public inbox for gdb-prs@sourceware.org
* [Bug server/15236] New: gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 15:02 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
Bug #: 15236
Summary: gdbserver write to linux memory with zero length
corrupts stack
Product: gdb
Version: unknown
Status: NEW
Severity: normal
Priority: P2
Component: server
AssignedTo: unassigned@sourceware.org
ReportedBy: jeremy.bennett@embecosm.com
Classification: Unclassified
The function linux_write_memory () allocates a buffer on the stack to hold a
copy of the data to be written.
register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
  alloca (count * sizeof (PTRACE_XFER_TYPE));
"count" is the number of bytes to be written, rounded up to the nearest
multiple of sizeof (PTRACE_XFER_TYPE). I.e. sizeof (long). It later uses
buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
                    (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);
The problem is that this function can be called to write zero bytes, for
example when receiving an X packet of length 0 (used to test if 8-bit write is
supported). Under these circumstances, count can be zero.
Since in this case, buffer[0] may never have been allocated, the stack is
corrupted.
Patch to follow...
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 15:03 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
jeremy.bennett at embecosm dot com changed:
What            | Removed | Added
----------------|---------|-----------------------------------
CC              |         | jeremy.bennett at embecosm dot com
Version         | unknown | HEAD
* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 15:42 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
--- Comment #1 from jeremy.bennett at embecosm dot com 2013-03-06 15:42:14 UTC ---
Created attachment 6918
--> http://sourceware.org/bugzilla/attachment.cgi?id=6918
Patch to fix the problem
The attached patch returns successfully early if len = 0, before any stack
corruption can occur.
* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: tromey at redhat dot com @ 2013-03-06 16:45 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
Tom Tromey <tromey at redhat dot com> changed:
What            | Removed | Added
----------------|---------|-----------------------------------
CC              |         | tromey at redhat dot com
--- Comment #2 from Tom Tromey <tromey at redhat dot com> 2013-03-06 16:45:42 UTC ---
The best way to get a patch reviewed & committed is to
send it to the mailing list. See the contribution instructions --
http://sourceware.org/gdb/contribute/
* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 18:04 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
--- Comment #3 from jeremy.bennett at embecosm dot com 2013-03-06 18:04:28 UTC ---
Thanks Tom - patch submitted to the mailing list.
* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: cvs-commit at gcc dot gnu.org @ 2013-03-07 9:48 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> 2013-03-07 09:48:05 UTC ---
CVSROOT: /cvs/src
Module name: src
Changes by: palves@sourceware.org 2013-03-07 09:47:58
Modified files:
gdb/gdbserver : ChangeLog linux-low.c
Log message:
PR gdb/15236: gdbserver write to linux memory with zero length corrupts
stack
PROBLEM:
The function linux_write_memory () in linux-low.c allocates a buffer
on the stack to hold a copy of the data to be written.
register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
  alloca (count * sizeof (PTRACE_XFER_TYPE));
"count" is the number of bytes to be written, rounded up to the
nearest multiple of sizeof (PTRACE_XFER_TYPE) and allowing for not
being an aligned address. The function later uses
buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
                    (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);
The problem is that this function can be called to write zero bytes on
an aligned address, for example when receiving an X packet of length 0
(used to test if 8-bit write is supported). Under these circumstances,
count can be zero.
Since in this case, buffer[0] may never have been allocated, the stack
is corrupted and gdbserver may crash.
SOLUTION:
Writing zero bytes should always succeed. The patch below returns
successfully early if the length is zero, so avoiding the stack
corruption.
Verified on the ARC GDB 7.5.1 port.
2013-03-07 Jeremy Bennett <jeremy.bennett@embecosm.com>
PR server/15236
* linux-low.c (linux_write_memory): Return early success if LEN is
zero.
Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/ChangeLog.diff?cvsroot=src&r1=1.690&r2=1.691
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/linux-low.c.diff?cvsroot=src&r1=1.231&r2=1.232
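A constructed C model of the defect described in the original report and restated in the commit message above. This is added example code, not code from gdb or gdbserver: the inferior is a local byte array, peek_word/poke_word stand in for PTRACE_PEEKTEXT/PTRACE_POKETEXT, and the names word_count, write_memory, reset_inferior and inferior_byte are assumptions for this example. It shows why the crash is specific to an aligned address: with the start rounded down and the end rounded up, a zero-length write at an aligned address yields count == 0, so the old code's buffer[0] store lands beyond a zero-sized allocation, whereas an unaligned zero-length write yields count == 1. write_memory applies the shape of the fix (return success before anything is allocated when the length is zero).

```c
/* Model of the zero-length write defect from PR server/15236.
   Constructed example: target memory is a local byte array and the
   ptrace peek/poke calls are replaced by helpers over that array.  */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long xfer_t;             /* stands in for PTRACE_XFER_TYPE */
#define XFER_SIZE (sizeof (xfer_t))

#define INFERIOR_SIZE 64
static unsigned char inferior[INFERIOR_SIZE];   /* constructed inferior memory */

/* Simulated PTRACE_PEEKTEXT: read one aligned word of the inferior.  */
static xfer_t peek_word (uint64_t addr)
{
  xfer_t w;
  memcpy (&w, inferior + addr, XFER_SIZE);
  return w;
}

/* Simulated PTRACE_POKETEXT: write one aligned word of the inferior.  */
static void poke_word (uint64_t addr, xfer_t w)
{
  memcpy (inferior + addr, &w, XFER_SIZE);
}

/* Number of words covering [memaddr, memaddr + len): start rounded down
   to a word boundary, end rounded up.  This is the arithmetic the report
   describes; it is 0 for len == 0 at an aligned address.  */
int word_count (uint64_t memaddr, size_t len)
{
  uint64_t addr = memaddr & ~(uint64_t) (XFER_SIZE - 1);
  return (int) (((memaddr + len) - addr + XFER_SIZE - 1) / XFER_SIZE);
}

/* Hardened write in the shape of the thread's fix: a zero-length write
   succeeds before any buffer exists.  Returns 0 on success, -1 if the
   rounded range falls outside the simulated inferior.  */
int write_memory (uint64_t memaddr, const unsigned char *myaddr, size_t len)
{
  if (len == 0)
    return 0;                        /* zero-length write always succeeds */

  uint64_t addr = memaddr & ~(uint64_t) (XFER_SIZE - 1);
  int count = word_count (memaddr, len);
  if (addr + (uint64_t) count * XFER_SIZE > INFERIOR_SIZE)
    return -1;

  /* Without the check above, count could be 0 here and the buffer[0]
     store below would write past a zero-sized allocation (the original
     used alloca; malloc is used here so the model runs unchanged).  */
  xfer_t *buffer = malloc (count * XFER_SIZE);
  if (buffer == NULL)
    return -1;

  /* Keep the bytes around the requested range in the first/last word.  */
  buffer[0] = peek_word (addr);
  if (count > 1)
    buffer[count - 1] = peek_word (addr + (count - 1) * XFER_SIZE);

  /* Overlay the caller's bytes at their offset within the first word.  */
  memcpy ((unsigned char *) buffer + (memaddr & (XFER_SIZE - 1)), myaddr, len);

  for (int i = 0; i < count; i++)
    poke_word (addr + i * XFER_SIZE, buffer[i]);

  free (buffer);
  return 0;
}

/* Test helpers: reset and inspect the simulated inferior.  */
void reset_inferior (unsigned char fill) { memset (inferior, fill, sizeof inferior); }
unsigned char inferior_byte (uint64_t addr) { return inferior[addr]; }

int main (void)
{
  reset_inferior (0xAA);
  printf ("word_count(0x10, 0) = %d (aligned, len 0: buffer would be empty)\n",
          word_count (0x10, 0));
  printf ("word_count(0x11, 0) = %d (unaligned, len 0)\n", word_count (0x11, 0));
  unsigned char data[3] = { 1, 2, 3 };
  printf ("write 3 bytes at 0x13 -> %d\n", write_memory (0x13, data, 3));
  printf ("write 0 bytes at 0x10 -> %d\n", write_memory (0x10, NULL, 0));
  return 0;
}
```

The bounds check on the rounded range is an addition of the model (the real function hands the addresses to ptrace); the interesting line is the early return, which must sit before the allocation to avoid the defect rather than after it.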
* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: palves at redhat dot com @ 2013-03-07 9:57 UTC (permalink / raw)
To: gdb-prs
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
Pedro Alves <palves at redhat dot com> changed:
What            | Removed | Added
----------------|---------|-----------------------------------
Status          | NEW     | RESOLVED
CC              |         | palves at redhat dot com
Resolution      |         | FIXED
Target Milestone| ---     | 7.6
--- Comment #5 from Pedro Alves <palves at redhat dot com> 2013-03-07 09:57:31 UTC ---
Patch checked in.