JIT: Fix use-after-free register bug in do_get_tail #2178
Open
pguyot wants to merge 1 commit into atomvm:main from
Conversation
TailBytesReg0 is freed at line 3151 via {free, TailBytesReg0} in the
call_primitive for PRIM_TERM_SUB_BINARY_HEAP_SIZE. After that call,
the physical register is no longer preserved across subsequent calls
and may be reallocated.
Line 3163 was using TailBytesReg0 (the freed register) instead of
TailBytesReg1 (freshly loaded at line 3162 via get_array_element).
Both registers were potentially always the same or had the same
value across backends, and this bug hasn't been observed.
Signed-off-by: Paul Guyot <pguyot@kallisys.net>
c4d78bf to a0aae20
These changes are made under both the "Apache 2.0" and the "GNU Lesser General
Public License 2.1 or later" license terms (dual license).
SPDX-License-Identifier: Apache-2.0 OR LGPL-2.1-or-later
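The hazard the commit describes (a virtual register freed inside a `call_primitive`, then read again after later allocations may have handed its physical register to someone else) can be replayed on a toy allocator. The following is an added example written for this page, not AtomVM or its JIT code: the three-register pool, the `PrimScratch` register and the op traces are constructed assumptions, and only the names `TailBytesReg0` / `TailBytesReg1` are taken from the commit message. The checker flags any read of a freed virtual register and reports which live register now occupies its physical slot, which also shows why the bug can go unnoticed when the freed register and the freshly loaded one happen to land in the same physical register.

```python
"""Toy register-lifetime checker (constructed example, not AtomVM code).

Models a small JIT-style allocator: `free` returns the physical register
to a stack, so the next `alloc` (for example a primitive call's scratch
register) reuses the most recently freed one. `check_trace` replays an
op trace and reports reads of virtual registers that were already freed.
"""


class Allocator:
    def __init__(self, pool=("r0", "r1", "r2")):
        self.pool = list(pool)   # physical registers currently available (assumed pool)
        self.live = {}           # virtual register -> physical register, while live
        self.last_preg = {}      # virtual register -> physical register it held before free

    def alloc(self, vreg):
        if vreg in self.live:
            raise ValueError(f"{vreg} is already live")
        preg = self.pool.pop()   # most recently freed physical register is reused first
        self.live[vreg] = preg
        return preg

    def free(self, vreg):
        preg = self.live.pop(vreg)
        self.last_preg[vreg] = preg
        self.pool.append(preg)
        return preg


def check_trace(ops):
    """Replay ops; return a list of (op_index, vreg, preg, current_holder) findings.

    A finding is emitted for every read of a virtual register that is not live.
    `current_holder` names the live virtual register now occupying the physical
    register the freed one used to hold, or None if that slot is still in the pool.
    """
    alloc = Allocator()
    findings = []
    for i, (op, vreg) in enumerate(ops):
        if op == "alloc":
            alloc.alloc(vreg)
        elif op == "free":
            alloc.free(vreg)
        elif op == "read":
            if vreg in alloc.live:
                continue          # reading a live register is fine
            preg = alloc.last_preg.get(vreg)
            holder = next((v for v, p in alloc.live.items() if p == preg), None)
            findings.append((i, vreg, preg, holder))
        else:
            raise ValueError(f"unknown op {op!r}")
    return findings


# Constructed traces mirroring the commit message's description.
BUGGY_TRACE = [
    ("alloc", "TailBytesReg0"),   # tail byte count loaded into a register
    ("free", "TailBytesReg0"),    # {free, TailBytesReg0} inside the call_primitive
    ("alloc", "PrimScratch"),     # primitive call grabs the just-freed physical register
    ("free", "PrimScratch"),
    ("alloc", "TailBytesReg1"),   # get_array_element loads the value into a fresh register
    ("read", "TailBytesReg0"),    # BUG: reads the freed register instead of TailBytesReg1
]

# Same trace with the fix applied: the read targets the freshly loaded register.
FIXED_TRACE = BUGGY_TRACE[:-1] + [("read", "TailBytesReg1")]

# Variant in which the primitive still holds its scratch register when
# TailBytesReg1 is loaded, so the two registers end up in different slots
# and the stale read would return the primitive's scratch value.
DIVERGENT_TRACE = [
    ("alloc", "TailBytesReg0"),
    ("free", "TailBytesReg0"),
    ("alloc", "PrimScratch"),
    ("alloc", "TailBytesReg1"),
    ("read", "TailBytesReg0"),
]


if __name__ == "__main__":
    for name, trace in (("buggy", BUGGY_TRACE), ("fixed", FIXED_TRACE),
                        ("divergent", DIVERGENT_TRACE)):
        print(name, check_trace(trace))
```

In the buggy trace the freed `TailBytesReg0` and the new `TailBytesReg1` share physical `r2`, so the stale read still returns the right bytes; in the divergent trace the slot belongs to `PrimScratch` and the read would return whatever the primitive left there. A checker of this shape run over the emitted allocation/free/use sequence is a cheap way to catch the pattern regardless of which case a given backend happens to hit.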