From: "fredrik.hederstierna@securitas-direct.com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug cli/14011] New: GDB uses strcpy() with undefined behaviour, causing bug in CLI cd_command().
Date: Mon, 23 Apr 2012 09:29:00 -0000
Message-ID: <bug-14011-4717@http.sourceware.org/bugzilla/>

http://sourceware.org/bugzilla/show_bug.cgi?id=14011

Bug #: 14011
Summary: GDB uses strcpy() with undefined behaviour, causing bug in CLI cd_command().
Product: gdb
Version: 7.4
Status: NEW
Severity: normal
Priority: P2
Component: cli
AssignedTo: unassigned@sourceware.org
ReportedBy: fredrik.hederstierna@securitas-direct.com
Classification: Unclassified

The C standard states that the behavior of strcpy() is undefined when the source and destination objects overlap. Undefined behavior means it may work sometimes, or it may fail, or it may appear to succeed but manifest failure elsewhere in the program.

I got a failure running arm-elf-gdb-4.7.0 (compiled with GCC-4.6.1-9ubuntu3) with the arguments

  arm-elf-gdb --cd=../../build/sniffer2/ sniffer2.elf
  ...
  Reading symbols from /home/fredrikh/workspace/buile/sniffer2/sniffer2.elf...done.
  (gdb)

Note that the letter 'd' in 'build' is overwritten with the letter 'e' in current_path. The path to 'buile' is non-existent, causing an error.

I tracked it down to the cd_command() function in the CLI, which was causing the bug. It seems like the code is doing strcpy() on overlapping regions to eliminate ".." paths, causing undefined behaviour. GDB corrupted the dir-path, replacing one letter.

The standard solution is to replace strcpy() with memmove(), and I submit a proposed patch that fixed the bug.
Index: gdb/cli/cli-cmds.c
===================================================================
RCS file: /cvs/src/src/gdb/cli/cli-cmds.c,v
retrieving revision 1.128
diff -r1.128 cli-cmds.c
420c420
< strcpy (p, p + 2);
---
> memmove(p, p + 2, strlen(p + 2) + 1);
439c439
< strcpy (q - 1, p + 3);
---
> memmove(q - 1, p + 3, strlen(p + 3) + 1);

I fear though that there might be more cases in the sources where strcpy() is used this way. Maybe it's a good idea to grep for 'strcpy' and check that all uses are safe and non-overlapping.

Another idea is to use a custom gdb_strcpy() instead, which we know always copies from left to right, so that we do define the behaviour in the overlapping case. Though it is a danger to have dependencies on the external C-lib implementation of string functions.

Thanks & Best Regards,
Fredrik Hederstierna
Securitas Direct AB
Malmoe Sweden

--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
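Review bot: both replacement lines (420 and 439) drop the space before the opening parenthesis that the surrounding code uses (`strcpy (p, p + 2)` becomes `memmove(p, p + 2, ...)`); GNU style wants `memmove (p, p + 2, strlen (p + 2) + 1);` and `memmove (q - 1, p + 3, strlen (p + 3) + 1);`. The length arguments themselves are right: `strlen (p + 2) + 1` and `strlen (p + 3) + 1` include the terminating NUL, so the tail and its terminator move together and the result stays a valid C string. The patch is also a normal-format diff keyed to line numbers 420 and 439 with no surrounding context, so it applies cleanly only at revision 1.128; a unified diff (`cvs diff -u`) with a ChangeLog entry is the form the maintainers will want.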
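The overlapping-copy problem the report describes, as an added example that is not part of the bug report and is not GDB's cd_command(): a path-cleaning loop of the same shape (strip "/." components and "name/.." pairs in place) written fresh for this page, with every in-place deletion done through memmove() so that the overlap is defined. The function names (erase_bytes, collapse_dots, check_collapse) and the sample path are assumptions constructed for the example; the sample only mirrors the shape of the reporter's --cd=../../build/sniffer2/ case.

```c
#include <stdio.h>
#include <string.h>

/* Delete n bytes at p by sliding the rest of the string, including its
 * terminating NUL, to the left.  Source and destination overlap, so only
 * memmove() is defined here; strcpy()/memcpy() on overlapping objects is
 * undefined behaviour, which is exactly what the report above hit. */
static void erase_bytes(char *p, size_t n)
{
    memmove(p, p + n, strlen(p + n) + 1);   /* +1 moves the NUL as well */
}

/* Collapse "/." and "name/.." components of a Unix path in place.
 * Example code for this page, not GDB's cd_command(); it follows the
 * same loop shape the report describes.  Returns the number of
 * components removed. */
int collapse_dots(char *path)
{
    int removed = 0;
    int found_real = 0;   /* have we passed a component other than ".."? */
    char *p = path;

    while (*p) {
        if (p[0] == '/' && p[1] == '.' && (p[2] == '\0' || p[2] == '/')) {
            erase_bytes(p, 2);                 /* "/." -> "" */
            removed++;
        } else if (p[0] == '/' && p[1] == '.' && p[2] == '.'
                   && (p[3] == '\0' || p[3] == '/')) {
            char *q = p;
            if (!found_real) {                 /* leading "/.." has no parent */
                p += 3;
                continue;
            }
            while (q != path && q[-1] != '/')  /* back to the start of "name" */
                q--;
            if (q == path) {                   /* relative path: leave it alone */
                p++;
                continue;
            }
            /* Drop "/name/..": destination q - 1 lies inside the source. */
            erase_bytes(q - 1, (size_t)(p + 3 - (q - 1)));
            p = q - 1;
            removed++;
        } else {
            found_real = 1;
            p++;
        }
    }
    return removed;
}

/* Copy in into a scratch buffer, collapse it and compare with expected.
 * Returns the number of components removed on a match, -1 on mismatch
 * or if in does not fit in the buffer. */
int check_collapse(const char *in, const char *expected)
{
    char buf[256];
    int removed;

    if (strlen(in) >= sizeof buf)
        return -1;
    strcpy(buf, in);          /* distinct objects: strcpy is fine here */
    removed = collapse_dots(buf);
    return strcmp(buf, expected) == 0 ? removed : -1;
}

int main(void)
{
    /* Constructed path of the shape in the report: a working directory
     * two levels below workspace/ followed by --cd=../../build/sniffer2/. */
    char path[] = "/home/fredrikh/workspace/src/gdb/../../build/sniffer2/";
    int n = collapse_dots(path);

    printf("%s (%d components removed)\n", path, n);
    return 0;
}
```

The one-line erase_bytes() is the whole fix: it is the same call shape as the proposed patch, and the length argument deliberately counts the terminator. Building with `-fsanitize=address` or running under valgrind will not flag an overlapping strcpy() unless the libc happens to implement it in a way that corrupts the buffer, which is why the reporter's single wrong letter is the typical symptom rather than a crash.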
Thread overview: 5+ messages
2012-04-23  9:29 fredrik.hederstierna@securitas-direct.com [this message]
2012-04-23 10:42 ` [Bug cli/14011] " fredrik.hederstierna@securitas-direct.com
2012-04-24 15:14 ` qiyao at gcc dot gnu.org
2012-04-25 10:37 ` fredrik.hederstierna@securitas-direct.com
2012-06-01 17:58 ` tromey at redhat dot com