From: Joel Brobecker <brobecker@adacore.com>
To: Simon Marchi <simark@simark.ca>
Cc: gdb-patches@sourceware.org
Subject: Re: pushed: Add support for DWARF-based fixed point types
Date: Mon, 23 Nov 2020 08:27:11 +0400 [thread overview]
Message-ID: <20201123042711.GA967337@adacore.com> (raw)
In-Reply-To: <5e62ef60-93d7-ad52-4f9d-b23266ae4fc8@simark.ca>
[-- Attachment #1: Type: text/plain, Size: 1233 bytes --]
> We pass mpz_export a buffer of 8 bytes (statically allocated in
> write_fp_test), but GMP decides it needs to write 16 bytes, hence the
> overflow.
>
> I tried to read the GMP doc, but I am familiar with its concepts, so I
> don't really understand if we are using the API correctly or not.
I found the source of the problem, which was in a way subtle-enough
that you really have to pay attention to these details (which,
luckily, are handled automatically thanks to our minor C++-ification
of GMP in gmp-utils), and yet so obvious once you find it.
Attached is the patch that I will push later today (need to run RSN,
and don't want to make a mistake because I'm rushing).
I think this error might be highlighting a weakness, though. I need
to investigate more, but I'm thinking it might be wise to add some
checks during export that the buffer size is large enough to fit
the value. In other words, I'm thinking of having our own
safe_mpz_export which double-checks the size of the buffer according
to the formula given by the documentation, and raises an error if
too small.
The fact that GMP happily goes beyond the end of the buffer is
a bit unexpected, still. Maybe something to report to the GMP team.
Later!
--
Joel
[-- Attachment #2: 0001-Fix-stack-smashing-error-during-gdb_mpq_write_fixed_.patch --]
[-- Type: text/x-diff, Size: 2944 bytes --]
From 1cb4f9e076dbd87808783e6f4f54b4b22c45d0e5 Mon Sep 17 00:00:00 2001
From: Joel Brobecker <brobecker@adacore.com>
Date: Mon, 23 Nov 2020 08:02:10 +0400
Subject: [PATCH] Fix stack smashing error during gdb_mpq_write_fixed_point
selftest
When building GDB using Ubuntu 20.04's system libgmp and compiler,
running the "maintenance selftest" command triggers the following error:
| Running selftest gdb_mpq_write_fixed_point.
| *** stack smashing detected ***: terminated
| [1] 1092790 abort (core dumped) ./gdb gdb
This happens while trying to construct an mpq_t object (a rational)
from two integers representing the numerator and denominator.
In our test, the numerator is -8, and the denominator is 1.
The problem was that the rational was constructed using the wrong
function. This is what we were doing prior to this patch:
mpq_set_ui (v.val, numerator, denominator);
The 'u' in "ui" stands for *unsigned*, which is wrong because
numerator and denominator's type is "int".
As a result of the above, instead of getting a rational value of -8,
we get a rational with a very large positive value (gmp_printf
says "18446744073709551608").
From there, the test performs an operation which is expected to
write this value into a buffer which was not dimensioned to fit
such a number, thus leading GMP into a buffer overflow.
This was verified by applying the formula that GMP's documentation
gives for the required memory buffer size needed during export:
| When an application is allocating space itself the required size can
| be determined with a calculation like the following. Since
| mpz_sizeinbase always returns at least 1, count here will be at
| least one, which avoids any portability problems with malloc(0),
| though if z is zero no space at all is actually needed (or written).
|
| numb = 8*size - nail;
| count = (mpz_sizeinbase (z, 2) + numb-1) / numb;
| p = malloc (count * size);
With the very large number, mpz_sizeinbase returns 66 and thus
the malloc size becomes 16 bytes instead of the 8 we allocated.
This patch fixes the issue by using the correct "set" function.
gdb/ChangeLog:
* unittests/gmp-utils-selftests.c (write_fp_test): Use mpq_set_si
instead of mpq_set_ui to initialize our GMP rational.
