public inbox for gdb-cvs@sourceware.org
help / color / mirror / Atom feed
* [binutils-gdb] GDB: Fix out of bounds accesses with limited-length values
@ 2023-02-24 12:38 Maciej W. Rozycki
0 siblings, 0 replies; only message in thread
From: Maciej W. Rozycki @ 2023-02-24 12:38 UTC (permalink / raw)
To: gdb-cvs
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0676ec3c22f096bdf98b145b720feeef9493b5bb
commit 0676ec3c22f096bdf98b145b720feeef9493b5bb
Author: Maciej W. Rozycki <macro@embecosm.com>
Date: Fri Feb 24 12:37:22 2023 +0000
GDB: Fix out of bounds accesses with limited-length values
Fix accesses to limited-length values in `contents_copy_raw' and
`contents_copy_raw_bitwise' so that they observe the limit of the
original allocation.
Reported by Simon Marchi as a heap-buffer-overflow AddressSanitizer
issue triggered with gdb.ada/limited-length.exp.
Approved-By: Simon Marchi <simon.marchi@efficios.com>
Diff:
---
gdb/value.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/gdb/value.c b/gdb/value.c
index d2c2a2d7859..9d5e694e574 100644
--- a/gdb/value.c
+++ b/gdb/value.c
@@ -1168,6 +1168,11 @@ value::contents_copy_raw (struct value *dst, LONGEST dst_offset,
mean we'd be copying garbage. */
gdb_assert (!dst->m_lazy && !m_lazy);
+ ULONGEST copy_length = length;
+ ULONGEST limit = m_limited_length;
+ if (limit > 0 && src_offset + length > limit)
+ copy_length = src_offset > limit ? 0 : limit - src_offset;
+
/* The overwritten DST range gets unavailability ORed in, not
replaced. Make sure to remember to implement replacing if it
turns out actually necessary. */
@@ -1178,10 +1183,10 @@ value::contents_copy_raw (struct value *dst, LONGEST dst_offset,
/* Copy the data. */
gdb::array_view<gdb_byte> dst_contents
= dst->contents_all_raw ().slice (dst_offset * unit_size,
- length * unit_size);
+ copy_length * unit_size);
gdb::array_view<const gdb_byte> src_contents
= contents_all_raw ().slice (src_offset * unit_size,
- length * unit_size);
+ copy_length * unit_size);
gdb::copy (src_contents, dst_contents);
/* Copy the meta-data, adjusted. */
@@ -1206,6 +1211,12 @@ value::contents_copy_raw_bitwise (struct value *dst, LONGEST dst_bit_offset,
mean we'd be copying garbage. */
gdb_assert (!dst->m_lazy && !m_lazy);
+ ULONGEST copy_bit_length = bit_length;
+ ULONGEST bit_limit = m_limited_length * TARGET_CHAR_BIT;
+ if (bit_limit > 0 && src_bit_offset + bit_length > bit_limit)
+ copy_bit_length = (src_bit_offset > bit_limit ? 0
+ : bit_limit - src_bit_offset);
+
/* The overwritten DST range gets unavailability ORed in, not
replaced. Make sure to remember to implement replacing if it
turns out actually necessary. */
@@ -1220,7 +1231,7 @@ value::contents_copy_raw_bitwise (struct value *dst, LONGEST dst_bit_offset,
gdb::array_view<const gdb_byte> src_contents = contents_all_raw ();
copy_bitwise (dst_contents.data (), dst_bit_offset,
src_contents.data (), src_bit_offset,
- bit_length,
+ copy_bit_length,
type_byte_order (type ()) == BFD_ENDIAN_BIG);
/* Copy the meta-data. */
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-02-24 12:38 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-24 12:38 [binutils-gdb] GDB: Fix out of bounds accesses with limited-length values Maciej W. Rozycki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).