public inbox for gdb-prs@sourceware.org
From: "andrew.burgess at embecosm dot com" <sourceware-bugzilla@sourceware.org>
To: gdb-prs@sourceware.org
Subject: [Bug gdb/27114] New: DWARF Expression Evaluator Doesn't Detect Undefined Behaviour
Date: Thu, 24 Dec 2020 17:01:08 +0000
Message-ID: <bug-27114-4717@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=27114

            Bug ID: 27114
           Summary: DWARF Expression Evaluator Doesn't Detect Undefined Behaviour
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: andrew.burgess at embecosm dot com
  Target Milestone: ---

In the function dwarf_expr_context::execute_stack_op (dwarf/expr.c) consider evaluating a DW_OP_mul; two operands are popped from the DWARF expression stack and then we call value_binop.

If we consider just integer multiplication then eventually we end up in scalar_binop (valarith.c), which just does:

  v = v1 * v2;

where v, v1, and v2 are all of type ULONGEST.

It is obvious that we could experience integer overflow here if v1 and v2 are large.

As v1 and v2 came from DWARF expressions these could have been read from the user program; for example, Fortran dynamic arrays will use DWARF expressions that read from the user program, and often include multiplication to compute the array element stride (DW_AT_byte_stride).

In a well-behaved program we would not (usually) expect to see such overflow, but if the user's program has suffered from memory corruption then it is possible that we could run into a case where GDB experiences this overflow.

This issue is semi-related to bug 27049; in that bug GDB was reading uninitialised data from the inferior (a dynamic array had not yet been allocated), so fixing that bug was easy: don't read the properties of a non-allocated array. But in general we should not trust that data loaded from the inferior will not trigger overflow (or other undefined behaviour).

Just to be clear, this issue is not just with multiplication; obviously other arithmetic operators could overflow too.

--
You are receiving this mail because:
You are on the CC list for the bug.
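As an added illustration (not GDB's code, and not something the reporter posted), here is a toy evaluator in C for four DWARF stack-machine opcodes. It reproduces the reported shape of the problem, a DW_OP_mul whose operands were fetched from the debuggee with DW_OP_deref, and places the plain `v = v1 * v2` beside a variant that refuses results that do not fit in 64 bits. The opcode numbers are the DWARF standard's; the descriptor layout, the stand-in for inferior memory, every function name, and the use of the GCC/Clang `__builtin_mul_overflow` / `__builtin_add_overflow` builtins are assumptions made for this example only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not GDB's code: a toy evaluator for four DWARF stack-machine
   opcodes.  Opcode numbers are the DWARF standard's; the descriptor layout, the
   fake inferior memory and every function name are constructed for the example. */

typedef uint64_t ULONGEST;            /* GDB's 64-bit unsigned type */

enum { DW_OP_deref = 0x06, DW_OP_constu = 0x10, DW_OP_mul = 0x1e, DW_OP_plus = 0x22 };

enum eval_status { EVAL_OK = 0, EVAL_STACK_UNDERFLOW, EVAL_STACK_FULL, EVAL_BAD_OPCODE,
                   EVAL_BAD_ADDRESS, EVAL_TRUNCATED, EVAL_ARITH_OVERFLOW };

/* Constructed stand-in for inferior memory: 16 little-endian 64-bit words at
   addresses 0, 8, 16, ...; any other address is unreadable. */
static ULONGEST inferior_mem[16];

static bool read_inferior_word(ULONGEST addr, ULONGEST *out)
{
  if (addr % 8 != 0 || addr / 8 >= 16) return false;
  *out = inferior_mem[addr / 8];
  return true;
}

/* Decode an unsigned LEB128 operand.  Returns bytes consumed, or 0 if the
   encoding runs off the end of the expression or does not fit in 64 bits. */
static size_t read_uleb128(const uint8_t *p, size_t len, ULONGEST *out)
{
  ULONGEST result = 0;
  for (size_t i = 0; i < len; i++) {
    ULONGEST bits = p[i] & 0x7f;
    unsigned shift = 7 * (unsigned)i;
    if (shift >= 64 ? bits != 0 : ((bits << shift) >> shift) != bits) return 0;
    if (shift < 64) result |= bits << shift;
    if (!(p[i] & 0x80)) { *out = result; return i + 1; }
  }
  return 0;
}

/* Evaluate an expression; on success the top of stack is stored in *result.
   check_overflow == false reproduces the plain `v = v1 * v2` (wraps mod 2^64);
   check_overflow == true rejects a DW_OP_mul or DW_OP_plus whose true result does
   not fit, via the GCC/Clang __builtin_*_overflow builtins (a compiler assumption). */
static enum eval_status
eval_dwarf_expr(const uint8_t *expr, size_t len, bool check_overflow, ULONGEST *result)
{
  ULONGEST stack[64], a, b, v;
  size_t sp = 0, pc = 0, n;
  while (pc < len) {
    uint8_t op = expr[pc++];
    switch (op) {
    case DW_OP_constu:
      if ((n = read_uleb128(expr + pc, len - pc, &v)) == 0) return EVAL_TRUNCATED;
      if (sp == 64) return EVAL_STACK_FULL;
      pc += n;
      stack[sp++] = v;
      break;
    case DW_OP_deref:                 /* the operand now comes from the debuggee */
      if (sp < 1) return EVAL_STACK_UNDERFLOW;
      if (!read_inferior_word(stack[sp - 1], &v)) return EVAL_BAD_ADDRESS;
      stack[sp - 1] = v;
      break;
    case DW_OP_mul:
    case DW_OP_plus:
      if (sp < 2) return EVAL_STACK_UNDERFLOW;
      b = stack[--sp]; a = stack[--sp];
      if (!check_overflow)
        v = (op == DW_OP_mul) ? a * b : a + b;
      else if ((op == DW_OP_mul) ? __builtin_mul_overflow(a, b, &v)
                                 : __builtin_add_overflow(a, b, &v))
        return EVAL_ARITH_OVERFLOW;
      stack[sp++] = v;
      break;
    default:
      return EVAL_BAD_OPCODE;
    }
  }
  if (sp < 1) return EVAL_STACK_UNDERFLOW;
  *result = stack[sp - 1];
  return EVAL_OK;
}

/* Scenario modelled on a dynamic-array byte stride: element size and extent are
   read from a (constructed) descriptor in inferior memory and multiplied.  A
   corrupted descriptor can hold values whose product exceeds 64 bits. */
static enum eval_status
compute_stride(ULONGEST elem_size, ULONGEST extent, bool check_overflow, ULONGEST *stride)
{
  static const uint8_t expr[] = {
    DW_OP_constu, 0x08, DW_OP_deref,  /* push *(descriptor + 8)  : element size */
    DW_OP_constu, 0x10, DW_OP_deref,  /* push *(descriptor + 16) : extent */
    DW_OP_mul,
  };
  inferior_mem[1] = elem_size;
  inferior_mem[2] = extent;
  return eval_dwarf_expr(expr, sizeof expr, check_overflow, stride);
}
```

Link this with a small main that calls compute_stride. With an 8-byte element size and an extent of 2^62 in the constructed descriptor, the unchecked evaluation returns EVAL_OK with a stride of 0 (2^65 wrapped modulo 2^64), which a caller would go on to use as a legitimate stride; the checked evaluation returns EVAL_ARITH_OVERFLOW for the same input. Unsigned wrap-around is itself defined arithmetic in C, so the hazard is the silently wrong value that the evaluator then trusts rather than a crash at the multiply; the same check applies to DW_OP_plus, since a corrupted descriptor can overflow an addition just as easily.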