From mboxrd@z Thu Jan 1 00:00:00 1970
From: "simark at simark dot ca"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/26835] New: undefined behavior in arm_analyze_prologue: shift exponent 32 is too large for 32-bit type 'unsigned int'
Date: Tue, 03 Nov 2020 17:17:13 +0000
Message-ID:
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: http://sourceware.org/bugzilla/

https://sourceware.org/bugzilla/show_bug.cgi?id=26835

            Bug ID: 26835
           Summary: undefined behavior in arm_analyze_prologue: shift
                    exponent 32 is too large for 32-bit type 'unsigned int'
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: simark at simark dot ca
  Target Milestone: ---

See instructions to reproduce here:
https://sourceware.org/bugzilla/show_bug.cgi?id=26828#c6

I have a patch that fixes it (though it needs to be tested a bit more
thoroughly), but it lacks a test.  Ideally, we should have the equivalent
of aarch64_analyze_prologue_test, but for ARM.
That requires a bit of refactoring of the classes that abstract memory reading in arm-tdep.c, and I don't have time for that right now. So I'm putting the patch here in case somebody wants to pick it up.

>>From 48596638d1998a3abcde5a4b7f5369032f9ea08b Mon Sep 17 00:00:00 2001 From: Simon Marchi Date: Tue, 3 Nov 2020 12:13:36 -0500 Subject: [PATCH] gdb/arm: avoid undefined behavior shift when decoding immediate value Change-Id: Ieb1c1799bd66f8c7421384f44f5c2777b578ff8d --- gdb/arm-tdep.c | 39 +++++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 12 deletions(-) diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c index 82e8ec4df49c..ab286eb41a57 100644 --- a/gdb/arm-tdep.c +++ b/gdb/arm-tdep.c @@ -1485,6 +1485,25 @@ arm_instruction_restores_sp (unsigned int insn) return 0; } +/* Implement immediate value decoding, as described in section A5.2.4 + (Modified immediate constants in ARM instructions) of the ARM Architect= ure + Reference Manual. */ + +static uint32_t +arm_expand_immediate (uint32_t imm) +{ + gdb_assert ((imm & 0xfffff000) =3D=3D 0); + + uint32_t unrotated_value =3D imm & 0xff; + uint32_t rotate_amount =3D (imm & 0xf00) >> 7; + + if (rotate_amount =3D=3D 0) + return unrotated_value; + + return ((unrotated_value >> rotate_amount) + | (unrotated_value << (32 - rotate_amount))); +} + /* Analyze an ARM mode prologue starting at PROLOGUE_START and continuing no further than PROLOGUE_END. If CACHE is non-NULL, fill it in. Return the first address not recognized as a prologue 
@@ -1535,20 +1554,18 @@ arm_analyze_prologue (struct gdbarch *gdbarch, else if ((insn & 0xfff00000) =3D=3D 0xe2800000 /* add Rd, Rn, = #n */ && pv_is_register (regs[bits (insn, 16, 19)], ARM_SP_REGNUM)) { - unsigned imm =3D insn & 0xff; /* immediate valu= e */ - unsigned rot =3D (insn & 0xf00) >> 7; /* rotate amount = */ + unsigned imm =3D insn & 0xfff; /* immediate val= ue */ int rd =3D bits (insn, 12, 15); - imm =3D (imm >> rot) | (imm << (32 - rot)); + imm =3D arm_expand_immediate (imm); regs[rd] =3D pv_add_constant (regs[bits (insn, 16, 19)], imm); continue; } else if ((insn & 0xfff00000) =3D=3D 0xe2400000 /* sub Rd, Rn, = #n */ && pv_is_register (regs[bits (insn, 16, 19)], ARM_SP_REGNUM)) { - unsigned imm =3D insn & 0xff; /* immediate valu= e */ - unsigned rot =3D (insn & 0xf00) >> 7; /* rotate amount = */ + unsigned imm =3D insn & 0xfff; /* immediate val= ue */ int rd =3D bits (insn, 12, 15); - imm =3D (imm >> rot) | (imm << (32 - rot)); + imm =3D arm_expand_immediate (imm); regs[rd] =3D pv_add_constant (regs[bits (insn, 16, 19)], -imm); continue; } 
@@ -1604,16 +1621,14 @@ arm_analyze_prologue (struct gdbarch *gdbarch, } else if ((insn & 0xfffff000) =3D=3D 0xe24cb000) /* sub fp, ip #= n */ { - unsigned imm =3D insn & 0xff; /* immediate valu= e */ - unsigned rot =3D (insn & 0xf00) >> 7; /* rotate amount = */ - imm =3D (imm >> rot) | (imm << (32 - rot)); + unsigned imm =3D insn & 0xfff; /* immediate valu= e */ + imm =3D arm_expand_immediate (imm); regs[ARM_FP_REGNUM] =3D pv_add_constant (regs[ARM_IP_REGNUM], -im= m); } else if ((insn & 0xfffff000) =3D=3D 0xe24dd000) /* sub sp, sp #= n */ { - unsigned imm =3D insn & 0xff; /* immediate valu= e */ - unsigned rot =3D (insn & 0xf00) >> 7; /* rotate amount = */ - imm =3D (imm >> rot) | (imm << (32 - rot)); + unsigned imm =3D insn & 0xfff; /* immediate valu= e */ + imm =3D arm_expand_immediate (imm); regs[ARM_SP_REGNUM] =3D pv_add_constant (regs[ARM_SP_REGNUM], -im= m); } else if ((insn & 0xffff7fff) =3D=3D 0xed6d0103 /* stfe f?, --=20 2.29.1 --=20 You are receiving this mail because: You are on the CC list for the bug.=
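Review bot: in the first hunk (@@ -1485,6 +1485,25 @@), the header comment on arm_expand_immediate should state the invariant that makes the `32 - rotate_amount` shift safe, since that is the whole point of the change. rotate_amount is `(imm & 0xf00) >> 7`, twice the 4-bit rotate field, so it is always even and at most 30; with the early `return unrotated_value;` for rotate_amount == 0, the left shift is by 2..30 and never by 32. A sentence such as `/* ROTATE_AMOUNT is even and at most 30, so once 0 is handled the shift by 32 - ROTATE_AMOUNT is always in range.  */` would stop a later reader from "simplifying" the early return away. The function is also a pure uint32_t helper, so it can be unit-tested on its own without the arm_analyze_prologue_test refactoring the report says is still missing; from the visible code, 0x000 -> 0, 0x0ff -> 0xff, 0x1ff -> 0xc000003f and 0xfff -> 0x3fc are usable vectors.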
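Review bot: in the second hunk (@@ -1535,20 +1554,18 @@), the `/* immediate value */` comment kept on `unsigned imm = insn & 0xfff;` now describes the 12-bit encoded field (imm8 plus rotate), not the immediate value, which only exists after `imm = arm_expand_immediate (imm);`. In both the add and sub branches the comment should read "encoded immediate", or the two lines could be collapsed to `unsigned imm = arm_expand_immediate (insn & 0xfff);`. Behaviour is otherwise unchanged: pv_add_constant still receives the expanded value, and the `-imm` in the sub branch is as before.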
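Review bot: in the third hunk (@@ -1604,16 +1621,14 @@), the same comment point applies to the two `unsigned imm = insn & 0xfff;` lines in the `sub fp, ip #n` and `sub sp, sp #n` branches. The commit message would also benefit from saying why the removed `imm << (32 - rot)` was reachable at all: rot is zero whenever the 4-bit rotate field is zero, i.e. for every encoded constant below 256, so an ordinary `sub sp, sp, #16` at the start of a prologue already produced the shift-by-32 that the sanitizer reports. That is worth recording because it explains why the report triggers on plain prologues rather than on unusual immediates.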
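The bug is easier to see in isolation than inside arm_analyze_prologue, so here is an added, stand-alone C example (not gdb's code and not the patch above) that decodes ARM modified immediates the safe way, flags exactly the encodings on which the old `(imm >> rot) | (imm << (32 - rot))` expression shifted by 32, and recognises `add/sub sp, sp, #n` with the same opcode masks the patch uses. The function names and the instruction words are assumptions: the names are hypothetical, and the words were constructed by hand from the ARM encoding rules, not captured from a real binary.

```c
/* Added example, not gdb's code.  Decodes ARM "modified immediate" constants
   without the shift-by-32 undefined behaviour described in the bug report.
   Function names are hypothetical; instruction words in main() are
   constructed by hand, not taken from a real binary.  */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Expand a 12-bit encoded immediate (8-bit value plus 4-bit rotate field)
   into its 32-bit value: imm32 = ROR (imm8, 2 * rotate_field).  */
static uint32_t
expand_modified_immediate (uint32_t imm12)
{
  uint32_t imm8 = imm12 & 0xff;
  /* The rotate field is bits 8..11 and the rotation is twice its value,
     so rotate_amount is always even and at most 30.  */
  uint32_t rotate_amount = (imm12 & 0xf00) >> 7;

  /* A rotation of 0 must be special-cased: "imm8 << (32 - 0)" would shift a
     32-bit type by its full width, which is undefined behaviour in C.  */
  if (rotate_amount == 0)
    return imm8;

  /* Now 2 <= rotate_amount <= 30, so both shifts are in range.  */
  return (imm8 >> rotate_amount) | (imm8 << (32 - rotate_amount));
}

/* True for every encoded immediate on which the pre-patch expression
   shifted by 32, i.e. whenever the rotate field is zero.  That is every
   constant below 256, including the "sub sp, sp, #16" of a typical prologue.  */
static bool
old_decode_shifts_by_32 (uint32_t imm12)
{
  return ((imm12 & 0xf00) >> 7) == 0;
}

/* Recognise "add sp, sp, #n" / "sub sp, sp, #n" (ARM mode, condition AL),
   using the same opcode masks as the patch, and report the signed change
   to SP.  Returns false when INSN is not one of those two forms.  */
static bool
sp_adjust_from_insn (uint32_t insn, int32_t *delta)
{
  uint32_t rn = (insn >> 16) & 0xf;   /* bits (insn, 16, 19) in gdb terms */
  uint32_t rd = (insn >> 12) & 0xf;   /* bits (insn, 12, 15) */
  if (rn != 13 || rd != 13)           /* r13 is SP */
    return false;

  uint32_t imm = expand_modified_immediate (insn & 0xfff);

  if ((insn & 0xfff00000) == 0xe2800000)        /* add Rd, Rn, #n */
    {
      *delta = (int32_t) imm;
      return true;
    }
  if ((insn & 0xfff00000) == 0xe2400000)        /* sub Rd, Rn, #n */
    {
      *delta = (int32_t) (0u - imm);  /* negate in unsigned arithmetic */
      return true;
    }
  return false;
}

int
main (void)
{
  /* Constructed instruction words (cond = AL, Rn = Rd = sp).  */
  const uint32_t words[] = {
    0xe24dd010,   /* sub sp, sp, #16    -> imm12 = 0x010 (rotate field 0) */
    0xe28dd010,   /* add sp, sp, #16    -> imm12 = 0x010 */
    0xe24ddb01,   /* sub sp, sp, #1024  -> imm12 = 0xb01 (1 ROR 22) */
    0xe1a0c00d,   /* mov ip, sp         -> not an SP adjustment */
  };

  for (size_t i = 0; i < sizeof words / sizeof words[0]; i++)
    {
      int32_t delta;
      if (sp_adjust_from_insn (words[i], &delta))
        printf ("%08x: sp += %d (old decode shifted by 32: %s)\n",
                words[i], delta,
                old_decode_shifts_by_32 (words[i] & 0xfff) ? "yes" : "no");
      else
        printf ("%08x: not an add/sub sp, sp, #n\n", words[i]);
    }
  return 0;
}
```

Running it shows that the everyday `sub sp, sp, #16` is exactly the case the old code mis-decoded, while `#1024`, which needs a non-zero rotate, never reached the bad shift; a unit test over expand_modified_immediate alone is enough to pin the fix down.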