Merge pull request #1587 from bettio/fix-use-after-free

Fix use after free in `bs_append` and `bs_get_binary2`

CI should pass also with OTP-21 now.

Note: this appears to be an OTP-21 compiler bug, however the fix is still an
improvement on opcode parameters handling.

These changes are made under both the "Apache 2.0" and the "GNU Lesser General
Public License 2.1 or later" license terms (dual license).

SPDX-License-Identifier: Apache-2.0 OR LGPL-2.1-or-later

Author: bettio

CHANGELOG.md

@@ -59,6 +59,7 @@ memory error
 - Fixed concurrency and memory leak related to links and monitors
 - Fixed issues with parsing of line references for stack traces
 - Fixed memory corruption issue with `erlang:make_tuple/2`
+- Fix potential use after free with code generated from OTP <= 24
 
 ### Changed
 

src/libAtomVM/opcodesswitch.h

@@ -4337,9 +4337,6 @@ HOT_FUNC int scheduler_entry_point(GlobalContext *glb)
                 uint32_t unit;
                 DECODE_LITERAL(unit, pc);
                 term src;
-                #ifdef IMPL_EXECUTE_LOOP
-                    const uint8_t *src_pc = pc;
-                #endif
                 DECODE_COMPACT_TERM(src, pc)
                 term flags;
                 UNUSED(flags);
@@ -4367,8 +4364,10 @@ HOT_FUNC int scheduler_entry_point(GlobalContext *glb)
 
                     size_t src_size = term_binary_size(src);
                     TRIM_LIVE_REGS(live);
+                    // there is always room for a MAX_REG + 1 register, used as working register
+                    x_regs[live] = src;
                     // TODO: further investigate extra_val
-                    if (UNLIKELY(memory_ensure_free_with_roots(ctx, src_size + term_binary_heap_size(size_val / 8) + extra_val, live, x_regs, MEMORY_CAN_SHRINK) != MEMORY_GC_OK)) {
+                    if (UNLIKELY(memory_ensure_free_with_roots(ctx, src_size + term_binary_heap_size(size_val / 8) + extra_val, live + 1, x_regs, MEMORY_CAN_SHRINK) != MEMORY_GC_OK)) {
                         RAISE_ERROR(OUT_OF_MEMORY_ATOM);
                     }
                 #endif
@@ -4378,7 +4377,7 @@ HOT_FUNC int scheduler_entry_point(GlobalContext *glb)
 
                 #ifdef IMPL_EXECUTE_LOOP
                     TRACE("bs_append/8, fail=%u size=%li unit=%u src=0x%lx dreg=%c%i\n", (unsigned) fail, size_val, (unsigned) unit, src, T_DEST_REG(dreg));
-                    DECODE_COMPACT_TERM(src, src_pc)
+                    src = x_regs[live];
                     term t = term_create_empty_binary(src_size + size_val / 8, &ctx->heap, ctx->global);
                     memcpy((void *) term_binary_data(t), (void *) term_binary_data(src), src_size);
 
@@ -5104,9 +5103,6 @@ HOT_FUNC int scheduler_entry_point(GlobalContext *glb)
                 uint32_t fail;
                 DECODE_LABEL(fail, pc)
                 term src;
-                #ifdef IMPL_EXECUTE_LOOP
-                    const uint8_t *src_pc = pc;
-                #endif
                 DECODE_COMPACT_TERM(src, pc);
                 uint32_t live;
                 DECODE_LITERAL(live, pc);
@@ -5158,8 +5154,10 @@ HOT_FUNC int scheduler_entry_point(GlobalContext *glb)
                         term_set_match_state_offset(src, bs_offset + size_val * unit);
 
                         TRIM_LIVE_REGS(live);
+                        // there is always room for a MAX_REG + 1 register, used as working register
+                        x_regs[live] = bs_bin;
                         size_t heap_size = term_sub_binary_heap_size(bs_bin, size_val);
-                        if (UNLIKELY(memory_ensure_free_with_roots(ctx, heap_size, live, x_regs, MEMORY_CAN_SHRINK) != MEMORY_GC_OK)) {
+                        if (UNLIKELY(memory_ensure_free_with_roots(ctx, heap_size, live + 1, x_regs, MEMORY_CAN_SHRINK) != MEMORY_GC_OK)) {
                             RAISE_ERROR(OUT_OF_MEMORY_ATOM);
                         }
                 #endif
@@ -5168,9 +5166,7 @@ HOT_FUNC int scheduler_entry_point(GlobalContext *glb)
                 DECODE_DEST_REGISTER(dreg, pc);
 
                 #ifdef IMPL_EXECUTE_LOOP
-                        // re-compute src
-                        DECODE_COMPACT_TERM(src, src_pc);
-                        bs_bin = term_get_match_state_binary(src);
+                        bs_bin = x_regs[live];
 
                         term t = term_maybe_create_sub_binary(bs_bin, bs_offset / unit, size_val, &ctx->heap, ctx->global);
                         WRITE_REGISTER(dreg, t);