oss-sec mailing list archives
Re: alloca in inline functions can be dangerous
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 14 Apr 2017 17:40:37 +0200
* Jason A. Donenfeld:
Hey folks, I'm not sure this is the right mailing list to discuss this matter, but hopefully it finds an audience here. I was debugging some code recently, when I found a very nasty interaction between alloca and inline functions. Observe the following block: static inline void process_widget(struct widget *widget, unsigned int fcount) { struct fragment fragments[fcount]; widgets_to_fragments(fragments, widget); process_fragments(fragments); } static void iterate_widgets(struct widgetlist *widgetlist) { struct widget *widget; unsigned int fcount; for (widget = widgetlist->first; widget; widget = widget->next) { fcount = widget_get_frags_required(widget); if (fcount > 256) continue; process_widget(widget, fcount); } } This seems pretty benign. However, let's look at two transformations that gcc makes. First the VLA is changed to use alloca:
Which GCC version do you use? I turned your example into something that actually compiles: struct widget { struct widget *next; }; unsigned widget_get_frags_required(struct widget *); struct fragment { int dummy; }; void widgets_to_fragments(struct fragment *, struct widget *); void process_fragments(struct fragment *); struct widgetlist { struct widget *first; }; static inline void process_widget(struct widget *widget, unsigned int fcount) { struct fragment fragments[fcount]; widgets_to_fragments(fragments, widget); process_fragments(fragments); } void iterate_widgets(struct widgetlist *widgetlist) { struct widget *widget; unsigned int fcount; for (widget = widgetlist->first; widget; widget = widget->next) { fcount = widget_get_frags_required(widget); if (fcount > 256) continue; process_widget(widget, fcount); } } I don't see the behavior your outline. The stack pointer is restored for each iteration of the loop. In my experience, GCC is pretty good at actually deallocating VLAs when a scope is exited. In any case, this is a GCC bug. I can help you to turn this into a proper bug report if it still exists in current versions.
Current thread:
- alloca in inline functions can be dangerous Jason A. Donenfeld (Apr 10)
- Re: alloca in inline functions can be dangerous Leandro Pereira (Apr 10)
- Re: alloca in inline functions can be dangerous Andreas Lausch-Waas (Apr 15)
- Re: alloca in inline functions can be dangerous Florian Weimer (Apr 14)
- Re: alloca in inline functions can be dangerous Leandro Pereira (Apr 10)