public inbox for gdb-prs@sourceware.org
* [Bug server/15236] New: gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 15:02 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

             Bug #: 15236
           Summary: gdbserver write to linux memory with zero length
                    corrupts stack
           Product: gdb
           Version: unknown
            Status: NEW
          Severity: normal
          Priority: P2
         Component: server
        AssignedTo: unassigned@sourceware.org
        ReportedBy: jeremy.bennett@embecosm.com
    Classification: Unclassified


The function linux_write_memory () allocates a buffer on the stack to hold a
copy of the data to be written.

  register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
    alloca (count * sizeof (PTRACE_XFER_TYPE));

"count" is the number of bytes to be written, rounded up to the nearest
multiple of sizeof (PTRACE_XFER_TYPE). I.e. sizeof (long). It later uses 

  buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
                      (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);

The problem is that this function can be called to write zero bytes, for
example when receiving an X packet of length 0 (used to test if 8-bit write is
supported). Under these circumstances, count can be zero.

Since in this case, buffer[0] may never have been allocated, the stack is
corrupted.

Patch to follow...

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 15:03 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

jeremy.bennett at embecosm dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeremy.bennett at embecosm
                   |                            |dot com
            Version|unknown                     |HEAD




* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 15:42 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

--- Comment #1 from jeremy.bennett at embecosm dot com 2013-03-06 15:42:14 UTC ---
Created attachment 6918
  --> http://sourceware.org/bugzilla/attachment.cgi?id=6918
Patch to fix the problem

The attached patch returns successfully early if len = 0, before any stack
corruption can occur.




* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: tromey at redhat dot com @ 2013-03-06 16:45 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

Tom Tromey <tromey at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tromey at redhat dot com

--- Comment #2 from Tom Tromey <tromey at redhat dot com> 2013-03-06 16:45:42 UTC ---
The best way to get a patch reviewed & committed is to
send it to the mailing list.  See the contribution instructions --
http://sourceware.org/gdb/contribute/




* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: jeremy.bennett at embecosm dot com @ 2013-03-06 18:04 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

--- Comment #3 from jeremy.bennett at embecosm dot com 2013-03-06 18:04:28 UTC ---
Thanks Tom - patch submitted to the mailing list.




* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: cvs-commit at gcc dot gnu.org @ 2013-03-07  9:48 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> 2013-03-07 09:48:05 UTC ---
CVSROOT:    /cvs/src
Module name:    src
Changes by:    palves@sourceware.org    2013-03-07 09:47:58

Modified files:
    gdb/gdbserver  : ChangeLog linux-low.c 

Log message:
    PR gdb/15236: gdbserver write to linux memory with zero length corrupts stack

    PROBLEM:

    The function linux_write_memory () in linux-low.c allocates a buffer
    on the stack to hold a copy of the data to be written.

    register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
      alloca (count * sizeof (PTRACE_XFER_TYPE));

    "count" is the number of bytes to be written, rounded up to the
    nearest multiple of sizeof (PTRACE_XFER_TYPE) and allowing for not
    being an aligned address. The function later uses

    buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
                        (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);

    The problem is that this function can be called to write zero bytes on
    an aligned address, for example when receiving an X packet of length 0
    (used to test if 8-bit write is supported). Under these circumstances,
    count can be zero.

    Since in this case, buffer[0] may never have been allocated, the stack
    is corrupted and gdbserver may crash.

    SOLUTION:

    Writing zero bytes should always succeed. The patch below returns
    successfully early if the length is zero, so avoiding the stack
    corruption.

    Verified on the ARC GDB 7.5.1 port.

    2013-03-07  Jeremy Bennett  <jeremy.bennett@embecosm.com>

    PR server/15236

    * linux-low.c (linux_write_memory): Return early success if LEN is
    zero.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/ChangeLog.diff?cvsroot=src&r1=1.690&r2=1.691
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/linux-low.c.diff?cvsroot=src&r1=1.231&r2=1.232

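The bug report and the commit message above describe the same mechanism: the word count is derived from the rounded start and end addresses, so an aligned zero-length write yields count == 0, alloca (0) is called, and the unconditional buffer[0] store lands outside the allocation. The following is an added model of that arithmetic written for this page (not gdbserver's code); word_count, first_word_overflows and write_memory_fixed are hypothetical names, the rounding follows the wording in the commit message, and a plain long stands in for PTRACE_XFER_TYPE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for PTRACE_XFER_TYPE (assumption: a machine word).  */
typedef long xfer_word;
#define WORD (sizeof (xfer_word))

/* Number of words covering [memaddr, memaddr + len), as the commit
   message describes it: start rounded down to a word boundary, end
   rounded up.  Zero only when len == 0 and memaddr is aligned.  */
size_t word_count (uint64_t memaddr, size_t len)
{
  uint64_t addr = memaddr & ~(uint64_t) (WORD - 1);   /* round down */
  return (((memaddr + len) - addr) + WORD - 1) / WORD; /* round up   */
}

/* The buggy shape: alloca (count * WORD) followed by an unconditional
   buffer[0] = ptrace (PTRACE_PEEKTEXT, ...).  Returns 1 when that
   first-word store would fall outside the allocation.  Computed, not
   performed, so this model never corrupts its own stack.  */
int first_word_overflows (uint64_t memaddr, size_t len)
{
  return word_count (memaddr, len) * WORD < WORD;
}

/* The thread's fix: a zero-length write succeeds before any buffer is
   allocated.  Returns 0 for success, -1 if the overflowing path were
   ever reached (it cannot be once len > 0).  */
int write_memory_fixed (uint64_t memaddr, size_t len)
{
  if (len == 0)
    return 0;                       /* early success, nothing to copy */
  if (first_word_overflows (memaddr, len))
    return -1;
  return 0;                         /* real code would copy and POKETEXT */
}

int main (void)
{
  /* Constructed sample: an aligned address and an unaligned one.  */
  printf ("aligned, len 0:   count=%zu overflow=%d fixed=%d\n",
          word_count (0x1000, 0), first_word_overflows (0x1000, 0),
          write_memory_fixed (0x1000, 0));
  printf ("unaligned, len 0: count=%zu overflow=%d fixed=%d\n",
          word_count (0x1001, 0), first_word_overflows (0x1001, 0),
          write_memory_fixed (0x1001, 0));
  return 0;
}
```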



* [Bug server/15236] gdbserver write to linux memory with zero length corrupts stack
From: palves at redhat dot com @ 2013-03-07  9:57 UTC (permalink / raw)
  To: gdb-prs

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

Pedro Alves <palves at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |palves at redhat dot com
         Resolution|                            |FIXED
   Target Milestone|---                         |7.6

--- Comment #5 from Pedro Alves <palves at redhat dot com> 2013-03-07 09:57:31 UTC ---
Patch checked in.


