public inbox for gdb-prs@sourceware.org
From: "andrew.burgess at embecosm dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug gdb/27114] New: DWARF Expression Evaluator Doesn't Detect Undefined Behaviour
Date: Thu, 24 Dec 2020 17:01:08 +0000
Message-ID: <bug-27114-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27114

            Bug ID: 27114
           Summary: DWARF Expression Evaluator Doesn't Detect Undefined
                    Behaviour
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: andrew.burgess at embecosm dot com
  Target Milestone: ---

In the function dwarf_expr_context::execute_stack_op (dwarf/expr.c) consider
evaluating a DW_OP_mul; two operands are popped from the DWARF expression stack
and then we call value_binop.

If we consider just integer multiplication then eventually we end up in
scalar_binop (valarith.c), which just does:

              v = v1 * v2;

Where v, v1, and v2 are all of type ULONGEST.

It is obvious that we could experience integer overflow here if v1 and v2 are
large.

As v1 and v2 came from DWARF expressions these could have been read from the
user program, for example Fortran dynamic arrays will use DWARF expressions
that read from the user program, and often include multiplication to compute
the array element stride (DW_AT_byte_stride).

In a well-behaved program we would not (usually) expect to see such overflow,
but if the user's program has suffered from memory corruption then it is
possible that we could run into a case where GDB experiences this overflow.

This issue is semi-related to bug 27049: in that bug GDB was reading
uninitialised data from the inferior (a dynamic array had not yet been
allocated), so fixing that bug was easy: don't read the properties of a
non-allocated array.  But in general we should not trust that data loaded from
the inferior will not trigger overflow (or other undefined behaviour).

Just to be clear, this issue is not just with multiplication; obviously other
arithmetic operators could overflow too.
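The following is an added illustration, not GDB's code: a stripped-down model of a DWARF stack evaluator in the spirit of execute_stack_op, handling only DW_OP_constu, DW_OP_mul and DW_OP_plus, where the binary operations are overflow-checked so that an operand pair read from a corrupted inferior is reported as an error instead of silently wrapping. The ULONGEST typedef, the eval_status codes and the two sample expressions are constructed for the example; the opcode values are the ones from the DWARF specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
typedef unsigned long long ULONGEST;   /* stands in for GDB's ULONGEST */
/* Opcodes as defined in the DWARF specification.  */
enum { DW_OP_constu = 0x10, DW_OP_mul = 0x1e, DW_OP_plus = 0x22 };
enum eval_status { EVAL_OK, EVAL_UNDERFLOW, EVAL_OVERFLOW, EVAL_BAD_OP };
#define STACK_MAX 16
/* Overflow-checked arithmetic: report failure instead of wrapping.  */
static int checked_mul (ULONGEST a, ULONGEST b, ULONGEST *out)
{ if (a != 0 && b > ULLONG_MAX / a) return 1; *out = a * b; return 0; }
static int checked_add (ULONGEST a, ULONGEST b, ULONGEST *out)
{ if (b > ULLONG_MAX - a) return 1; *out = a + b; return 0; }
/* Decode the ULEB128 operand of DW_OP_constu (shift capped at 64 bits).  */
static ULONGEST read_uleb128 (const uint8_t *e, size_t len, size_t *pos)
{
  ULONGEST result = 0; unsigned shift = 0;
  while (*pos < len && shift < 64) {
    uint8_t byte = e[(*pos)++];
    result |= (ULONGEST) (byte & 0x7f) << shift;
    if (!(byte & 0x80)) break;
    shift += 7;
  }
  return result;
}
/* Evaluate an expression; on success the top of stack is left in *result.  */
enum eval_status eval_dwarf_expr (const uint8_t *e, size_t len, ULONGEST *result)
{
  ULONGEST stack[STACK_MAX]; size_t sp = 0, pos = 0;
  while (pos < len) {
    uint8_t op = e[pos++];
    if (op == DW_OP_constu) {
      if (sp == STACK_MAX) return EVAL_BAD_OP;
      stack[sp++] = read_uleb128 (e, len, &pos); continue;
    }
    if (op != DW_OP_mul && op != DW_OP_plus) return EVAL_BAD_OP;
    if (sp < 2) return EVAL_UNDERFLOW;
    ULONGEST v2 = stack[--sp], v1 = stack[--sp], v;   /* same pop order as execute_stack_op */
    if ((op == DW_OP_mul ? checked_mul : checked_add) (v1, v2, &v)) return EVAL_OVERFLOW;
    stack[sp++] = v;
  }
  if (sp == 0) return EVAL_UNDERFLOW;
  *result = stack[sp - 1]; return EVAL_OK;
}
/* Constructed sample stride expressions (not from a real binary): 10 * 8, and (2^64 - 1) * 2.  */
const uint8_t ok_expr[] = { DW_OP_constu, 10, DW_OP_constu, 8, DW_OP_mul };
const uint8_t bad_expr[] = { DW_OP_constu, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
                             DW_OP_constu, 2, DW_OP_mul };
```

The ok_expr evaluates to 80; bad_expr, whose first operand is the largest ULEB128-encoded 64-bit value, is rejected with EVAL_OVERFLOW rather than yielding a wrapped stride.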

-- 
You are receiving this mail because:
You are on the CC list for the bug.
