diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2014-06-26 15:08:47 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-06-29 09:04:21 +0100 |
commit | 0ae5aadc6b1faa893dcdea768d9ce22463f0cdff (patch) | |
tree | ec2237bb7105fe75c9a19e8f1359a50557a05c31 | |
parent | 184dddfb9a852d954900ff68abfdf36ea143a647 (diff) | |
download | poky-0ae5aadc6b1faa893dcdea768d9ce22463f0cdff.tar.gz |
recipes-devtools: fix segfault in lib32-gcc with "." multilib_dir
When enabling a lib32-gcc in a 64 bit build, without doing any
other configuration, the mutilib dir is unspecified, which is
represented internally in gcc as "." and as such uncovers an
invalid free on a non-malloc'd pointer.
As suggested by the gcc folks, simply make sure the "." case
is also stored in a malloc'd pointer, so that the intended
runtime behaviour of the code remains unchanged.
Patch has been accepted by upstream maintainers of gcc.
(From OE-Core rev: bf1473d0c1b099b8d919835cc430b99606134aab)
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-4.9.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-4.9/0053-gcc-fix-segfault-from-calling-free-on-non-malloc-d-a.patch | 66 |
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-4.9.inc b/meta/recipes-devtools/gcc/gcc-4.9.inc index 185dbba822..cbf1355fcb 100644 --- a/meta/recipes-devtools/gcc/gcc-4.9.inc +++ b/meta/recipes-devtools/gcc/gcc-4.9.inc | |||
@@ -66,6 +66,7 @@ SRC_URI = "${GNU_MIRROR}/gcc/gcc-${PV}/gcc-${PV}.tar.bz2 \ | |||
66 | file://0050-Revert-Use-dbx_reg_number-for-spanning-registers.patch \ | 66 | file://0050-Revert-Use-dbx_reg_number-for-spanning-registers.patch \ |
67 | file://0051-eabispe.patch \ | 67 | file://0051-eabispe.patch \ |
68 | file://0052-Fix-GCC-targeting-E500-SPE-errors-with-the-_Decimal64-type.patch \ | 68 | file://0052-Fix-GCC-targeting-E500-SPE-errors-with-the-_Decimal64-type.patch \ |
69 | file://0053-gcc-fix-segfault-from-calling-free-on-non-malloc-d-a.patch \ | ||
69 | " | 70 | " |
70 | SRC_URI[md5sum] = "9709b49ae0e904cbb0a6a1b62853b556" | 71 | SRC_URI[md5sum] = "9709b49ae0e904cbb0a6a1b62853b556" |
71 | SRC_URI[sha256sum] = "b9b047a97bade9c1c89970bc8e211ff57b7b8998a1730a80a653d329f8ed1257" | 72 | SRC_URI[sha256sum] = "b9b047a97bade9c1c89970bc8e211ff57b7b8998a1730a80a653d329f8ed1257" |
diff --git a/meta/recipes-devtools/gcc/gcc-4.9/0053-gcc-fix-segfault-from-calling-free-on-non-malloc-d-a.patch b/meta/recipes-devtools/gcc/gcc-4.9/0053-gcc-fix-segfault-from-calling-free-on-non-malloc-d-a.patch new file mode 100644 index 0000000000..23b445c9eb --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-4.9/0053-gcc-fix-segfault-from-calling-free-on-non-malloc-d-a.patch | |||
@@ -0,0 +1,66 @@ | |||
1 | From a22a222c8f9299f6c07a0274388ade7d4ab8c28d Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Gortmaker <paul.gortmaker@windriver.com> | ||
3 | Date: Fri, 20 Jun 2014 16:41:08 -0400 | ||
4 | Subject: [PATCH] gcc: fix segfault from calling free on non-malloc'd area | ||
5 | |||
6 | We see the following on a 32bit gcc installed on 64 bit host: | ||
7 | |||
8 | Reading symbols from ./i586-pokymllib32-linux-gcc...done. | ||
9 | (gdb) run | ||
10 | Starting program: x86-pokymllib32-linux/lib32-gcc/4.9.0-r0/image/usr/bin/i586-pokymllib32-linux-gcc | ||
11 | |||
12 | Program received signal SIGSEGV, Segmentation fault. | ||
13 | 0xf7e957e0 in free () from /lib/i386-linux-gnu/libc.so.6 | ||
14 | (gdb) bt | ||
15 | #0 0xf7e957e0 in free () from /lib/i386-linux-gnu/libc.so.6 | ||
16 | #1 0x0804b73c in set_multilib_dir () at gcc-4.9.0/gcc/gcc.c:7827 | ||
17 | #2 main (argc=1, argv=0xffffd504) at gcc-4.9.0/gcc/gcc.c:6688 | ||
18 | (gdb) | ||
19 | |||
20 | The problem arises because we conditionally assign the pointer we | ||
21 | eventually free, and the conditional may assign the pointer to the | ||
22 | non-malloc'd internal string "." which fails when we free it here: | ||
23 | |||
24 | if (multilib_dir == NULL && multilib_os_dir != NULL | ||
25 | && strcmp (multilib_os_dir, ".") == 0) | ||
26 | { | ||
27 | free (CONST_CAST (char *, multilib_os_dir)); | ||
28 | ... | ||
29 | |||
30 | As suggested by Jakub, ensure the "." case is also malloc'd via | ||
31 | xstrdup() and hence the pointer for the "." case can be freed. | ||
32 | |||
33 | Cc: Jakub Jelinek <jakub@redhat.com> | ||
34 | Cc: Jeff Law <law@redhat.com> | ||
35 | Cc: Matthias Klose <doko@ubuntu.com> | ||
36 | CC: Tobias Burnus <burnus@net-b.de> | ||
37 | Upstream-Status: Accepted [ https://gcc.gnu.org/ml/gcc-patches/2014-06/msg02069.html ] | ||
38 | Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> | ||
39 | |||
40 | diff --git a/gcc/gcc.c b/gcc/gcc.c | ||
41 | index 9ac18e60d801..168acf7eb0c9 100644 | ||
42 | --- a/gcc/gcc.c | ||
43 | +++ b/gcc/gcc.c | ||
44 | @@ -7790,10 +7790,15 @@ set_multilib_dir (void) | ||
45 | q2++; | ||
46 | if (*q2 == ':') | ||
47 | ml_end = q2; | ||
48 | - new_multilib_os_dir = XNEWVEC (char, ml_end - q); | ||
49 | - memcpy (new_multilib_os_dir, q + 1, ml_end - q - 1); | ||
50 | - new_multilib_os_dir[ml_end - q - 1] = '\0'; | ||
51 | - multilib_os_dir = *new_multilib_os_dir ? new_multilib_os_dir : "."; | ||
52 | + if (ml_end - q == 1) | ||
53 | + multilib_os_dir = xstrdup ("."); | ||
54 | + else | ||
55 | + { | ||
56 | + new_multilib_os_dir = XNEWVEC (char, ml_end - q); | ||
57 | + memcpy (new_multilib_os_dir, q + 1, ml_end - q - 1); | ||
58 | + new_multilib_os_dir[ml_end - q - 1] = '\0'; | ||
59 | + multilib_os_dir = new_multilib_os_dir; | ||
60 | + } | ||
61 | |||
62 | if (q2 < end && *q2 == ':') | ||
63 | { | ||
64 | -- | ||
65 | 1.9.2 | ||
66 | |||