Date: Thu, 23 Feb 2023 21:14:26 +0000 (GMT)
From: "Maciej W. Rozycki"
To: Simon Marchi, gdb-patches@sourceware.org
cc: Andrew Burgess, Tom Tromey, Richard Bunt
Subject: [PATCH] GDB: Fix out of bounds accesses with limited-length values

Fix accesses to limited-length values in `contents_copy_raw' and
`contents_copy_raw_bitwise' so that they observe the limit of the
original allocation.

Reported by Simon Marchi as a heap-buffer-overflow AddressSanitizer
issue triggered with gdb.ada/limited-length.exp.
---
Hi,

 Verified to remove the original issue and not to cause any regressions
with and w/o AddressSanitizer and native `x86_64-linux-gnu'.  OK to
apply?

  Maciej
---
 gdb/value.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

gdb-limited-length-array-value-contents-copy-fix.diff
Index: src/gdb/value.c
===================================================================
--- src.orig/gdb/value.c
+++ src/gdb/value.c
@@ -1168,6 +1168,11 @@ value::contents_copy_raw (struct value * mean we'd be copying garbage. */ gdb_assert (!dst->m_lazy && !m_lazy); + ULONGEST copy_length = length; + ULONGEST limit = m_limited_length; + if (limit > 0 && src_offset + length > limit) + copy_length = src_offset > limit ? 0 : limit - src_offset; + /* The overwritten DST range gets unavailability ORed in, not replaced. Make sure to remember to implement replacing if it turns out actually necessary. */ @@ -1178,10 +1183,10 @@ value::contents_copy_raw (struct value * /* Copy the data. */ gdb::array_view dst_contents = dst->contents_all_raw ().slice (dst_offset * unit_size, - length * unit_size); + copy_length * unit_size); gdb::array_view src_contents = contents_all_raw ().slice (src_offset * unit_size, - length * unit_size); + copy_length * unit_size); gdb::copy (src_contents, dst_contents); /* Copy the meta-data, adjusted. */ @@ -1206,6 +1211,12 @@ value::contents_copy_raw_bitwise (struct mean we'd be copying garbage. */ gdb_assert (!dst->m_lazy && !m_lazy); + ULONGEST copy_bit_length = bit_length; + ULONGEST bit_limit = m_limited_length * TARGET_CHAR_BIT; + if (bit_limit > 0 && src_bit_offset + bit_length > bit_limit) + copy_bit_length = (src_bit_offset > bit_limit ? 0 + : bit_limit - src_bit_offset); + /* The overwritten DST range gets unavailability ORed in, not replaced. Make sure to remember to implement replacing if it turns out actually necessary. */ @@ -1220,7 +1231,7 @@ value::contents_copy_raw_bitwise (struct gdb::array_view src_contents = contents_all_raw (); copy_bitwise (dst_contents.data (), dst_bit_offset, src_contents.data (), src_bit_offset, - bit_length, + copy_bit_length, type_byte_order (type ()) == BFD_ENDIAN_BIG); /* Copy the meta-data. */
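Review bot: the new clamp block in `value::contents_copy_raw` (hunk at -1168) carries no comment explaining why the copy is silently truncated instead of asserted on; a one-line note above `ULONGEST copy_length = length;` saying that a limited-length value only has `m_limited_length` bytes allocated, so any read past it is an out-of-bounds access, would make the intent clear to the next reader. The `limit > 0` guard is doing double duty as "this value is not limited-length", which is also worth spelling out.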
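Review bot: in the slicing hunk (at -1178) both the DST and SRC slices are shortened to `copy_length`, but the clamp only consulted this value's `m_limited_length`, never `dst->m_limited_length`; if DST can itself be a limited-length value the DST slice can still run past its allocation. Either clamp against both limits or add a `gdb_assert` that DST is not limited-length. Separately, when `copy_length < length` the tail of the DST range is now left untouched, yet the unchanged "Copy the meta-data, adjusted" step below the hunk still appears to operate on the full `length`; please confirm the availability ranges do not end up claiming bytes that were never copied.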
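Review bot: the clamp added to `value::contents_copy_raw_bitwise` (hunk at -1206) is the same computation as the byte-level one a few lines up, only scaled by `TARGET_CHAR_BIT`, and the two are already written slightly differently (one a bare ternary, the other parenthesised over two lines). Factoring it into a small helper taking `(offset, length, limit)` and calling it from both places would keep the two paths from drifting apart the next time one of them is touched.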
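Review bot: with the `copy_bitwise` call (hunk at -1220) now receiving `copy_bit_length`, the argument can legitimately be 0 when `src_bit_offset` is at or beyond `bit_limit`; please confirm `copy_bitwise` accepts a zero bit count without touching either buffer. The commit message cites gdb.ada/limited-length.exp as the reproducer but does not say whether that test reaches the bitwise path as well as the byte path, so it would help to state which of the two the AddressSanitizer report came from, or to add coverage for the other.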