From: "andrew.burgess at embecosm dot com"
To: gdb-prs@sourceware.org
Subject: [Bug gdb/27114] New: DWARF Expression Evaluator Doesn't Detect Undefined Behaviour
Date: Thu, 24 Dec 2020 17:01:08 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=27114

            Bug ID: 27114
           Summary: DWARF Expression Evaluator Doesn't Detect Undefined
                    Behaviour
           Product: gdb
           Version: HEAD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: gdb
          Assignee: unassigned at sourceware dot org
          Reporter: andrew.burgess at embecosm dot com
  Target Milestone: ---

In the function dwarf_expr_context::execute_stack_op (dwarf/expr.c) consider
evaluating a DW_OP_mul; two operands are popped from the DWARF expression stack
and then we call value_binop.

If we consider just integer multiplication then eventually we end up in
scalar_binop (valarith.c), which just does:

  v = v1 * v2;

Where v, v1, and v2 are all of type ULONGEST.

It is obvious that we could experience integer overflow here if v1 and v2 are
large.

As v1 and v2 came from DWARF expressions these could have been read from the
user program, for example Fortran dynamic arrays will use DWARF expressions
that read from the user program, and often include multiplication to compute
the array element stride (DW_AT_byte_stride).

In a well behaved program we would not (usually) expect to see such overflow,
but if the user's program has suffered from memory corruption then it is
possible that we could run into a case where GDB experiences this overflow.

This issue is semi-related to bug 27049, in that bug GDB was reading
uninitialised data from the inferior (a dynamic array had not yet been
allocated), so fixing that bug was easy: don't read the properties of a
non-allocated array. But in general we should not trust that data loaded from
the inferior will not trigger overflow (or other undefined behaviour).

Just to be clear, this issue is not just with multiplication; obviously other
arithmetic operators could overflow too.
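To make the overflow described above concrete, the following is an added example and not GDB's own code: a stand-alone model of the unchecked product that the report attributes to scalar_binop, placed beside a checked multiplication that refuses to produce a wrapped result. The ulongest_t typedef, mul_unchecked, mul_checked, struct dwarf_stack and toy_dw_op_mul are all assumptions made for this illustration; they stand in for, but do not reproduce, ULONGEST, scalar_binop and dwarf_expr_context::execute_stack_op. The operands in main are constructed: a plausible 8-byte stride next to an element count with every bit set, the kind of value a corrupted inferior could hand the evaluator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not GDB code.  Assumption: a 64-bit unsigned type standing
   in for GDB's ULONGEST as used by scalar_binop in valarith.c. */
typedef uint64_t ulongest_t;

/* Unchecked multiply, as the report describes scalar_binop doing (v = v1 * v2).
   An unsigned product silently wraps modulo 2^64, so a corrupted stride read
   from the inferior yields a wrong but plausible value with no indication
   that anything went wrong. */
static ulongest_t mul_unchecked(ulongest_t v1, ulongest_t v2)
{
  return v1 * v2;
}

/* Checked multiply: returns true and stores the product in *out when it fits
   in 64 bits; returns false and leaves *out untouched when the mathematical
   product would exceed UINT64_MAX.  Uses the compiler builtin where available
   and a portable division test otherwise. */
static bool mul_checked(ulongest_t v1, ulongest_t v2, ulongest_t *out)
{
#if defined(__GNUC__) || defined(__clang__)
  return !__builtin_mul_overflow(v1, v2, out);
#else
  if (v1 != 0 && v2 > UINT64_MAX / v1)
    return false;
  *out = v1 * v2;
  return true;
#endif
}

/* Hypothetical evaluator stack (assumption: a toy model of DW_OP_mul, not
   dwarf_expr_context::execute_stack_op).  toy_dw_op_mul pops two operands
   and pushes their product; it returns 0 on success and -1 when the stack is
   too short or the product overflowed.  A real evaluator would raise an
   error at that point instead of continuing with a wrapped value. */
struct dwarf_stack { ulongest_t v[8]; int depth; };

static int toy_dw_op_mul(struct dwarf_stack *st)
{
  if (st->depth < 2)
    return -1;
  ulongest_t v2 = st->v[--st->depth];
  ulongest_t v1 = st->v[--st->depth];
  ulongest_t v;
  if (!mul_checked(v1, v2, &v))
    return -1;                 /* overflow: refuse to push a bogus stride */
  st->v[st->depth++] = v;
  return 0;
}

int main(void)
{
  /* Constructed operands: an 8-byte stride times a sane element count. */
  struct dwarf_stack sane = { { 1000, 8 }, 2 };
  if (toy_dw_op_mul(&sane) == 0)
    printf("sane:    product = %llu\n", (unsigned long long) sane.v[0]);

  /* Constructed operands: the same stride times an element count that looks
     like memory corruption (all 64 bits set). */
  struct dwarf_stack bad = { { UINT64_MAX, 8 }, 2 };
  printf("wrapped: unchecked product = %llu\n",
         (unsigned long long) mul_unchecked(UINT64_MAX, 8));
  if (toy_dw_op_mul(&bad) != 0)
    printf("checked: overflow detected, evaluation stopped\n");
  return 0;
}
```

The point of the split is that the unchecked form returns a number the caller has no reason to distrust, while the checked form turns the same corrupted input into an explicit evaluation failure that GDB could report to the user.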