* [Bug backtrace/28721] New: Stack buffer overrun in i386_unwind_pc
@ 2021-12-24 13:35 jinoh.kang.kr at gmail dot com
  2022-03-01 23:11 ` [Bug backtrace/28721] " tromey at sourceware dot org
  2022-03-02  4:14 ` jinoh.kang.kr at gmail dot com
  0 siblings, 2 replies; 3+ messages in thread
From: jinoh.kang.kr at gmail dot com @ 2021-12-24 13:35 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=28721

            Bug ID: 28721
           Summary: Stack buffer overrun in i386_unwind_pc
           Product: gdb
           Version: HEAD
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: backtrace
          Assignee: unassigned at sourceware dot org
          Reporter: jinoh.kang.kr at gmail dot com
  Target Milestone: ---
             Flags: security?

Created attachment 13876
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13876&action=edit
Sample program that triggers crash

i386_unwind_pc calls frame_unwind_register with an 8-byte buffer, which can
overrun if a wider register (e.g. [XYZ]MM registers) is specified as the return
address register.

An example debugging session that reproduces the crash:

  $ gcc -o test gdb-unwind-pc-overrun.S   # from attachment
  $ gdb -q ./test
  Reading symbols from ./test...
  (No debugging symbols found in ./test)
  (gdb) start
  Temporary breakpoint 1 at 0x401106
  Starting program: /home/user/trxu/test 

  Temporary breakpoint 1, 0x0000000000401106 in main ()
  (gdb) stepi   # (or bt)
  *** stack smashing detected ***: terminated
  Aborted (core dumped)

This bug should be trivial to fix: use frame_unwind_register_unsigned instead
(unless there are semantic differences between frame_unwind_register and
frame_unwind_register_unsigned that I missed).

-- 
You are receiving this mail because:
You are on the CC list for the bug.

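A model of the pattern behind this report and of the size check that prevents it, added here as an illustration and not taken from GDB's source: the register table, its widths and sample values, and the function names unwind_register_checked and unwind_register_unsigned are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_REG_SIZE 64   /* widest modelled register: a 512-bit ZMM register */

/* Constructed register file: name, width in bytes, raw little-endian bytes.
   These are sample values for the example, not data from a real inferior. */
struct reg_desc {
    const char *name;
    size_t size;
    unsigned char raw[MAX_REG_SIZE];
};

static const struct reg_desc regs[] = {
    { "rip",  8,  { 0x06, 0x11, 0x40, 0x00 } },             /* PC = 0x401106 */
    { "xmm0", 16, { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42 } },
    { "zmm0", 64, { 0xCC } },
};
#define NUM_REGS (sizeof regs / sizeof regs[0])

/* Checked form of "unwind register regnum into buf": refuses the copy and
   returns -1 when the register is wider than the caller's buffer. The
   unchecked form (memcpy of regs[regnum].size bytes into buf) is the shape of
   the bug in the report: an 8-byte buffer and an XMM return-address register
   means 16 bytes are written over an 8-byte stack object. */
int unwind_register_checked(size_t regnum, void *buf, size_t buf_size)
{
    if (regnum >= NUM_REGS || regs[regnum].size > buf_size)
        return -1;
    memcpy(buf, regs[regnum].raw, regs[regnum].size);
    return 0;
}

/* Models the frame_unwind_register_unsigned approach the reporter suggests:
   decode the register as a little-endian unsigned integer, which is only
   defined for widths up to 8 bytes. A wider register is reported as an error
   here instead of becoming a silent out-of-bounds write. */
int unwind_register_unsigned(size_t regnum, uint64_t *out)
{
    unsigned char buf[8];
    if (unwind_register_checked(regnum, buf, sizeof buf) != 0)
        return -1;
    uint64_t v = 0;
    for (size_t i = regs[regnum].size; i-- > 0; )
        v = (v << 8) | buf[i];
    *out = v;
    return 0;
}
```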

* [Bug backtrace/28721] Stack buffer overrun in i386_unwind_pc
  2021-12-24 13:35 [Bug backtrace/28721] New: Stack buffer overrun in i386_unwind_pc jinoh.kang.kr at gmail dot com
@ 2022-03-01 23:11 ` tromey at sourceware dot org
  2022-03-02  4:14 ` jinoh.kang.kr at gmail dot com
  1 sibling, 0 replies; 3+ messages in thread
From: tromey at sourceware dot org @ 2022-03-01 23:11 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=28721

Tom Tromey <tromey at sourceware dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |tromey at sourceware dot org

--- Comment #1 from Tom Tromey <tromey at sourceware dot org> ---
Hi.  Would you consider sending a patch to gdb-patches?
Also, is this something that's actually used?  Or just a
sort of theoretical bug?



* [Bug backtrace/28721] Stack buffer overrun in i386_unwind_pc
  2021-12-24 13:35 [Bug backtrace/28721] New: Stack buffer overrun in i386_unwind_pc jinoh.kang.kr at gmail dot com
  2022-03-01 23:11 ` [Bug backtrace/28721] " tromey at sourceware dot org
@ 2022-03-02  4:14 ` jinoh.kang.kr at gmail dot com
  1 sibling, 0 replies; 3+ messages in thread
From: jinoh.kang.kr at gmail dot com @ 2022-03-02  4:14 UTC (permalink / raw)
  To: gdb-prs

https://sourceware.org/bugzilla/show_bug.cgi?id=28721

--- Comment #2 from Jinoh Kang <jinoh.kang.kr at gmail dot com> ---
(In reply to Tom Tromey from comment #1)
> Hi.  Would you consider sending a patch to gdb-patches?

Not sure about the most optimal approach, but I'll try.

> Also, is this something that's actually used?  Or just a
> sort of theoretical bug?

Simply compile and debug the attached program to reproduce the crash.


