* [PATCH] Fix bug in arm_push_dummy_call by -fsanitize=address
@ 2015-11-13 8:18 Yao Qi
2015-11-16 14:45 ` Yao Qi
0 siblings, 1 reply; 2+ messages in thread
From: Yao Qi @ 2015-11-13 8:18 UTC (permalink / raw)
To: gdb-patches
When I build GDB with -fsanitize=address, and run testsuite,
some gdb.base/*.exp test triggers the ERROR below,
=================================================================
==7646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000242810 at pc 0x487844 bp 0x7fffe32e84e0 sp 0x7fffe32e84d8
READ of size 4 at 0x603000242810 thread T0^[[1m^[[0m^M
#0 0x487843 in push_stack_item /home/yao/SourceCode/gnu/gdb/git/gdb/arm-tdep.c:3405
#1 0x48998a in arm_push_dummy_call /home/yao/SourceCode/gnu/gdb/git/gdb/arm-tdep.c:3960
In that path, GDB passes value on stack, in an INT_REGISTER_SIZE slot,
but the value contents' length can be less than INT_REGISTER_SIZE, so
the contents will be accessed out of the bound. This patch adds an
array buf[INT_REGISTER_SIZE], and copy val to buf before writing them
to stack.
Regression tested on arm-linux.
gdb:
2015-11-13 Yao Qi <yao.qi@linaro.org>
* arm-tdep.c (arm_push_dummy_call): New array buf. Store regval
to buf. Pass buf instead of val to push_stack_item.
---
gdb/arm-tdep.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c
index 9c8208a..58dcc6c 100644
--- a/gdb/arm-tdep.c
+++ b/gdb/arm-tdep.c
@@ -3928,13 +3928,13 @@ arm_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
while (len > 0)
{
int partial_len = len < INT_REGISTER_SIZE ? len : INT_REGISTER_SIZE;
+ CORE_ADDR regval
+ = extract_unsigned_integer (val, partial_len, byte_order);
if (may_use_core_reg && argreg <= ARM_LAST_ARG_REGNUM)
{
/* The argument is being passed in a general purpose
register. */
- CORE_ADDR regval
- = extract_unsigned_integer (val, partial_len, byte_order);
if (byte_order == BFD_ENDIAN_BIG)
regval <<= (INT_REGISTER_SIZE - partial_len) * 8;
if (arm_debug)
@@ -3948,11 +3948,16 @@ arm_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
}
else
{
+ gdb_byte buf[INT_REGISTER_SIZE];
+
+ memset (buf, 0, sizeof (buf));
+ store_unsigned_integer (buf, partial_len, byte_order, regval);
+
/* Push the arguments onto the stack. */
if (arm_debug)
fprintf_unfiltered (gdb_stdlog, "arg %d @ sp + %d\n",
argnum, nstack);
- si = push_stack_item (si, val, INT_REGISTER_SIZE);
+ si = push_stack_item (si, buf, INT_REGISTER_SIZE);
nstack += INT_REGISTER_SIZE;
}
--
1.9.1
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] Fix bug in arm_push_dummy_call by -fsanitize=address
2015-11-13 8:18 [PATCH] Fix bug in arm_push_dummy_call by -fsanitize=address Yao Qi
@ 2015-11-16 14:45 ` Yao Qi
0 siblings, 0 replies; 2+ messages in thread
From: Yao Qi @ 2015-11-16 14:45 UTC (permalink / raw)
To: Yao Qi; +Cc: gdb-patches
Yao Qi <qiyaoltc@gmail.com> writes:
> 2015-11-13 Yao Qi <yao.qi@linaro.org>
>
> * arm-tdep.c (arm_push_dummy_call): New array buf. Store regval
> to buf. Pass buf instead of val to push_stack_item.
I pushed it in.
--
Yao (齐尧)
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-11-16 14:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-13 8:18 [PATCH] Fix bug in arm_push_dummy_call by -fsanitize=address Yao Qi
2015-11-16 14:45 ` Yao Qi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).