RFR: 8247732: validate user-input intrinsic_ids in ControlIntrinsic [v7]
Xin Liu
xliu at openjdk.java.net
Thu Dec 3 00:26:17 UTC 2020
On Thu, 3 Dec 2020 00:20:54 GMT, Xin Liu <xliu at openjdk.org> wrote:
>> src/hotspot/share/compiler/compilerDirectives.hpp line 197:
>>
>>> 195: for (ControlIntrinsicIter iter(option, disabled_all); *iter != NULL && _valid; ++iter) {
>>> 196: if (vmIntrinsics::_none == vmIntrinsics::find_id(*iter)) {
>>> 197: _bad = NEW_C_HEAP_ARRAY(char, strlen(*iter) + 1, mtCompiler);
>>
>> Hi,
>>
>> I wanted something like this:
>>
>> size_t len = MIN(strlen(*iter), 64); // cap len to a value we know is enough for all intrinsic names
>> _bad = NEW_C_HEAP_ARRAY(char, len + 1, mtCompiler);
>> strncpy(_bad, *iter, len + 1); // use strncpy to cap copy length
>> _bad[len] = '\0'; // strncpy leaves _bad unterminated when *iter is longer than len
>
> Okay, I see. I made a change to ensure that _bad is a bounded string. Here is a test: _bad is limited to 64 even when the user input overflows.
> java -XX:+UnlockDiagnosticVMOptions -XX:ControlIntrinsic=+_dtan,+_0123456789012345678901234567890123456789012345678901234567890123456789 -version
> Unrecognized intrinsic detected in ControlIntrinsic: _012345678901234567890123456789012345678901234567890123456789012
Limited the bounded string to 64 bytes instead of 65, in case it takes another cache line.
-------------
PR: https://git.openjdk.java.net/jdk/pull/1179
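A bounded copy of the kind discussed in this thread, as an added example that is not code from the thread or from HotSpot. It assumes a small constructed table of known ids, a hypothetical helper `first_bad_intrinsic`, and a 64-byte buffer that includes the terminator; the copy uses `memcpy` with an explicit terminator because `strncpy` does not terminate when the source is longer than the count.

```c
#include <string.h>

#define BAD_BUF 64  /* assumption: 63 name bytes + NUL fit one 64-byte buffer */

/* Constructed stand-in for the VM's intrinsic table (not the real lookup). */
static const char *const known_ids[] = { "_dtan", "_dsin", "_dcos" };

static int is_known(const char *tok, size_t n) {
    for (size_t i = 0; i < sizeof known_ids / sizeof known_ids[0]; i++)
        if (strlen(known_ids[i]) == n && memcmp(known_ids[i], tok, n) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: scans a comma-separated "+id,-id" option string.
 * Returns 0 if every id is known (bad becomes ""), or 1 after copying the
 * first unrecognized id into bad, truncated so it always fits BAD_BUF. */
int first_bad_intrinsic(const char *option, char bad[BAD_BUF]) {
    const char *p = option;
    bad[0] = '\0';
    while (*p != '\0') {
        size_t n = strcspn(p, ",");        /* length of this token */
        const char *name = p;
        size_t nlen = n;
        if (nlen > 0 && (*name == '+' || *name == '-')) {
            name++;                        /* skip the enable/disable prefix */
            nlen--;
        }
        if (!is_known(name, nlen)) {
            /* Cap by the buffer, never by the user-controlled length. */
            size_t len = nlen < BAD_BUF - 1 ? nlen : BAD_BUF - 1;
            memcpy(bad, name, len);
            bad[len] = '\0';               /* terminate explicitly */
            return 1;
        }
        p += n;
        if (*p == ',')
            p++;                           /* step over the separator */
    }
    return 0;
}
```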