Re: [Libjit] jump table corruption
From: Aleksey Demakov
Subject: Re: [Libjit] jump table corruption
Date: Thu, 23 Nov 2017 23:21:01 +0300
Hi David,
Thanks for spotting the bug. Did you see how this is done in
jit-rules-x86.ins? I think this should work for x86-64 too.
Regards,
Aleksey
On Wed, Nov 22, 2017 at 11:48 AM, David Meyer <address@hidden> wrote:
> I tracked the problem to a subtle space allocation problem in
> JIT_OP_JUMP_TABLE in jit-rules-x86-64.ins.
>
> The code checks to ensure it has 64 bytes of space on entry, but this space
> can be used up by the call to _jit_gen_alloc (which reduces gen->mem_limit),
> causing the subsequent instruction insertions to be written past
> gen->mem_limit.
>
> This fixes the problem:
>
>
>
> diff --git a/jit/jit-rules-x86-64.ins b/jit/jit-rules-x86-64.ins
>
> index b97a6d6..258653f 100644
>
> --- a/jit/jit-rules-x86-64.ins
>
> +++ b/jit/jit-rules-x86-64.ins
>
> @@ -3307,7 +3307,7 @@ JIT_OP_JUMP_TABLE: ternary, branch
>
>
>
> labels = (jit_label_t *) $2;
>
> num_labels = $3;
>
> -
>
> + _jit_gen_check_space(gen, 64 + sizeof(void *) * $3);
>
> patch_jump_table = (unsigned char *)_jit_gen_alloc(gen,
> sizeof(void *) * $3);
>
> if(!patch_jump_table)
>
> {