOct 5 2022, 11:48 PM

This revision was automatically updated to reflect the committed changes.

jhb added a commit: rGe5f2d5b35e79: rs: Fix a use after free..