From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id D56CB3854E4E for ; Mon, 5 Jun 2023 09:43:15 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D56CB3854E4E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1685958195; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=lQjcjZDwSjeIcjAa21KCxkkXocCOeg/3kXaB+6yr5Yc=; b=XK/R4B9EVRSVe7+PwhgHDvaYq0uoS1qAb+sXjkjC7bzVgGMWMGBNJrE6nKHdURZHSJiQLX g8JkLszMuQWcTNZEAC7yetgTug3HNQh/NGlzUcHJyymfJ3SXik6VgHnd9Fvr3t1OSNOix7 1Gr5VOUnbCDoVWCZoXMypjuaZuzBS04= Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-622-mVvfbI5PPXSBLzwAev6a3g-1; Mon, 05 Jun 2023 05:43:14 -0400 X-MC-Unique: mVvfbI5PPXSBLzwAev6a3g-1 Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-4edb90ccaadso2947863e87.3 for ; Mon, 05 Jun 2023 02:43:14 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685958193; x=1688550193; h=mime-version:message-id:date:references:in-reply-to:subject:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=lQjcjZDwSjeIcjAa21KCxkkXocCOeg/3kXaB+6yr5Yc=; b=bpIEVX6UW1WVVogA+THsVE1jKjZcw7pr1fVySfI2b+1aQ5jE6cDqZ1LltctXHpuM4z HDWzwPQm8aLAOsGm2RJ4JYWgg0Mt36KApBN2hgvUY9wQS4Bt261ZLdARXnnOA2K1mA74 B4FIRjMhRn3IDJ71YZ9kmX4xSlFMsxbrpH2UJO9g0hIYsDiOO1s3nKV4cjo+VSIqbMqm ljuHA8TI122jk8G8936HvCDUiF5YSuSYgXXdZQzT7jMXvbWZIbQXfSSpEzpN8E9Y905e X1aTstfsMLdAFckJhFzJvDtC2SWhR1Koirs+7BaTQcNMRln/kydtL3FLULp4mo1aWW+N nbwg== X-Gm-Message-State: AC+VfDyuKzJqIRU1TnuU/oBqGz0Fw1vPV0QgzyX7TCL/xcr8bNlT2J7U tOpJHHfxRBGVFMP4YrQXTQVwNQsJu+8R9d/fxKfJU776qgcJcFTlnMOxNoIDLMDfdicgOlxXLIw a285adErVSbvbElZp3+127g6ZcJRFCijj78+EvVFm115hgNU0MFD80/82nEXHJ1RIlDTfi58lun XJVDdcaA== X-Received: by 2002:ac2:5a06:0:b0:4f4:b28f:6b9c with SMTP id q6-20020ac25a06000000b004f4b28f6b9cmr5442497lfn.29.1685958192922; Mon, 05 Jun 2023 02:43:12 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6ULX8zOGDpPfBPasErU37DCIV3nMpA0szRqO4DEWE17lp8qybMdmwk63SVny4NSR+y9OVurA== X-Received: by 2002:ac2:5a06:0:b0:4f4:b28f:6b9c with SMTP id q6-20020ac25a06000000b004f4b28f6b9cmr5442482lfn.29.1685958192399; Mon, 05 Jun 2023 02:43:12 -0700 (PDT) Received: from localhost (11.72.115.87.dyn.plus.net. [87.115.72.11]) by smtp.gmail.com with ESMTPSA id p5-20020a1c7405000000b003f6f6a6e769sm10208577wmc.17.2023.06.05.02.43.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 05 Jun 2023 02:43:12 -0700 (PDT) From: Andrew Burgess To: gdb-patches@sourceware.org Cc: Simon Marchi , Tom Tromey , Eli Zaretskii Subject: Re: [PATCH 4/4] gdb: check max-value-size when reading strings for printf In-Reply-To: <3166d8c1916f3d92550c436cf47c70ceece0e0ea.1685611213.git.aburgess@redhat.com> References: <3166d8c1916f3d92550c436cf47c70ceece0e0ea.1685611213.git.aburgess@redhat.com> Date: Mon, 05 Jun 2023 10:43:11 +0100 Message-ID: <87bkhu453k.fsf@redhat.com> MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain X-Spam-Status: No, score=-11.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_NONE,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: Tom suggested this change should have a NEWS entry, so I added one. There's no changes to the rest of the patch. Thanks, Andrew --- commit b7206ddf6228c44a5bec7f9c3d05747f1ddd5025 Author: Andrew Burgess Date: Wed May 31 21:41:48 2023 +0100 gdb: check max-value-size when reading strings for printf I noticed that the printf code for strings, printf_c_string and printf_wide_c_string, don't take max-value-size into account, but do load a complete string from the inferior into a GDB buffer. As such it would be possible for an badly behaved inferior to cause GDB to try and allocate an excessively large buffer, potentially crashing GDB, or at least causing GDB to swap lots, which isn't great. We already have a setting to protect against this sort of thing, the 'max-value-size'. So this commit updates the two function mentioned above to check the max-value-size and give an error if the max-value-size is exceeded. If the max-value-size is exceeded, I