Mirror of the gdb-patches mailing list
 help / color / mirror / Atom feed
From: Pedro Alves <pedro@palves.net>
To: Tom de Vries <tdevries@suse.de>, gdb-patches@sourceware.org
Subject: Re: [PATCH][gdb] Fix heap-buffer-overflow in completion_tracker::build_completion_result
Date: Fri, 4 Dec 2020 18:39:53 +0000	[thread overview]
Message-ID: <09568e21-6cea-573c-9ecd-75e5fb61e234@palves.net> (raw)
In-Reply-To: <20201204173939.GA7594@delia>

On 12/4/20 5:39 PM, Tom de Vries wrote:
> Hi,
> 
> When building gdb with address sanitizer and running test-case
> gdb.base/completion.exp, we run into:
> ...
> ==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \
>   0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28
> READ of size 1 at 0x60200025c02f thread T0
>     #0 0xcd9d63 in completion_tracker::build_completion_result(char const*, \
>                      int, int) gdb/completer.c:2258
>   ...
> 0x60200025c02f is located 1 bytes to the left of 1-byte region \
>   [0x60200025c030,0x60200025c031)
> ...
> 

It would be useful to show which test triggered this.  I checked, and it's
the new:

 (gdb) p/d[TAB]

test.

> The problem is in this code in completion_tracker::build_completion_result:
> ...
>       bool completion_suppress_append
>         = (suppress_append_ws ()
>            || match_list[0][strlen (match_list[0]) - 1] == ' ');
> ...
> If strlen (match_list[0]) == 0, then we access match_list[0][-1].
> 
> Fix this by testing if the memory access is in bounds before doing the memory
> access.
> 
> Tested on x86_64-linux.
> 
> Any comments?

My first question is -- why do we end up here in the first place?
Why is m_lowest_common_denominator_unique set with the lcd empty?

The answer is that the new "/FMT" completer pushes an empty
completion match:

	  if (*text == '\0')
	    {
	      /* We're at the end of the input string.  The user has typed
		 '/FMT' and asked for a completion.  Push an empty
		 completion string, this will cause readline to insert a
		 space so the user now has '/FMT '.  */
	      in_fmt = true;
	      tracker.add_completion (make_unique_xstrdup (text));
	    }

This could also be fixed by adding a non-empty completion and not advancing
the completion word point, like:

 -             tracker.add_completion (make_unique_xstrdup (text));
 +             tracker.add_completion (make_unique_xstrdup (*args));
 +             return true;

but I'm not thinking of a real problem the empty completion match
causes, so I think it's OK to properly support it.

So the patch is OK.  But please mention the "p/d[TAB]" scenario in
the commit log.

      reply	other threads:[~2020-12-04 18:40 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-04 17:39 Tom de Vries
2020-12-04 18:39 ` Pedro Alves [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=09568e21-6cea-573c-9ecd-75e5fb61e234@palves.net \
    --to=pedro@palves.net \
    --cc=gdb-patches@sourceware.org \
    --cc=tdevries@suse.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox