Source-Changes-HG archive
[src/trunk]: src/usr.bin/xlint/lint1 lint: fix use-after-free bug in GCC stat...
details: https://anonhg.NetBSD.org/src/rev/b5abb108cb6d
branches: trunk
changeset: 377513:b5abb108cb6d
user: rillig <rillig%NetBSD.org@localhost>
date: Sat Jul 15 13:51:36 2023 +0000
description:
lint: fix use-after-free bug in GCC statement expressions
diffstat:
tests/usr.bin/xlint/lint1/gcc_statement_expression.c | 15 ++++++++++-----
usr.bin/xlint/lint1/Makefile | 3 ++-
usr.bin/xlint/lint1/cgram.y | 7 ++++---
usr.bin/xlint/lint1/externs1.h | 3 ++-
usr.bin/xlint/lint1/tree.c | 10 ++++++++--
5 files changed, 26 insertions(+), 12 deletions(-)
diffs (119 lines):
diff -r 722b645d7ee1 -r b5abb108cb6d tests/usr.bin/xlint/lint1/gcc_statement_expression.c
--- a/tests/usr.bin/xlint/lint1/gcc_statement_expression.c Sat Jul 15 13:49:26 2023 +0000
+++ b/tests/usr.bin/xlint/lint1/gcc_statement_expression.c Sat Jul 15 13:51:36 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: gcc_statement_expression.c,v 1.1 2023/07/15 12:24:57 rillig Exp $ */
+/* $NetBSD: gcc_statement_expression.c,v 1.2 2023/07/15 13:51:36 rillig Exp $ */
# 3 "gcc_statement_expression.c"
/*
@@ -19,9 +19,14 @@ use_inner_type_from_outside(void)
int member;
} inner;
} outer = { { 3 } };
- // TODO: Move the '.inner.member' out of the statement
- // expression, without a use-after-free crash.
- outer.inner.member;
- });
+ outer;
+ }).inner.member;
+ /* expect-1: error: type 'struct outer' does not have member 'inner' [101] */
+ /* expect-2: error: type 'int' does not have member 'member' [101] */
+ /*
+ * FIXME: The above types must not be removed from the symbol table
+ * yet; at least, their member names must still be known.
+ */
+
return x;
}
diff -r 722b645d7ee1 -r b5abb108cb6d usr.bin/xlint/lint1/Makefile
--- a/usr.bin/xlint/lint1/Makefile Sat Jul 15 13:49:26 2023 +0000
+++ b/usr.bin/xlint/lint1/Makefile Sat Jul 15 13:51:36 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.98 2023/07/11 17:33:45 rillig Exp $
+# $NetBSD: Makefile,v 1.99 2023/07/15 13:51:36 rillig Exp $
.include <bsd.own.mk>
@@ -27,6 +27,7 @@ LINTFLAGS.scan.c+= -X 351 # 'extern' de
CPPFLAGS+= -DIS_LINT1
CPPFLAGS+= -I${.CURDIR} -I${.OBJDIR}
CPPFLAGS+= ${DEBUG:D-DDEBUG -DYYDEBUG}
+CPPFLAGS+= ${DEBUG_MEM:D-DDEBUG_MEM}
COPTS.err.c+= ${${ACTIVE_CC} == "clang":? -Wno-format-nonliteral :}
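Review bot: The new `DEBUG_MEM` knob on the line `CPPFLAGS+= ${DEBUG_MEM:D-DDEBUG_MEM}` has no comment saying what it enables or when to set it, unlike a self-explanatory flag such as `DEBUG`. Since this commit fixes a use-after-free, a one-line comment above it would help the next person reproduce such bugs, for example `# DEBUG_MEM=yes enables the memory-debugging code paths, for tracking down use-after-free bugs`. What the macro actually switches on is not visible in this diff, so the wording should be checked against the code that tests `DEBUG_MEM`.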
diff -r 722b645d7ee1 -r b5abb108cb6d usr.bin/xlint/lint1/cgram.y
--- a/usr.bin/xlint/lint1/cgram.y Sat Jul 15 13:49:26 2023 +0000
+++ b/usr.bin/xlint/lint1/cgram.y Sat Jul 15 13:51:36 2023 +0000
@@ -1,5 +1,5 @@
%{
-/* $NetBSD: cgram.y,v 1.463 2023/07/15 13:35:24 rillig Exp $ */
+/* $NetBSD: cgram.y,v 1.464 2023/07/15 13:51:36 rillig Exp $ */
/*
* Copyright (c) 1996 Christopher G. Demetriou. All Rights Reserved.
@@ -35,7 +35,7 @@
#include <sys/cdefs.h>
#if defined(__RCSID)
-__RCSID("$NetBSD: cgram.y,v 1.463 2023/07/15 13:35:24 rillig Exp $");
+__RCSID("$NetBSD: cgram.y,v 1.464 2023/07/15 13:51:36 rillig Exp $");
#endif
#include <limits.h>
@@ -1791,7 +1791,8 @@ compound_statement_lbrace:
compound_statement_rbrace:
T_RBRACE {
end_declaration_level();
- level_free_all(mem_block_level);
+ if (!in_statement_expr())
+ level_free_all(mem_block_level); /* leak */
mem_block_level--;
debug_step("%s: mem_block_level = %zu",
"compound_statement_rbrace", mem_block_level);
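Review bot: The guard `if (!in_statement_expr())` skips `level_free_all(mem_block_level)` for every compound statement that closes while any statement expression is open, not only for the block that forms the statement expression's own body, so memory from nested blocks inside `({ ... })` is retained as well. The `/* leak */` comment says neither that nor when, if ever, the memory is released. I would replace it with a short comment above the `if` stating that objects allocated at this level may still be referenced by the statement expression's result after the closing brace, and naming the place where the deferred memory is eventually freed (not visible in this hunk). Bracing the `if` body would also make it obvious that `mem_block_level--;` stays unconditional. A test with a nested block inside a statement expression, run with the memory-debugging build, would confirm that the coarser condition is intended; the grammar action continues beyond the hunk.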
diff -r 722b645d7ee1 -r b5abb108cb6d usr.bin/xlint/lint1/externs1.h
--- a/usr.bin/xlint/lint1/externs1.h Sat Jul 15 13:49:26 2023 +0000
+++ b/usr.bin/xlint/lint1/externs1.h Sat Jul 15 13:51:36 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: externs1.h,v 1.196 2023/07/15 13:35:24 rillig Exp $ */
+/* $NetBSD: externs1.h,v 1.197 2023/07/15 13:51:36 rillig Exp $ */
/*
* Copyright (c) 1994, 1995 Jochen Pohl
@@ -299,6 +299,7 @@ sym_t *find_member(const type_t *, const
void begin_statement_expr(void);
void do_statement_expr(tnode_t *);
tnode_t *end_statement_expr(void);
+bool in_statement_expr(void);
/*
* func.c
diff -r 722b645d7ee1 -r b5abb108cb6d usr.bin/xlint/lint1/tree.c
--- a/usr.bin/xlint/lint1/tree.c Sat Jul 15 13:49:26 2023 +0000
+++ b/usr.bin/xlint/lint1/tree.c Sat Jul 15 13:51:36 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tree.c,v 1.568 2023/07/15 13:35:24 rillig Exp $ */
+/* $NetBSD: tree.c,v 1.569 2023/07/15 13:51:36 rillig Exp $ */
/*
* Copyright (c) 1994, 1995 Jochen Pohl
@@ -37,7 +37,7 @@
#include <sys/cdefs.h>
#if defined(__RCSID)
-__RCSID("$NetBSD: tree.c,v 1.568 2023/07/15 13:35:24 rillig Exp $");
+__RCSID("$NetBSD: tree.c,v 1.569 2023/07/15 13:51:36 rillig Exp $");
#endif
#include <float.h>
@@ -4839,3 +4839,9 @@ end:
debug_leave();
return tn;
}
+
+bool
+in_statement_expr(void)
+{
+ return stmt_exprs != NULL;
+}
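Review bot: `in_statement_expr()` is added without a comment, and its only caller in this commit uses it to decide whether block memory may be freed, so its exact meaning matters. If `stmt_exprs` is the stack of currently open statement expressions, as the name suggests (its declaration is outside this hunk), the function is true at any nesting depth inside `({ ... })`, including inside ordinary nested blocks. I would document that directly above the definition: `/* Whether parsing is currently inside a GCC statement expression '({ ... })', at any nesting depth. */`.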