[v2,1/2] RISC-V: Fix buffer overflow on print_insn_riscv

Message ID fc849c94f4adcac1c4ccc5508c7a145a2f13b2a9.1664876744.git.research_trasio@irq.a4lg.com
State Accepted, archived
Headers
Series RISC-V: Fix buffer overflow after 176-bit instruction support |

Checks

Context Check Description
snail/binutils-gdb-check success Github commit url

Commit Message

Tsukasa OI Oct. 4, 2022, 9:45 a.m. UTC
  Because riscv_insn_length started to support instructions up to 176-bit,
we need to increase packet buffer size to 176-bit in size.

include/ChangeLog:

	* opcode/riscv.h (RISCV_MAX_INSN_LEN): Max instruction length for
	use in buffer size.

opcodes/ChangeLog:

	* riscv-dis.c (print_insn_riscv): Increase buffer size for max
	176-bit length instructions.
---
 include/opcode/riscv.h | 2 ++
 opcodes/riscv-dis.c    | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
  

Comments

Jan Beulich Oct. 4, 2022, 9:58 a.m. UTC | #1
On 04.10.2022 11:45, Tsukasa OI wrote:
> --- a/include/opcode/riscv.h
> +++ b/include/opcode/riscv.h
> @@ -55,6 +55,8 @@ static const char * const riscv_pred_succ[16] =
>    "i", "iw", "ir", "irw", "io", "iow", "ior", "iorw"
>  };
>  
> +#define RISCV_MAX_INSN_LEN 22  /* max 176-bit encoding.  */

To be honest this still doesn't look sufficient to me: There's still
no connection between this constant and riscv_insn_length(). Yet both
want changing at the same time when it comes to insn length aspects.
As said in reply to v1 - comments may be one way of dealing with this.
We don't have BUILD_BUG_ON() or alike (and even if we had it wouldn't
be usable in a portable way), so an actual build time check might not
be feasible. A runtime check also doesn't look realistic, as

    gas_assert (riscv_insn_length(~0) == RISCV_MAX_INSN_LEN);

wouldn't be correct, and I'm unconvinced of using other than the most
simple ~0 as an argument here.

Jan
  
Tsukasa OI Oct. 4, 2022, 10:13 a.m. UTC | #2
On 2022/10/04 18:58, Jan Beulich wrote:
> On 04.10.2022 11:45, Tsukasa OI wrote:
>> --- a/include/opcode/riscv.h
>> +++ b/include/opcode/riscv.h
>> @@ -55,6 +55,8 @@ static const char * const riscv_pred_succ[16] =
>>    "i", "iw", "ir", "irw", "io", "iow", "ior", "iorw"
>>  };
>>  
>> +#define RISCV_MAX_INSN_LEN 22  /* max 176-bit encoding.  */
> 
> To be honest this still doesn't look sufficient to me: There's still
> no connection between this constant and riscv_insn_length(). Yet both
> want changing at the same time when it comes to insn length aspects.
> As said in reply to v1 - comments may be one way of dealing with this.
> We don't have BUILD_BUG_ON() or alike (and even if we had it wouldn't
> be usable in a portable way), so an actual build time check might not
> be feasible. A runtime check also doesn't look realistic, as
> 
>     gas_assert (riscv_insn_length(~0) == RISCV_MAX_INSN_LEN);
> 
> wouldn't be correct, and I'm unconvinced of using other than the most
> simple ~0 as an argument here.
> 
> Jan
> 

I have to agree that the constant with no direct connection with
riscv_insn_length is not good but I don't come up with better solution
than this (with given constraints).
In any case, keeping this stack buffer overflow is definitely a bad idea
and we have to do something to deal with it in a days.