---
gdb/unittests/gmp-utils-selftests.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gdb/unittests/gmp-utils-selftests.c b/gdb/unittests/gmp-utils-selftests.c
index af5bc65d2f9..175ab3f9827 100644
--- a/gdb/unittests/gmp-utils-selftests.c
+++ b/gdb/unittests/gmp-utils-selftests.c
@@ -400,7 +400,7 @@ write_fp_test (int numerator, unsigned int denominator,
memset (buf, 0, len);
gdb_mpq v;
- mpq_set_ui (v.val, numerator, denominator);
+ mpq_set_si (v.val, numerator, denominator);
mpq_canonicalize (v.val);
v.write_fixed_point (buf, len, byte_order, 0, scaling_factor);
--
2.25.1
next prev parent reply other threads:[~2020-11-23 4:27 UTC|newest]
Thread overview: 140+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-08 6:30 RFA: " Joel Brobecker
2020-11-08 6:30 ` [PATCH 1/9] gdb/configure: Add --with-libgmp-prefix option Joel Brobecker
2020-11-08 6:30 ` [PATCH 2/9] gdb: Make GMP a required dependency for building GDB Joel Brobecker
2020-12-15 6:55 ` Sebastian Huber
2020-12-15 8:57 ` Joel Brobecker
2020-11-08 6:30 ` [PATCH 3/9] gmp-utils: New API to simply use of GMP's integer/rational/float objects Joel Brobecker
2020-11-10 20:15 ` Simon Marchi
2020-11-13 8:12 ` Joel Brobecker
2020-11-13 15:04 ` Tom Tromey
2020-11-13 15:06 ` Simon Marchi
2020-11-16 16:18 ` Tom Tromey
2020-11-16 16:34 ` Luis Machado
2020-11-18 3:52 ` Joel Brobecker
2020-11-08 6:30 ` [PATCH 4/9] Move uinteger_pow gdb/valarith.c to gdb/utils.c and make it public Joel Brobecker
2020-11-08 6:30 ` [PATCH 5/9] Add support for printing value of DWARF-based fixed-point type objects Joel Brobecker
2020-11-10 21:06 ` Simon Marchi
2020-11-14 10:48 ` Joel Brobecker
2020-11-14 13:20 ` Simon Marchi
2020-11-14 11:30 ` Joel Brobecker
2020-11-14 16:14 ` Simon Marchi
2020-11-15 5:30 ` Joel Brobecker
2020-11-15 6:33 ` Joel Brobecker
2020-11-16 0:13 ` Simon Marchi
2020-11-08 6:30 ` [PATCH 6/9] fix printing of DWARF fixed-point type objects with format modifier Joel Brobecker
2020-11-10 22:50 ` Simon Marchi
2020-11-08 6:30 ` [PATCH 7/9] Add ptype support for DWARF-based fixed-point types Joel Brobecker
2020-11-10 23:00 ` Simon Marchi
2020-11-15 6:57 ` Joel Brobecker
2020-11-15 7:09 ` Joel Brobecker
2020-11-16 0:16 ` Simon Marchi
2020-11-16 4:03 ` Joel Brobecker
2020-11-08 6:30 ` [PATCH 8/9] Add support for fixed-point type arithmetic Joel Brobecker
2020-11-10 23:18 ` Simon Marchi
2020-11-08 6:30 ` [PATCH 9/9] Add support for fixed-point type comparison operators Joel Brobecker
2020-11-10 23:21 ` RFA: Add support for DWARF-based fixed point types Simon Marchi
2020-11-11 4:53 ` Joel Brobecker
2020-11-15 8:35 ` pushed: " Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 1/9] gdb/configure: Add --with-libgmp-prefix option Joel Brobecker
2020-11-15 15:52 ` Bernd Edlinger
2020-11-16 3:45 ` Joel Brobecker
2020-11-16 14:20 ` Bernd Edlinger
2020-11-17 7:41 ` [PATCH] Enable GDB build with in-tree GMP and MPFR Bernd Edlinger
2020-11-18 3:44 ` Joel Brobecker
2020-11-18 8:14 ` Bernd Edlinger
