public inbox for gdb-patches@sourceware.org
From: "Maciej W. Rozycki" <macro@embecosm.com>
To: Simon Marchi <simark@simark.ca>, gdb-patches@sourceware.org
Cc: Andrew Burgess <aburgess@redhat.com>, Tom Tromey <tom@tromey.com>,
	 Richard Bunt <Richard.Bunt@arm.com>
Subject: [PATCH] GDB: Fix out of bounds accesses with limited-length values
Date: Thu, 23 Feb 2023 21:14:26 +0000 (GMT)	[thread overview]
Message-ID: <alpine.DEB.2.20.2302231218190.15477@tpp.orcam.me.uk> (raw)

Fix accesses to limited-length values in `contents_copy_raw' and 
`contents_copy_raw_bitwise' so that they observe the limit of the 
original allocation.

Reported by Simon Marchi as a heap-buffer-overflow AddressSanitizer 
issue triggered with gdb.ada/limited-length.exp.
---
Hi,

 Verified to remove the original issue and not to cause any regressions
with and w/o AddressSanitizer and native `x86_64-linux-gnu'.  OK to apply?

  Maciej
---
 gdb/value.c |   17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

gdb-limited-length-array-value-contents-copy-fix.diff
Index: src/gdb/value.c
===================================================================
--- src.orig/gdb/value.c
+++ src/gdb/value.c
@@ -1168,6 +1168,11 @@ value::contents_copy_raw (struct value *
      mean we'd be copying garbage.  */
   gdb_assert (!dst->m_lazy && !m_lazy);
 
+  ULONGEST copy_length = length;
+  ULONGEST limit = m_limited_length;
+  if (limit > 0 && src_offset + length > limit)
+    copy_length = src_offset > limit ? 0 : limit - src_offset;
+
   /* The overwritten DST range gets unavailability ORed in, not
      replaced.  Make sure to remember to implement replacing if it
      turns out actually necessary.  */
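Review bot: the clamp added at the top of this hunk consults only the source value's `m_limited_length`; `dst->m_limited_length` is never looked at, so a limited-length DST whose allocation ends before `dst_offset + copy_length` would still be written past its end by the copy that follows. Either clamp against both limits or `gdb_assert` that DST is not limited. The three-line clamp also deserves a comment stating that `limit == 0` means "not limited" and that the DST bytes past the source's limit are intentionally left unwritten, since neither is obvious from the code.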
@@ -1178,10 +1183,10 @@ value::contents_copy_raw (struct value *
   /* Copy the data.  */
   gdb::array_view<gdb_byte> dst_contents
     = dst->contents_all_raw ().slice (dst_offset * unit_size,
-					  length * unit_size);
+				      copy_length * unit_size);
   gdb::array_view<const gdb_byte> src_contents
     = contents_all_raw ().slice (src_offset * unit_size,
-				 length * unit_size);
+				 copy_length * unit_size);
   gdb::copy (src_contents, dst_contents);
 
   /* Copy the meta-data, adjusted.  */
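Review bot: only the data copy is shortened to `copy_length`; the unavailability OR-in described in the comment above and the "Copy the meta-data, adjusted" step that follows are unchanged and still operate on the full `length`. If that is intended (the DST tail beyond the source's limit should read as unavailable rather than as stale bytes), say so in a comment; if the meta-data copy indexes the source by `length` as well, it needs the same clamp or it will read past the limited allocation just as the data copy did.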
@@ -1206,6 +1211,12 @@ value::contents_copy_raw_bitwise (struct
      mean we'd be copying garbage.  */
   gdb_assert (!dst->m_lazy && !m_lazy);
 
+  ULONGEST copy_bit_length = bit_length;
+  ULONGEST bit_limit = m_limited_length * TARGET_CHAR_BIT;
+  if (bit_limit > 0 && src_bit_offset + bit_length > bit_limit)
+    copy_bit_length = (src_bit_offset > bit_limit ? 0
+		       : bit_limit - src_bit_offset);
+
   /* The overwritten DST range gets unavailability ORed in, not
      replaced.  Make sure to remember to implement replacing if it
      turns out actually necessary.  */
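Review bot: this is the byte clamp from `contents_copy_raw` duplicated in bit units, including the `limit > 0` sentinel. Factor it into one small helper taking offset, length and limit and call it from both functions, so the two copies of the logic cannot drift apart. Since `bit_limit` is `m_limited_length * TARGET_CHAR_BIT`, the limit always falls on a byte boundary, which is worth a comment because it is what makes the clamped `copy_bit_length` safe for `copy_bitwise`.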
@@ -1220,7 +1231,7 @@ value::contents_copy_raw_bitwise (struct
   gdb::array_view<const gdb_byte> src_contents = contents_all_raw ();
   copy_bitwise (dst_contents.data (), dst_bit_offset,
 		src_contents.data (), src_bit_offset,
-		bit_length,
+		copy_bit_length,
 		type_byte_order (type ()) == BFD_ENDIAN_BIG);
 
   /* Copy the meta-data.  */
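Review bot: `copy_bitwise` now reads at most `copy_bit_length` bits of the source, but the "Copy the meta-data" step right after it is unchanged, so the same question as in `contents_copy_raw` applies here: is meta-data for the bits past `bit_limit` meant to be copied for the full `bit_length`, and does that copy index the source safely? The commit message cites gdb.ada/limited-length.exp as the reproducer without saying whether it exercises this bitwise path; if it does not, add a case that does, otherwise this clamp has no test coverage.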

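The clamp the patch adds, taken out of GDB and written as a stand-alone C illustration (this is an added example, not GDB's code): a value whose type says it is 16 bytes long is backed by an 8-byte allocation, exactly the situation that produced the AddressSanitizer report. `limited_copy_length` is a hypothetical helper that mirrors the patch's logic, with one deliberate difference: it compares `length` against `limit - src_offset` instead of forming `src_offset + length`, so the check cannot wrap. It assumes, as the patch's `limit > 0` test does, that a limit of zero means "not limited".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper mirroring the patch's clamp.  LIMIT == 0 means the
   value is not limited (an assumption about GDB's m_limited_length).  */
static uint64_t
limited_copy_length (uint64_t src_offset, uint64_t length, uint64_t limit)
{
  if (limit == 0)
    return length;
  /* Compare without computing src_offset + length, which could wrap.  */
  if (src_offset >= limit)
    return 0;
  if (length > limit - src_offset)
    return limit - src_offset;
  return length;
}

/* Toy model of a limited-length value: the type claims TYPE_LENGTH bytes
   but only LIMIT bytes of CONTENTS were actually allocated.  */
struct limited_value
{
  size_t type_length;      /* what the type says the value is */
  size_t limit;            /* bytes actually allocated, 0 = all */
  unsigned char *contents;
};

/* Copy LENGTH bytes of SRC from SRC_OFFSET into DST at DST_OFFSET, never
   reading past SRC's allocation.  Returns the number of bytes copied; the
   tail of the requested DST range is left untouched, as in the patch.  */
static size_t
contents_copy_limited (const struct limited_value *src, size_t src_offset,
                       unsigned char *dst, size_t dst_offset, size_t length)
{
  size_t n = (size_t) limited_copy_length (src_offset, length, src->limit);
  memcpy (dst + dst_offset, src->contents + src_offset, n);
  return n;
}

/* Constructed input: a 16-byte type backed by 8 allocated bytes.  Returns
   1 when the copy stops at the allocation and leaves the DST tail alone.  */
static int
demo_tail_untouched (void)
{
  unsigned char backing[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
  struct limited_value v = { 16, sizeof backing, backing };
  unsigned char dst[16];
  memset (dst, 0xee, sizeof dst);

  /* The unclamped equivalent would memcpy 16 bytes out of an 8-byte
     buffer: the heap-buffer-overflow ASan reported.  */
  size_t n = contents_copy_limited (&v, 0, dst, 0, v.type_length);
  return n == 8 && dst[7] == 8 && dst[8] == 0xee;
}

int
main (void)
{
  printf ("clamped copy ok: %d\n", demo_tail_untouched ());
  return 0;
}
```

The edge cases worth checking against the patch are an offset equal to the limit (zero bytes, not a negative length), an offset beyond the limit, and a request that starts inside the allocation and runs past it.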
Thread overview: 3+ messages
2023-02-23 21:14 Maciej W. Rozycki [this message]
2023-02-23 21:34 ` Simon Marchi
2023-02-24 12:39   ` Maciej W. Rozycki