Tsukasa
  
Jan Beulich Oct. 4, 2022, 10:16 a.m. UTC | #3
On 04.10.2022 12:13, Tsukasa OI wrote:
> On 2022/10/04 18:58, Jan Beulich wrote:
>> On 04.10.2022 11:45, Tsukasa OI wrote:
>>> --- a/include/opcode/riscv.h
>>> +++ b/include/opcode/riscv.h
>>> @@ -55,6 +55,8 @@ static const char * const riscv_pred_succ[16] =
>>>    "i", "iw", "ir", "irw", "io", "iow", "ior", "iorw"
>>>  };
>>>  
>>> +#define RISCV_MAX_INSN_LEN 22  /* max 176-bit encoding.  */
>>
>> To be honest this still doesn't look sufficient to me: There's still
>> no connection between this constant and riscv_insn_length(). Yet both
>> want changing at the same time when it comes to insn length aspects.
>> As said in reply to v1 - comments may be one way of dealing with this.
>> We don't have BUILD_BUG_ON() or alike (and even if we had it wouldn't
>> be usable in a portable way), so an actual build time check might not
>> be feasible. A runtime check also doesn't look realistic, as
>>
>>     gas_assert (riscv_insn_length(~0) == RISCV_MAX_INSN_LEN);
>>
>> wouldn't be correct, and I'm unconvinced of using other than the most
>> simple ~0 as an argument here.
> 
> I have to agree that the constant with no direct connection with
> riscv_insn_length is not good but I don't come up with better solution
> than this (with given constraints).
> In any case, keeping this stack buffer overflow is definitely a bad idea
> and we have to do something to deal with it in a days.

Agreed. Hence could you add cross-referencing comments at both sides
while introducing the #define, as a minimal measure?

Jan
  
Jan Beulich Oct. 4, 2022, 10:18 a.m. UTC | #4
On 04.10.2022 12:16, Jan Beulich via Binutils wrote:
> On 04.10.2022 12:13, Tsukasa OI wrote:
>> On 2022/10/04 18:58, Jan Beulich wrote:
>>> On 04.10.2022 11:45, Tsukasa OI wrote:
>>>> --- a/include/opcode/riscv.h
>>>> +++ b/include/opcode/riscv.h
>>>> @@ -55,6 +55,8 @@ static const char * const riscv_pred_succ[16] =
>>>>    "i", "iw", "ir", "irw", "io", "iow", "ior", "iorw"
>>>>  };
>>>>  
>>>> +#define RISCV_MAX_INSN_LEN 22  /* max 176-bit encoding.  */
>>>
>>> To be honest this still doesn't look sufficient to me: There's still
>>> no connection between this constant and riscv_insn_length(). Yet both
>>> want changing at the same time when it comes to insn length aspects.
>>> As said in reply to v1 - comments may be one way of dealing with this.
>>> We don't have BUILD_BUG_ON() or alike (and even if we had it wouldn't
>>> be usable in a portable way), so an actual build time check might not
>>> be feasible. A runtime check also doesn't look realistic, as
>>>
>>>     gas_assert (riscv_insn_length(~0) == RISCV_MAX_INSN_LEN);
>>>
>>> wouldn't be correct, and I'm unconvinced of using other than the most
>>> simple ~0 as an argument here.
>>
>> I have to agree that the constant with no direct connection with
>> riscv_insn_length is not good but I don't come up with better solution
>> than this (with given constraints).
>> In any case, keeping this stack buffer overflow is definitely a bad idea
>> and we have to do something to deal with it in a days.
> 
> Agreed. Hence could you add cross-referencing comments at both sides
> while introducing the #define, as a minimal measure?

Or wait - why don't you move the #define _into_ riscv_insn_length(),
placed right at the position that would need touching when adding
support for wider insns (or when deciding to reduce support again)?

Jan
  

Patch

diff --git a/include/opcode/riscv.h b/include/opcode/riscv.h
index 9417dcf00c5..33415977bc7 100644
--- a/include/opcode/riscv.h
+++ b/include/opcode/riscv.h
@@ -55,6 +55,8 @@  static const char * const riscv_pred_succ[16] =
   "i", "iw", "ir", "irw", "io", "iow", "ior", "iorw"
 };
 
+#define RISCV_MAX_INSN_LEN 22  /* max 176-bit encoding.  */
+
 #define RVC_JUMP_BITS 11
 #define RVC_JUMP_REACH ((1ULL << RVC_JUMP_BITS) * RISCV_JUMP_ALIGN)
 
diff --git a/opcodes/riscv-dis.c b/opcodes/riscv-dis.c
index 6ac69490b78..f5e5af3138c 100644
--- a/opcodes/riscv-dis.c
+++ b/opcodes/riscv-dis.c
@@ -999,7 +999,7 @@  riscv_disassemble_data (bfd_vma memaddr ATTRIBUTE_UNUSED,
 int
 print_insn_riscv (bfd_vma memaddr, struct disassemble_info *info)
 {
-  bfd_byte packet[8];
+  bfd_byte packet[RISCV_MAX_INSN_LEN];
   insn_t insn = 0;
   bfd_vma dump_size;
   int status;