2020-12-01 19:29 ` Bernd Edlinger
2020-12-01 19:32 ` Simon Marchi
2020-12-01 19:38 ` Bernd Edlinger
2020-12-01 20:29 ` Bernd Edlinger
2020-12-01 20:30 ` Simon Marchi
2020-12-02 3:21 ` Joel Brobecker
2020-12-08 20:39 ` [PING] " Bernd Edlinger
2020-12-14 17:40 ` [PATCH v2] " Bernd Edlinger
2020-12-14 18:47 ` Simon Marchi
2020-12-14 21:35 ` Tom Tromey
2020-12-14 22:17 ` Simon Marchi
2020-12-15 2:33 ` Joel Brobecker
2020-12-15 14:39 ` Simon Marchi
2020-12-15 16:24 ` Bernd Edlinger
2020-12-16 7:33 ` Joel Brobecker
2020-12-16 18:16 ` Bernd Edlinger
2020-12-25 12:05 ` Bernd Edlinger
2020-12-27 22:01 ` Simon Marchi
2020-12-29 8:36 ` Bernd Edlinger
2020-12-29 14:50 ` Simon Marchi
2021-01-10 14:12 ` Bernd Edlinger
2021-01-10 15:32 ` Simon Marchi
2021-01-11 3:22 ` Joel Brobecker
2021-01-16 18:01 ` Bernd Edlinger
2020-12-15 15:33 ` Bernd Edlinger
2020-12-15 15:10 ` Bernd Edlinger
2020-11-15 8:35 ` [pushed/v2 2/9] gdb: Make GMP a required dependency for building GDB Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 3/9] gmp-utils: New API to simply use of GMP's integer/rational/float objects Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 4/9] Move uinteger_pow gdb/valarith.c to gdb/utils.c and make it public Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 5/9] Add support for printing value of DWARF-based fixed-point type objects Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 6/9] fix printing of DWARF fixed-point type objects with format modifier Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 7/9] Add ptype support for DWARF-based fixed-point types Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 8/9] Add support for fixed-point type arithmetic Joel Brobecker
2020-11-15 8:35 ` [pushed/v2 9/9] Add support for fixed-point type comparison operators Joel Brobecker
2020-11-16 23:48 ` pushed: Add support for DWARF-based fixed point types Pedro Alves
2020-11-17 14:25 ` Simon Marchi
2020-11-18 3:47 ` Joel Brobecker
2020-11-22 13:12 ` [RFA] Add TYPE_CODE_FIXED_POINT handling in print_type_scalar Joel Brobecker
2020-11-22 14:35 ` Simon Marchi
2020-11-24 3:04 ` Joel Brobecker
2020-11-22 14:00 ` pushed: Add support for DWARF-based fixed point types Joel Brobecker
2020-11-22 20:11 ` Simon Marchi
2020-11-23 4:27 ` Joel Brobecker [this message]
2020-11-23 16:12 ` Simon Marchi
2020-11-24 2:39 ` Joel Brobecker
2020-11-29 15:45 ` RFA: wrap mpz_export into gdb_mpz::safe_export Joel Brobecker
2020-11-29 15:45 ` [RFA 1/2] Fix TARGET_CHAR_BIT/HOST_CHAR_BIT confusion in gmp-utils.c Joel Brobecker
2020-11-30 15:42 ` Simon Marchi
2020-12-05 8:05 ` Joel Brobecker
2020-11-29 15:45 ` [RFA 2/2] gmp-utils: protect gdb_mpz exports against out-of-range values Joel Brobecker
2020-11-30 15:56 ` Simon Marchi
2020-12-01 3:37 ` Joel Brobecker
2020-12-01 4:02 ` Simon Marchi
2020-12-01 7:11 ` Joel Brobecker
2020-12-05 8:10 ` [RFAv2 " Joel Brobecker
2020-12-05 23:26 ` Simon Marchi
2020-12-06 4:58 ` Joel Brobecker
2020-11-30 12:44 ` RFA: wrap mpz_export into gdb_mpz::safe_export Christian Biesinger