chose to continue reading inferior memory to figure out how long the string actually is, we just don't store the results. The benefit of this is that when we give the user an error we can tell the user how big the string actually is, which would allow them to correctly adjust max-value-size, if that's what they choose to do. The default for max-value-size is 64k so there should be no user visible changes after this commit, unless the user was previously printing very large strings. If that is the case then the user will now need to increase max-value-size. diff --git a/gdb/NEWS b/gdb/NEWS index 649a3a9824a..82fe2a73fa2 100644 --- a/gdb/NEWS +++ b/gdb/NEWS @@ -78,6 +78,12 @@ functionality is also available for dprintf when dprintf-style is 'gdb'. +* When the printf command requires a string to be fetched from the + inferior, GDB now uses the existing 'max-value-size' setting to the + limit the memory allocated within GDB. The default 'max-value-size' + is 64k. To print longer strings you should increase + 'max-value-size'. + * New commands maintenance print record-instruction [ N ] diff --git a/gdb/printcmd.c b/gdb/printcmd.c index 61b009fb7f2..4bfdaa2c7d7 100644 --- a/gdb/printcmd.c +++ b/gdb/printcmd.c @@ -2480,17 +2480,24 @@ printf_c_string (struct ui_file *stream, const char *format, /* This is a %s argument. Build the string in STR which is currently empty. */ gdb_assert (str.size () == 0); - for (size_t len = 0;; len++) + size_t len; + for (len = 0;; len++) { gdb_byte c; QUIT; + read_memory (tem + len, &c, 1); - str.push_back (c); + if (!exceeds_max_value_size (len + 1)) + str.push_back (c); if (c == 0) break; } + if (exceeds_max_value_size (len + 1)) + error (_("printed string requires %s bytes, which is more than " + "max-value-size"), plongest (len + 1)); + /* We will have passed through the above loop at least once, and will only exit the loop when we have pushed a zero byte onto the end of STR. */ @@ -2547,13 +2554,37 @@ printf_wide_c_string (struct ui_file *stream, const char *format, for (len = 0;; len += wcwidth) { QUIT; - tem_str->resize (tem_str->size () + wcwidth); - gdb_byte *dst = tem_str->data () + len; + gdb_byte *dst; + if (!exceeds_max_value_size (len + wcwidth)) + { + tem_str->resize (tem_str->size () + wcwidth); + dst = tem_str->data () + len; + } + else + { + /* We still need to check for the null-character, so we need + somewhere to place the data read from the inferior. We + can't keep growing TEM_STR, it's gotten too big, so + instead just read the new character into the start of + TEMS_STR. This will corrupt the previously read contents, + but we're not going to print this string anyway, we just + want to know how big it would have been so we can tell the + user in the error message (see below). + + And we know there will be space in this buffer so long as + WCWIDTH is smaller than our LONGEST type, the + max-value-size can't be smaller than a LONGEST. */ + dst = tem_str->data (); + } read_memory (tem + len, dst, wcwidth); if (extract_unsigned_integer (dst, wcwidth, byte_order) == 0) break; } + if (exceeds_max_value_size (len + wcwidth)) + error (_("printed string requires %s bytes, which is more than " + "max-value-size"), plongest (len + wcwidth)); + str = tem_str->data (); } diff --git a/gdb/testsuite/gdb.base/printcmds.c b/gdb/testsuite/gdb.base/printcmds.c index fa3a62d6cdd..8445fcc1aa2 100644 --- a/gdb/testsuite/gdb.base/printcmds.c +++ b/gdb/testsuite/gdb.base/printcmds.c @@ -75,6 +75,8 @@ char *teststring = (char*)"teststring contents"; typedef char *charptr; charptr teststring2 = "more contents"; +const char *teststring3 = "this is a longer test string that we can use"; + /* Test printing of a struct containing character arrays. */ struct some_arrays { diff --git a/gdb/testsuite/gdb.base/printcmds.exp b/gdb/testsuite/gdb.base/printcmds.exp index 73f145c9586..eab0264af63 100644 --- a/gdb/testsuite/gdb.base/printcmds.exp +++ b/gdb/testsuite/gdb.base/printcmds.exp @@ -901,6 +901,11 @@ proc test_printf {} { # PR cli/14977. gdb_test "printf \"%s\\n\", 0" "\\(null\\)" + + with_max_value_size 20 { + gdb_test {printf "%s", teststring3} \ + "^printed string requires 45 bytes, which is more than max-value-size" + } } #Test printing DFP values with printf diff --git a/gdb/testsuite/gdb.base/printf-wchar_t.c b/gdb/testsuite/gdb.base/printf-wchar_t.c index 4d13fd3c961..2635932c780 100644 --- a/gdb/testsuite/gdb.base/printf-wchar_t.c +++ b/gdb/testsuite/gdb.base/printf-wchar_t.c @@ -18,6 +18,8 @@ #include const wchar_t wide_str[] = L"wide string"; +const wchar_t long_wide_str[] + = L"this is a much longer wide string that we can use if needed"; int main (void) diff --git a/gdb/testsuite/gdb.base/printf-wchar_t.exp b/gdb/testsuite/gdb.base/printf-wchar_t.exp index 85c6edf292c..8a6003d5785 100644 --- a/gdb/testsuite/gdb.base/printf-wchar_t.exp +++ b/gdb/testsuite/gdb.base/printf-wchar_t.exp @@ -24,3 +24,9 @@ if {![runto_main]} { } gdb_test {printf "%ls\n", wide_str} "^wide string" + +# Check that if the max-value-size will kick in when using printf on strings. +with_max_value_size 20 { + gdb_test {printf "%ls\n", long_wide_str} \ + "^printed string requires 240 bytes, which is more than max-value-size" +} diff --git a/gdb/testsuite/lib/gdb.exp b/gdb/testsuite/lib/gdb.exp index 62e0b0b3db5..321d9707cd5 100644 --- a/gdb/testsuite/lib/gdb.exp +++ b/gdb/testsuite/lib/gdb.exp @@ -3192,6 +3192,36 @@ proc with_target_charset { target_charset body } { } } +# Run tests in BODY with max-value-size set to SIZE. When BODY is +# finished restore max-value-size. + +proc with_max_value_size { size body } { + global gdb_prompt + + set saved "" + gdb_test_multiple "show max-value-size" "" { + -re -wrap "Maximum value size is ($::decimal) bytes\\." { + set saved $expect_out(1,string) + } + -re ".*$gdb_prompt " { + fail "get max-value-size" + } + } + + gdb_test_no_output -nopass "set max-value-size $size" + + set code [catch {uplevel 1 $body} result] + + gdb_test_no_output -nopass "set max-value-size $saved" + + if {$code == 1} { + global errorInfo errorCode + return -code $code -errorinfo $errorInfo -errorcode $errorCode $result + } else { + return -code $code $result + } +} + # Switch the default spawn id to SPAWN_ID, so that gdb_test, # mi_gdb_test etc. default to using it. diff --git a/gdb/value.c b/gdb/value.c index 980722a6dd7..05e5d10ab38 100644 --- a/gdb/value.c +++ b/gdb/value.c @@ -804,7 +804,7 @@ check_type_length_before_alloc (const struct type *type) { ULONGEST length = type->length (); - if (max_value_size > -1 && length > max_value_size) + if (exceeds_max_value_size (length)) { if (type->name () != NULL) error (_("value of type `%s' requires %s bytes, which is more " @@ -815,6 +815,14 @@ check_type_length_before_alloc (const struct type *type) } } +/* See value.h. */ + +bool +exceeds_max_value_size (ULONGEST length) +{ + return max_value_size > -1 && length > max_value_size; +} + /* When this has a value, it is used to limit the number of array elements of an array that are loaded into memory when an array value is made non-lazy. */ diff --git a/gdb/value.h b/gdb/value.h index 508367a4159..cca356a93ea 100644 --- a/gdb/value.h +++ b/gdb/value.h @@ -1575,6 +1575,11 @@ extern void finalize_values (); of floating-point, fixed-point, or integer type. */ extern gdb_mpq value_to_gdb_mpq (struct value *value); +/* Return true if LEN (in bytes) exceeds the max-value-size setting, + otherwise, return false. If the user has disabled (set to unlimited) + the max-value-size setting then this function will always return false. */ +extern bool exceeds_max_value_size (ULONGEST length); + /* While an instance of this class is live, and array values that are created, that are larger than max_value_size, will be restricted in size to a particular number of elements. */