On 23/02/18 13:16, Jakub Jelinek wrote:
On Thu, Feb 22, 2018 at 01:34:00PM -0800, John Reiser wrote:
Looking at the code:
===== gcc/libgcc/unwind.inc
  _Unwind_ForcedUnwind_Phase2 (struct _Unwind_Exception *exc,
                               struct _Unwind_Context *context,
                               unsigned long *frames_p)
  {
    _Unwind_Stop_Fn stop = (_Unwind_Stop_Fn) (_Unwind_Ptr) exc->private_1;
  <<skip to line 170:>>
        stop_code = (*stop) (1, action, exc->exception_class, exc,
                             context, stop_argument);
=====
we see that function pointer 'stop' is cast from an untyped word 'private_1'
with no checking at all, not even for NULL or < PAGE_SIZE, etc.
This is a giant red flag for unreliable code.


Wrong.  Just look at what the callers do:
   if (exc->private_1 == 0)
     code = _Unwind_RaiseException_Phase2 (exc, &cur_context, &frames);
   else
     code = _Unwind_ForcedUnwind_Phase2 (exc, &cur_context, &frames);
and
   if (exc->private_1 == 0)
     return _Unwind_RaiseException (exc);

   uw_init_context (&this_context);
   cur_context = this_context;

   code = _Unwind_ForcedUnwind_Phase2 (exc, &cur_context, &frames);
So, _Unwind_ForcedUnwind_Phase2 is not called if private_1 is NULL.

Judging by the valgrind report it is undefined, and likely has the
value 0x120 or something close to that, which is clearly bogus but
good enough to get past the null check ;-)

Can I get detailed info on how to reproduce this (most importantly, which
src.rpm you are trying to build)?

I believe it's cyrus-imapd.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Reply via email to