2020-11-20 14:08 ` pushed: Add support for DWARF-based fixed point types Pedro Alves
2020-11-20 14:14 ` Joel Brobecker
2020-11-22 11:56 ` RFA/doco: Various changes related to GMP and fixed point type support Joel Brobecker
2020-11-22 11:56 ` [RFA/doco 1/4] gdb/NEWS: Document that building GDB now requires GMP Joel Brobecker
2020-11-22 15:31 ` Eli Zaretskii
2020-11-24 3:11 ` Joel Brobecker
2020-11-22 11:56 ` [RFA/doco 2/4] gdb/NEWS: Document that GDB now supports DWARF-based fixed point types Joel Brobecker
2020-11-22 15:33 ` Eli Zaretskii
2020-11-24 3:12 ` Joel Brobecker
2020-11-22 11:56 ` [RFA/doco 3/4] gdb/README: Document the --with-libgmp-prefix configure option Joel Brobecker
2020-11-22 15:32 ` Eli Zaretskii
2020-11-24 3:11 ` Joel Brobecker
2020-11-22 11:56 ` [RFA/doco 4/4] gdb/README: Fix the URL of the MPFR website (now https) Joel Brobecker
2020-11-22 15:33 ` Eli Zaretskii
2020-11-24 3:11 ` Joel Brobecker
2020-11-15 8:49 ` RFA: Various enhancements to the fixed-point support implementation Joel Brobecker
2020-11-15 8:49 ` [RFA 1/6] change gmp_string_asprintf to return an std::string Joel Brobecker
2020-11-16 0:41 ` Simon Marchi
2020-11-16 3:55 ` Joel Brobecker
2020-11-16 20:10 ` Simon Marchi
2020-11-15 8:49 ` [RFA 2/6] gmp-utils: Convert the read/write methods to using gdb::array_view Joel Brobecker
2020-11-16 0:52 ` Simon Marchi
2020-11-16 23:05 ` Pedro Alves
2020-11-17 14:32 ` Simon Marchi
2020-11-15 8:49 ` [RFA 3/6] gdbtypes.h: Get rid of the TYPE_FIXED_POINT_INFO macro Joel Brobecker
2020-11-15 8:49 ` [RFA 4/6] Make fixed_point_type_base_type a method of struct type Joel Brobecker
2020-11-15 8:49 ` [RFA 5/6] Make function fixed_point_scaling_factor " Joel Brobecker
2020-11-15 8:49 ` [RFA 6/6] valarith.c: Replace INIT_VAL_WITH_FIXED_POINT_VAL macro by lambda Joel Brobecker
2020-11-16 1:01 ` RFA: Various enhancements to the fixed-point support implementation Simon Marchi
2020-11-22 11:14 ` RFA v2: " Joel Brobecker
2020-11-22 11:14 ` [RFA v2 1/6] change and rename gmp_string_asprintf to return an std::string Joel Brobecker
2020-11-22 11:14 ` [RFA v2 2/6] gmp-utils: Convert the read/write methods to using gdb::array_view Joel Brobecker
2020-11-22 11:14 ` [RFA v2 3/6] gdbtypes.h: Get rid of the TYPE_FIXED_POINT_INFO macro Joel Brobecker
2020-11-22 11:14 ` [RFA v2 4/6] Make fixed_point_type_base_type a method of struct type Joel Brobecker
2020-11-22 11:14 ` [RFA v2 5/6] Make function fixed_point_scaling_factor " Joel Brobecker
2020-11-22 11:14 ` [RFA v2 6/6] valarith.c: Replace INIT_VAL_WITH_FIXED_POINT_VAL macro by lambda Joel Brobecker
2020-11-23 16:46 ` RFA v2: Various enhancements to the fixed-point support implementation Simon Marchi
2020-11-24 2:56 ` Joel Brobecker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201123042711.GA967337@adacore.com \
--to=brobecker@adacore.com \
--cc=gdb-patches@sourceware.org \
--cc=simark@simark.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).