From: "jeremy.bennett at embecosm dot com"
To: gdb-prs@sourceware.org
Subject: [Bug server/15236] New: gdbserver write to linux memory with zero length corrupts stack
Date: Wed, 06 Mar 2013 15:02:00 -0000
X-SW-Source: 2013-q1/txt/msg00387.txt.bz2

http://sourceware.org/bugzilla/show_bug.cgi?id=15236

             Bug #: 15236
            Summary: gdbserver write to linux memory with zero length
                     corrupts stack
            Product: gdb
            Version: unknown
             Status: NEW
           Severity: normal
           Priority: P2
          Component: server
         AssignedTo: unassigned@sourceware.org
         ReportedBy: jeremy.bennett@embecosm.com
     Classification: Unclassified

The function linux_write_memory () allocates a buffer on the stack to hold a
copy of the data to be written.

    register PTRACE_XFER_TYPE *buffer
      = (PTRACE_XFER_TYPE *) alloca (count * sizeof (PTRACE_XFER_TYPE));

"count" is the number of bytes to be written, rounded up to the nearest
multiple of sizeof (PTRACE_XFER_TYPE), i.e. sizeof (long).

It later uses

    buffer[0] = ptrace (PTRACE_PEEKTEXT, pid, (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);

The problem is that this function can be called to write zero bytes, for
example when receiving an X packet of length 0 (used to test if 8-bit write is
supported). Under these circumstances, count can be zero. Since in this case
buffer[0] may never have been allocated, the stack is corrupted.

Patch to follow...
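The failure mode the report describes, worked through as an added example. This is not the reporter's patch nor gdbserver's own code: it re-implements the read-modify-write that linux_write_memory () performs, over a small constructed array standing in for the inferior's memory, with peek_word/poke_word in place of PTRACE_PEEKTEXT/PTRACE_POKETEXT. The word-count rounding is my reconstruction of the rounding the report describes, and the zero-length early return is an assumed fix of the kind the report says a patch will supply. Rather than perform the out-of-bounds buffer[0] write on a zero-word buffer (undefined behaviour on a real alloca'd frame), the model reports it as an error so the bug is observable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef long PTRACE_XFER_TYPE;
#define WORD (sizeof (PTRACE_XFER_TYPE))

/* Constructed stand-in for the inferior's address space; addresses
   are offsets into this array.  */
static unsigned char target_mem[64];

/* Stand-ins for PTRACE_PEEKTEXT / PTRACE_POKETEXT: whole-word access
   at a word-aligned address (assumption: same granularity as real
   ptrace).  */
static PTRACE_XFER_TYPE
peek_word (uintptr_t addr)
{
  PTRACE_XFER_TYPE w;
  memcpy (&w, target_mem + addr, WORD);
  return w;
}

static void
poke_word (uintptr_t addr, PTRACE_XFER_TYPE w)
{
  memcpy (target_mem + addr, &w, WORD);
}

/* Words needed to cover [memaddr, memaddr + len) after rounding the
   range out to word boundaries (my reconstruction of the rounding the
   report describes).  It is 0 exactly when len == 0 and memaddr is
   word-aligned, which is what gdb's "X0,0:" probe sends.  */
static int
xfer_word_count (uintptr_t memaddr, int len)
{
  uintptr_t addr = memaddr & ~(uintptr_t) (WORD - 1);
  return (int) (((memaddr + len) - addr + WORD - 1) / WORD);
}

/* Model of the read-modify-write in linux_write_memory ().  A fixed
   scratch array stands in for alloca (count * WORD).  Instead of
   performing "buffer[0] = ..." on a zero-word buffer, which on the
   real stack writes past a 0-byte allocation, the model returns -1.
   With guard_zero_len set, the assumed zero-length early return takes
   effect first.  Returns 0 on success, -2 outside the model's range.  */
static int
linux_write_memory_model (uintptr_t memaddr, const unsigned char *myaddr,
                          int len, int guard_zero_len)
{
  PTRACE_XFER_TYPE buffer[8];
  uintptr_t addr = memaddr & ~(uintptr_t) (WORD - 1);
  int count = xfer_word_count (memaddr, len);
  int i;

  if (guard_zero_len && len == 0)
    return 0;           /* a zero-length write always succeeds */

  if (count == 0)
    return -1;          /* buffer[0] would be written on a 0-byte alloca */
  if (count > 8 || addr + count * WORD > sizeof target_mem)
    return -2;          /* outside what this model simulates */

  /* Fill the partial first and last words with existing memory.  */
  buffer[0] = peek_word (addr);
  if (count > 1)
    buffer[count - 1] = peek_word (addr + (count - 1) * WORD);

  /* Overlay the bytes to be written, then write every word back.  */
  memcpy ((char *) buffer + (memaddr & (WORD - 1)), myaddr, len);
  for (i = 0; i < count; i++)
    poke_word (addr + i * WORD, buffer[i]);
  return 0;
}

/* Read one byte of the simulated memory (for inspection).  */
static unsigned char
target_byte (uintptr_t addr)
{
  return target_mem[addr];
}

int
main (void)
{
  static const unsigned char payload[] = "ABCD";   /* constructed input */
  memset (target_mem, 0xEE, sizeof target_mem);

  printf ("X0,0: probe, unguarded: %d\n",
          linux_write_memory_model (0, payload, 0, 0));
  printf ("X0,0: probe, guarded:   %d\n",
          linux_write_memory_model (0, payload, 0, 1));
  printf ("unaligned 4-byte write: %d (words: %d)\n",
          linux_write_memory_model (6, payload, 4, 1), xfer_word_count (6, 4));
  printf ("bytes 5..10: %02x %02x %02x %02x %02x %02x\n",
          target_byte (5), target_byte (6), target_byte (7),
          target_byte (8), target_byte (9), target_byte (10));
  return 0;
}
```

Note that the word count only reaches zero for a word-aligned address; a zero-length write to an unaligned address still rounds out to one word, so the probe packet at address 0 is precisely the case that reaches the bad buffer[0] store. Checking len before anything is allocated, rather than checking count, covers both.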