[4.8/4.9 Regression] Infinite loop generated with >=O2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gcc | Fix Released | Medium | |
gcc-4.8 (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
After some conditional blocks, it's possible that an infinite loop is generated.
See: https:/
This problem was fixed back in December 2013 in the 4.8 branch as well as the trunk branch. However, the trusty package ended up without the fix.
This is the patch that is missing:
https:/
This has already affected a separate package, which needed to work around the problem:
https:/
It is now causing issues for users who run into this problem as well.
Please apply the patch to the gcc-4.8 version shipped on trusty and on utopic.
Changed in gcc:
importance: Unknown → Medium
status: Unknown → Fix Released
So, we have the following code:
    void *lst_realloc(void *, int);

    typedef struct smartlist_t {
        void **list;
        int num_used;
        int capacity;
    } smartlist_t;

    #define MAX_CAPACITY 32

    void smartlist_ensure_capacity(smartlist_t *sl, int size) {
        if (size > sl->capacity) {
            int higher = sl->capacity;
            if (size > (int)MAX_CAPACITY/2) {
                higher = MAX_CAPACITY;
            }
            else {
                while (size > higher) {
                    higher *= 2;
                }
            }
            sl->capacity = higher;
            sl->list = lst_realloc(sl->list, sl->capacity);
        }
    }
Compiling that:
$ x86_64-pc-linux-gnu-gcc-4.8.2 -Os -S -o test.s test.c
Gives:
pushq %rbx
cmpl 12(%rdi), %esi
movq %rdi, %rbx
jle .L1
cmpl $16, %esi
jg .L3
.L4:
jmp .L4 <----- unexpected infinite loop if size <= capacity/2
.L3:
movl $32, 12(%rdi)
movq (%rdi), %rdi
movl $32, %esi
call lst_realloc
movq %rax, (%rbx)
.L1:
popq %rbx
ret
Originally from the smartlist_ensure_capacity() function from TOR: https://gitweb.torproject.org/tor.git/blob/e65b54ec75e3c9e9ada33c8f3ee868d1bea167f5:/src/common/container.c#l61
TOR bug: https://trac.torproject.org/projects/tor/ticket/10259
Reduced by o11c (https://gist.github.com/o11c/7729355) and got help from pinskia.
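A runnable regression harness around the reduced test case, as an added example that is not part of this report or of Tor's code: it builds a smartlist with a known capacity, calls smartlist_ensure_capacity() with a request that takes the branch the posted assembly reduces to ".L4: jmp .L4" (size <= MAX_CAPACITY/2 and size > capacity), and returns the resulting capacity so the outcome can be asserted rather than eyeballed. lst_realloc is an assumed stand-in that wraps realloc(); grow_and_report() and the alarm(5) in main are likewise assumptions of this example. The alarm turns a hang from a miscompiled build into a SIGALRM kill, so a CI job fails instead of stalling.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed stand-in for the allocator the reduced test case only declares;
 * it is not Tor's implementation. Sizes are in elements, not bytes. */
void *lst_realloc(void *p, int n)
{
    return realloc(p, (size_t)n * sizeof(void *));
}

typedef struct smartlist_t {
    void **list;
    int num_used;
    int capacity;
} smartlist_t;

#define MAX_CAPACITY 32

/* The function from the report, unchanged, so the harness exercises the
 * exact control flow the posted assembly mis-compiles. */
void smartlist_ensure_capacity(smartlist_t *sl, int size)
{
    if (size > sl->capacity) {
        int higher = sl->capacity;
        if (size > (int)MAX_CAPACITY/2) {
            higher = MAX_CAPACITY;
        }
        else {
            /* gcc-4.8.2 -Os emitted ".L4: jmp .L4" for this branch. */
            while (size > higher) {
                higher *= 2;
            }
        }
        sl->capacity = higher;
        sl->list = lst_realloc(sl->list, sl->capacity);
    }
}

/* Build a list with the given starting capacity, ask for room for `size`
 * entries and return the resulting capacity (-1 on a rejected input).
 * start_capacity must be positive: with 0 the doubling loop cannot make
 * progress (0 * 2 == 0), which is a property of the source itself, not of
 * the compiler bug, so that case is refused before it can spin. */
int grow_and_report(int start_capacity, int size)
{
    smartlist_t sl;
    int result;

    if (start_capacity <= 0)
        return -1;

    sl.num_used = 0;
    sl.capacity = start_capacity;
    sl.list = lst_realloc(NULL, start_capacity);
    if (sl.list == NULL)
        return -1;

    smartlist_ensure_capacity(&sl, size);
    result = sl.capacity;
    free(sl.list);
    return result;
}

int main(void)
{
    /* A mis-compiled build never returns from the first call below; the
     * default action for SIGALRM then kills the process after 5 seconds. */
    alarm(5);

    /* size <= MAX_CAPACITY/2 and size > capacity: the path the asm loops on. */
    printf("capacity  8, request 12 -> %d (expect 16)\n", grow_and_report(8, 12));
    printf("capacity  1, request 16 -> %d (expect 16)\n", grow_and_report(1, 16));
    /* size > MAX_CAPACITY/2: the path the asm compiled correctly. */
    printf("capacity  8, request 20 -> %d (expect 32)\n", grow_and_report(8, 20));
    /* size <= capacity: no growth at all. */
    printf("capacity 16, request 10 -> %d (expect 16)\n", grow_and_report(16, 10));
    return 0;
}
```

Build it once at -O0 as a control and once at -Os or -O2 with the compiler under test (the flags named in this report). The control prints four lines and exits; a build from an unpatched gcc-4.8.2 is expected to spin on the first call and be killed by the alarm, which is the behaviour the Tor ticket describes. Because the harness adds functions around the reduced case, the optimizer's decisions can differ from the single-function test.s above, so keep the reduced file as the canonical reproducer and use this one as the pass/fail check.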