From: Rich Felker
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: ppc soft-float regression
Date: Mon, 25 May 2015 18:46:29 -0400
Message-ID: <20150525224629.GW17573@brightrain.aerifal.cx>
References: <20150518201043.GX17573@brightrain.aerifal.cx> <20150518201422.GY17573@brightrain.aerifal.cx> <20150518220731.GA31132@euler> <20150522062346.GK17573@brightrain.aerifal.cx> <20150524030809.GA19134@brightrain.aerifal.cx> <20150525003648.GO17573@brightrain.aerifal.cx> <1432535489.2715.1.camel@inria.fr> <20150525065756.GR17573@brightrain.aerifal.cx> <1432539884.7942.1.camel@inria.fr> <20150525214512.GU17573@brightrain.aerifal.cx>
In-Reply-To: <20150525214512.GU17573@brightrain.aerifal.cx>
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
User-Agent: Mutt/1.5.21 (2010-09-15)

On Mon, May 25, 2015 at 05:45:12PM -0400, Rich Felker wrote:
> @@ -74,6 +77,16 @@ void _dlstart_c(size_t *sp, size_t *dynv)
> *rel_addr = (size_t)base + rel[2];
> }
>
> + /* Prepare storage for stages 2 to save clobbered REL
> + * addends so they can be reused in stage 3. There should
> + * be very few. If something goes wrong and there are a
> + * huge number, pass a null pointer to trigger stage 2
> + * to abort instead of risking stack overflow. */
> + int too_many_addends = symbolic_rel_cnt > 4096;
> + size_t naddends = too_many_addends ? 1 : symbolic_rel_cnt;
> + size_t addends[naddends];
> + size_t *paddends = too_many_addends ? 0 : addends;
> +
> const char *strings = (void *)(base + dyn[DT_STRTAB]);
> const Sym *syms = (void *)(base + dyn[DT_SYMTAB]);

This logic could lead to a zero-sized VLA (thus UB); instead, trying:

	int too_many_addends = symbolic_rel_cnt > 4096;
	size_t naddends = too_many_addends ? 0 : symbolic_rel_cnt;
	size_t addends[naddends+1];
	size_t *paddends = too_many_addends ? 0 : addends;

Avoiding the wasteful +1 would involve more conditionals so I think it's
best just avoiding it.

Alternatively this might be simpler/smaller:

	size_t addends[symbolic_rel_cnt & LIMIT-1 | 1];
	size_t *paddends = symbolic_rel_cnt >= LIMIT ? 0 : addends;

Rich
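Review bot: in the added lines of this hunk, `symbolic_rel_cnt == 0` makes `naddends` zero and `size_t addends[naddends];` a zero-length VLA, which C does not permit (undefined behaviour), so the size expression needs a floor of at least 1 on both branches of `too_many_addends`, not only on the overflow branch. The bare `4096` in `symbolic_rel_cnt > 4096` would also read better as a named constant (the comment explains it is a stack-safety bound, so something like a `LIMIT` macro next to the comment) so the threshold and the comparison cannot drift apart.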
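A small runnable model of the alternative sizing expression from the reply, added here as an illustration and not code from musl or from the thread: it spells out the precedence of `symbolic_rel_cnt & LIMIT-1 | 1` (parsed as `(cnt & (LIMIT-1)) | 1`), checks that the VLA length is never zero and always stays below `LIMIT`, and walks a constructed addend list through the save/reuse path including the null-pointer abort. `LIMIT` (assumed 4096), `addend_slots`, `slots_are_safe`, `stage_addends` and the sample addends are assumptions of this example.

```c
#include <stddef.h>

/* Constructed model, not musl code. LIMIT is assumed to be 4096 and must be
 * a power of two, because the sizing trick masks with LIMIT-1. */
#define LIMIT 4096

/* Slot count of the VLA in the reply's alternative, symbolic_rel_cnt & LIMIT-1 | 1.
 * C precedence makes that (cnt & (LIMIT-1)) | 1, written out explicitly here. */
size_t addend_slots(size_t cnt)
{
    return (cnt & (LIMIT - 1)) | 1;
}

/* Properties the sizing has to guarantee: the VLA is never zero-length,
 * never reaches LIMIT entries, and holds every addend whenever cnt < LIMIT. */
int slots_are_safe(size_t cnt)
{
    size_t n = addend_slots(cnt);
    if (n == 0 || n >= LIMIT) return 0;
    if (cnt < LIMIT && n < cnt) return 0;
    return 1;
}

/* Stand-in for the stage 2 save / stage 3 reuse of clobbered REL addends.
 * Returns the sum of the addends replayed by "stage 3", or -1 when the count
 * is at or above LIMIT and stage 2 would abort on the null pointer. */
long stage_addends(const size_t *rel_addends, size_t symbolic_rel_cnt)
{
    size_t addends[addend_slots(symbolic_rel_cnt)];
    size_t *paddends = symbolic_rel_cnt >= LIMIT ? 0 : addends;

    if (!paddends)
        return -1;                  /* abort instead of risking stack overflow */

    /* stage 2: save the addends before the relocation clobbers them */
    for (size_t i = 0; i < symbolic_rel_cnt; i++)
        paddends[i] = rel_addends[i];

    /* stage 3: reuse the saved addends */
    long sum = 0;
    for (size_t i = 0; i < symbolic_rel_cnt; i++)
        sum += (long)paddends[i];
    return sum;
}

/* Constructed sample: three symbolic REL addends. */
static const size_t sample_addends[] = { 16, 32, 64 };
const size_t sample_addend_cnt = sizeof sample_addends / sizeof sample_addends[0];

long sample_sum(void) { return stage_addends(sample_addends, sample_addend_cnt); }
```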