public inbox for gdb-patches@sourceware.org
* [PATCH] gdb/source.c: Fix undefined behaviour dereferencing empty string
@ 2022-09-15 18:31 Magne Hov
  2022-09-20 19:07 ` Tom Tromey
  2022-09-21 14:58 ` [PATCH v2] " Magne Hov
  0 siblings, 2 replies; 7+ messages in thread
From: Magne Hov @ 2022-09-15 18:31 UTC (permalink / raw)
  To: gdb-patches

When a source file's dirname is solely made up of directory separators
we end up trying to dereference the last character of an empty string
with std::string::back, which results in undefined behaviour. A typical
use case where this can happen is when the root directory "/" is used as
a compilation directory.

With libstdc++.so.6.0.28 we get no out-of-bounds checks and the byte
preceding the storage of the empty string is returned. The character
value of this byte depends on heap implementation and usage, but when
this byte happens to hold the value of the directory separator character
we go on to call std::string::pop_back on the empty string which results
in an out_of_range exception which terminates GDB.

Fix this by checking for the empty string.

The testsuite has been run before and after the change and no
regressions were found.
---
 gdb/source.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gdb/source.c b/gdb/source.c
index 3f498d552c4..9d69052c4f1 100644
--- a/gdb/source.c
+++ b/gdb/source.c
@@ -1149,7 +1149,7 @@ find_and_open_source (const char *filename,
       std::string cdir_filename (dirname);
 
       /* Remove any trailing directory separators.  */
-      while (IS_DIR_SEPARATOR (cdir_filename.back ()))
+      while (!cdir_filename.empty () && IS_DIR_SEPARATOR (cdir_filename.back ()))
 	cdir_filename.pop_back ();
 
       /* Add our own directory separator.  */
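Review bot: the empty check fixes the back () call, but nothing in the patch exercises the case that triggered it; the diffstat touches only gdb/source.c, so a testsuite case with a compilation directory of "/" (the scenario the commit message names) is needed to keep this from regressing silently, because the original loop only misbehaves when the stripped string happens to be empty. A short comment at the loop would also help the next reader: after stripping, a dirname of "/" becomes "" and it is the following `cdir_filename.append (SLASH_STRING)` that restores the leading separator, giving "/" + filename_start, which is the intended root-relative result rather than an accident of the empty string.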
-- 
2.25.1



* Re: [PATCH] gdb/source.c: Fix undefined behaviour dereferencing empty string
  2022-09-15 18:31 [PATCH] gdb/source.c: Fix undefined behaviour dereferencing empty string Magne Hov
@ 2022-09-20 19:07 ` Tom Tromey
  2022-09-21 14:51   ` Magne Hov
  2022-09-21 14:58 ` [PATCH v2] " Magne Hov
  1 sibling, 1 reply; 7+ messages in thread
From: Tom Tromey @ 2022-09-20 19:07 UTC (permalink / raw)
  To: Magne Hov via Gdb-patches

>>>>> "Magne" == Magne Hov via Gdb-patches <gdb-patches@sourceware.org> writes:

Magne> When a source file's dirname is solely made up of directory separators
Magne> we end up trying to dereference the last character of an empty string
Magne> with std::string::back, which results in undefined behaviour. A typical
Magne> use case where this can happen is when the root directory "/" is used as
Magne> a compilation directory.

...
Magne> Fix this by checking for the empty string.

I wonder if this code should be changed to use path_join instead.
That function doesn't seem to have this bug:

      if (!ret.empty () && !IS_DIR_SEPARATOR (ret.back ()))
	  ret += '/';

thanks,
Tom


* Re: [PATCH] gdb/source.c: Fix undefined behaviour dereferencing empty string
  2022-09-20 19:07 ` Tom Tromey
@ 2022-09-21 14:51   ` Magne Hov
  0 siblings, 0 replies; 7+ messages in thread
From: Magne Hov @ 2022-09-21 14:51 UTC (permalink / raw)
  To: Tom Tromey, Magne Hov via Gdb-patches

On Tue, Sep 20 2022, Tom Tromey wrote:

> I wonder if this code should be changed to use path_join instead.
> That function doesn't seem to have this bug:

Good point, I've rerun the test suite and I will send an updated patch.

-- 
Magne Hov | Software Engineer | Direct: +44 7395 395 648 | mhov@undo.io

Undo | Record. Replay. Resolve


* [PATCH v2] gdb/source.c: Fix undefined behaviour dereferencing empty string
  2022-09-15 18:31 [PATCH] gdb/source.c: Fix undefined behaviour dereferencing empty string Magne Hov
  2022-09-20 19:07 ` Tom Tromey
@ 2022-09-21 14:58 ` Magne Hov
  2022-09-21 15:52   ` Simon Marchi
  2022-09-24  8:58   ` Magne Hov
  1 sibling, 2 replies; 7+ messages in thread
From: Magne Hov @ 2022-09-21 14:58 UTC (permalink / raw)
  To: gdb-patches

When a source file's dirname is solely made up of directory separators
we end up trying to dereference the last character of an empty string
with std::string::back, which results in undefined behaviour. A typical
use case where this can happen is when the root directory "/" is used as
a compilation directory.

With libstdc++.so.6.0.28 we get no out-of-bounds checks and the byte
preceding the storage of the empty string is returned. The character
value of this byte depends on heap implementation and usage, but when
this byte happens to hold the value of the directory separator character
we go on to call std::string::pop_back on the empty string which results
in an out_of_range exception which terminates GDB.

Fix this by using path_join. prepare_path_for_appending ensures that the
filename component is relative.

The testsuite has been run before and after the change and no
regressions were found.
---
 gdb/source.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/gdb/source.c b/gdb/source.c
index 3f498d552c4..25ad1ecb3da 100644
--- a/gdb/source.c
+++ b/gdb/source.c
@@ -1146,15 +1146,7 @@ find_and_open_source (const char *filename,
 	 helpful if part of the compilation directory was removed,
 	 e.g. using gcc's -fdebug-prefix-map, and we have added the missing
 	 prefix to source_path.  */
-      std::string cdir_filename (dirname);
-
-      /* Remove any trailing directory separators.  */
-      while (IS_DIR_SEPARATOR (cdir_filename.back ()))
-	cdir_filename.pop_back ();
-
-      /* Add our own directory separator.  */
-      cdir_filename.append (SLASH_STRING);
-      cdir_filename.append (filename_start);
+      std::string cdir_filename = path_join (dirname, filename_start);
 
       result = openp (path, OPF_SEARCH_IN_PATH | OPF_RETURN_REALPATH,
 		      cdir_filename.c_str (), OPEN_MODE, fullname);
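Review bot: the new call relies on filename_start being relative, a precondition only the commit message states ("prepare_path_for_appending ensures that the filename component is relative"); a one-line comment above `std::string cdir_filename = path_join (dirname, filename_start);` would make that visible at the call site, since a caller passing an absolute second component would not get the old concatenation behaviour. Two smaller behaviour differences from the removed lines deserve a sentence in the commit message: the old loop collapsed any run of trailing separators and then appended SLASH_STRING, whereas path_join, as quoted earlier in the thread, only adds a '/' when the accumulated path is non-empty and does not already end in a separator, so "/usr/src//" now yields "/usr/src//file" instead of "/usr/src/file", and an empty dirname yields "file" instead of "/file". Neither changes what openp opens on a POSIX host, but the change is no longer a pure bug fix, and as with v1 no test covers the "/" compilation directory case.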
-- 
2.25.1


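The v1 commit message explains the bug, Tom Tromey's reply points at path_join, and the v2 patch adopts it; the three fixes differ on exactly the edge cases the thread only touches on (a compilation directory of "/", a run of trailing separators, an empty dirname). The following is an added example, not GDB's code: it puts the original loop from the v1 hunk, the guarded v1 loop, and a path_join written from the two lines Tom quoted side by side so the differences can be checked. The names `is_dir_separator`, `join_before_fix`, `join_v1` and `path_join_like` are chosen here; the real IS_DIR_SEPARATOR also accepts '\\' on DOS-style hosts, and the real path_join lives in gdbsupport and is assumed, not shown, to assert that later components are relative.

```cpp
// Added example, not GDB's own code.  Models the three variants of the
// dirname + filename join discussed in the thread.  Only '/' is treated as a
// separator (GDB's IS_DIR_SEPARATOR also accepts '\\' on DOS-style hosts).
#include <cassert>
#include <iostream>
#include <string>

static bool is_dir_separator (char c) { return c == '/'; }

// The loop as it was before the fix.  back () is evaluated even when the
// stripping has emptied the string, which is undefined behaviour; do not call
// this with a dirname made only of separators such as "/".  Building with
// -D_GLIBCXX_ASSERTIONS makes libstdc++ abort on that call instead of reading
// whatever byte precedes the buffer.
std::string join_before_fix (const std::string &dirname,
			     const std::string &filename)
{
  std::string cdir_filename (dirname);
  while (is_dir_separator (cdir_filename.back ()))	/* UB if empty */
    cdir_filename.pop_back ();
  cdir_filename.append ("/");
  cdir_filename.append (filename);
  return cdir_filename;
}

// The v1 fix: guard the loop, then append exactly one separator.  For "/"
// the stripped string is "" and the append restores the leading '/'.
std::string join_v1 (const std::string &dirname, const std::string &filename)
{
  std::string cdir_filename (dirname);
  while (!cdir_filename.empty () && is_dir_separator (cdir_filename.back ()))
    cdir_filename.pop_back ();
  cdir_filename.append ("/");
  cdir_filename.append (filename);
  return cdir_filename;
}

// The v2 shape: a path_join modelled on the two lines quoted in the thread.
// Assumption: the second component must be relative, mirroring the
// precondition the v2 commit message says prepare_path_for_appending
// guarantees for filename_start.
std::string path_join_like (const std::string &dirname,
			    const std::string &filename)
{
  assert (filename.empty () || !is_dir_separator (filename.front ()));
  std::string ret (dirname);
  if (!ret.empty () && !is_dir_separator (ret.back ()))
    ret += '/';
  ret.append (filename);
  return ret;
}

int main ()
{
  // Constructed inputs: the report's "/" case plus the edge cases where the
  // two fixes diverge.
  const char *dirs[] = { "/", "/usr/src", "/usr/src/", "/usr/src//", "" };
  for (const char *d : dirs)
    std::cout << '"' << d << "\" -> v1: " << join_v1 (d, "foo.c")
	      << "  path_join: " << path_join_like (d, "foo.c") << '\n';
  // The pre-fix loop agrees with v1 whenever stripping leaves something.
  std::cout << "before fix (safe input): "
	    << join_before_fix ("/usr/src/", "foo.c") << '\n';
  return 0;
}
```

Build with `g++ -std=c++17 -D_GLIBCXX_ASSERTIONS`; with that define a call such as `join_before_fix ("/", "foo.c")` fails an assertion inside std::string::back instead of producing the heap-dependent behaviour the report describes, which is the quickest way to reproduce the bug deterministically. The output for "/usr/src//" and for "" is where v2 and v1 part ways: path_join keeps the doubled separator and does not prepend a '/' to an empty dirname.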

* Re: [PATCH v2] gdb/source.c: Fix undefined behaviour dereferencing empty string
  2022-09-21 14:58 ` [PATCH v2] " Magne Hov
@ 2022-09-21 15:52   ` Simon Marchi
  2022-09-22 13:11     ` Magne Hov
  2022-09-24  8:58   ` Magne Hov
  1 sibling, 1 reply; 7+ messages in thread
From: Simon Marchi @ 2022-09-21 15:52 UTC (permalink / raw)
  To: Magne Hov, gdb-patches

On 2022-09-21 10:58, Magne Hov via Gdb-patches wrote:
> When a source file's dirname is solely made up of directory separators
> we end up trying to dereference the last character of an empty string
> with std::string::back, which results in undefined behaviour. A typical
> use case where this can happen is when the root directory "/" is used as
> a compilation directory.
> 
> With libstdc++.so.6.0.28 we get no out-of-bounds checks and the byte
> preceding the storage of the empty string is returned. The character
> value of this byte depends on heap implementation and usage, but when
> this byte happens to hold the value of the directory separator character
> we go on to call std::string::pop_back on the empty string which results
> in an out_of_range exception which terminates GDB.
> 
> Fix this by using path_join. prepare_path_for_appending ensures that the
> filename component is relative.
> 
> The testsuite has been run before and after the change and no
> regressions were found.
> ---
>  gdb/source.c | 10 +---------
>  1 file changed, 1 insertion(+), 9 deletions(-)
> 
> diff --git a/gdb/source.c b/gdb/source.c
> index 3f498d552c4..25ad1ecb3da 100644
> --- a/gdb/source.c
> +++ b/gdb/source.c
> @@ -1146,15 +1146,7 @@ find_and_open_source (const char *filename,
>  	 helpful if part of the compilation directory was removed,
>  	 e.g. using gcc's -fdebug-prefix-map, and we have added the missing
>  	 prefix to source_path.  */
> -      std::string cdir_filename (dirname);
> -
> -      /* Remove any trailing directory separators.  */
> -      while (IS_DIR_SEPARATOR (cdir_filename.back ()))
> -	cdir_filename.pop_back ();
> -
> -      /* Add our own directory separator.  */
> -      cdir_filename.append (SLASH_STRING);
> -      cdir_filename.append (filename_start);
> +      std::string cdir_filename = path_join (dirname, filename_start);
>  
>        result = openp (path, OPF_SEARCH_IN_PATH | OPF_RETURN_REALPATH,
>  		      cdir_filename.c_str (), OPEN_MODE, fullname);

Thanks, this is OK, nice cleanup.

Simon


* Re: [PATCH v2] gdb/source.c: Fix undefined behaviour dereferencing empty string
  2022-09-21 15:52   ` Simon Marchi
@ 2022-09-22 13:11     ` Magne Hov
  0 siblings, 0 replies; 7+ messages in thread
From: Magne Hov @ 2022-09-22 13:11 UTC (permalink / raw)
  To: Simon Marchi, gdb-patches

On Wed, Sep 21 2022, Simon Marchi wrote:
>>        result = openp (path, OPF_SEARCH_IN_PATH | OPF_RETURN_REALPATH,
>>  		      cdir_filename.c_str (), OPEN_MODE, fullname);
>
> Thanks, this is OK, nice cleanup.

Thanks, I'll push the patch tomorrow morning if no other concerns are raised.

>
> Simon

-- 
Magne Hov | Software Engineer | Direct: +44 7395 395 648 | mhov@undo.io

Undo | Record. Replay. Resolve


* Re: [PATCH v2] gdb/source.c: Fix undefined behaviour dereferencing empty string
  2022-09-21 14:58 ` [PATCH v2] " Magne Hov
  2022-09-21 15:52   ` Simon Marchi
@ 2022-09-24  8:58   ` Magne Hov
  1 sibling, 0 replies; 7+ messages in thread
From: Magne Hov @ 2022-09-24  8:58 UTC (permalink / raw)
  To: gdb-patches

On Wed, Sep 21 2022, Magne Hov wrote:

> When a source file's dirname is solely made up of directory separators
> we end up trying to dereference the last character of an empty string
> with std::string::back, which results in undefined behaviour. A typical
> use case where this can happen is when the root directory "/" is used as
> a compilation directory.
>
> With libstdc++.so.6.0.28 we get no out-of-bounds checks and the byte
> preceding the storage of the empty string is returned. The character
> value of this byte depends on heap implementation and usage, but when
> this byte happens to hold the value of the directory separator character
> we go on to call std::string::pop_back on the empty string which results
> in an out_of_range exception which terminates GDB.
>
> Fix this by using path_join. prepare_path_for_appending ensures that the
> filename component is relative.
>
> The testsuite has been run before and after the change and no
> regressions were found.
> ---
>  gdb/source.c | 10 +---------
>  1 file changed, 1 insertion(+), 9 deletions(-)
>
> diff --git a/gdb/source.c b/gdb/source.c
> index 3f498d552c4..25ad1ecb3da 100644
> --- a/gdb/source.c
> +++ b/gdb/source.c
> @@ -1146,15 +1146,7 @@ find_and_open_source (const char *filename,
>  	 helpful if part of the compilation directory was removed,
>  	 e.g. using gcc's -fdebug-prefix-map, and we have added the missing
>  	 prefix to source_path.  */
> -      std::string cdir_filename (dirname);
> -
> -      /* Remove any trailing directory separators.  */
> -      while (IS_DIR_SEPARATOR (cdir_filename.back ()))
> -	cdir_filename.pop_back ();
> -
> -      /* Add our own directory separator.  */
> -      cdir_filename.append (SLASH_STRING);
> -      cdir_filename.append (filename_start);
> +      std::string cdir_filename = path_join (dirname, filename_start);
>  
>        result = openp (path, OPF_SEARCH_IN_PATH | OPF_RETURN_REALPATH,
>  		      cdir_filename.c_str (), OPEN_MODE, fullname);
> -- 
> 2.25.1
>

This has been pushed now. Thank you all for the review.

-- 
Magne Hov | Software Engineer | Direct: +44 7395 395 648 | mhov@undo.io

Undo | Record. Replay. Resolve

