* [Bug gdb/27114] New: DWARF Expression Evaluator Doesn't Detect Undefined Behaviour
@ 2020-12-24 17:01 andrew.burgess at embecosm dot com
From: andrew.burgess at embecosm dot com @ 2020-12-24 17:01 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=27114

            Bug ID: 27114
           Summary: DWARF Expression Evaluator Doesn't Detect Undefined
                    Behaviour
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: andrew.burgess at embecosm dot com
  Target Milestone: ---

In the function dwarf_expr_context::execute_stack_op (dwarf/expr.c) consider
evaluating a DW_OP_mul; two operands are popped from the DWARF expression stack
and then we call value_binop.

If we consider just integer multiplication then eventually we end up in
scalar_binop (valarith.c), which just does:

              v = v1 * v2;

Where v, v1, and v2 are all of type ULONGEST.

It is obvious that we could experience integer overflow here if v1 and v2 are
large.

As v1 and v2 came from DWARF expressions these could have been read from the
user program, for example Fortran dynamic arrays will use DWARF expressions
that read from the user program, and often include multiplication to compute
the array element stride (DW_AT_byte_stride).

In a well-behaved program we would not (usually) expect to see such overflow,
but if the user's program has suffered from memory corruption then it is
possible that we could run into a case where GDB experiences this overflow.

This issue is semi-related to bug 27049; in that bug GDB was reading
uninitialised data from the inferior (a dynamic array had not yet been
allocated), so fixing that bug was easy: don't read the properties of a
non-allocated array.  But in general we should not trust that data loaded from
the inferior will not trigger overflow (or other undefined behaviour).

Just to be clear, this issue is not just with multiplication; obviously other
arithmetic operators could overflow too.
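The following is an added illustration, not code from GDB or from this report: the unchecked `v = v1 * v2` form quoted above next to a checked form that rejects a product which does not fit instead of wrapping, applied in a DW_OP_mul step. ULONGEST is modelled as `uint64_t`, and the operand stack, `op_mul` and `eval_mul` are constructed stand-ins for GDB's `dwarf_expr_context`, not its real API.

```c
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for GDB's ULONGEST (assumption: an unsigned 64-bit type). */
typedef uint64_t ulongest_t;
/* Unchecked form, mirroring the scalar_binop line quoted in the report:
 * unsigned overflow wraps modulo 2^64, so an oversized product silently
 * becomes a small (possibly zero) stride or offset. */
static ulongest_t mul_unchecked(ulongest_t v1, ulongest_t v2)
{
  return v1 * v2;
}

/* Checked form: false (and *out untouched) when v1 * v2 does not fit.
 * The division test never computes the wrapped product. */
static bool mul_checked(ulongest_t v1, ulongest_t v2, ulongest_t *out)
{
  if (v1 != 0 && v2 > UINT64_MAX / v1)
    return false;
  *out = v1 * v2;
  return true;
}

/* Constructed toy operand stack, not GDB's dwarf_expr_context. */
#define STACK_MAX 16
struct expr_stack { ulongest_t v[STACK_MAX]; unsigned depth; };
enum mul_status { MUL_OK = 0, MUL_STACK_UNDERFLOW, MUL_OVERFLOW };
/* DW_OP_mul that refuses both a short stack and a wrapped product. */
static enum mul_status op_mul(struct expr_stack *s)
{
  ulongest_t v1, v2, r;
  if (s->depth < 2)
    return MUL_STACK_UNDERFLOW;
  v2 = s->v[--s->depth];
  v1 = s->v[--s->depth];
  if (!mul_checked(v1, v2, &r))
    return MUL_OVERFLOW;
  s->v[s->depth++] = r;
  return MUL_OK;
}

/* Push two operands (as if read from the inferior), then apply DW_OP_mul. */
static enum mul_status eval_mul(ulongest_t v1, ulongest_t v2, ulongest_t *out)
{
  struct expr_stack s = { { v1, v2 }, 2 };
  enum mul_status st = op_mul(&s);
  if (st == MUL_OK)
    *out = s.v[0];
  return st;
}
```

With operands 2^40 and 2^30 the unchecked form yields 0, while the checked path reports MUL_OVERFLOW and pushes nothing.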

