From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id cTmDMIGCyl/8PQAAWB0awg (envelope-from ) for ; Fri, 04 Dec 2020 13:40:01 -0500 Received: by simark.ca (Postfix, from userid 112) id B19691F0AB; Fri, 4 Dec 2020 13:40:01 -0500 (EST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id BF7F91E552 for ; Fri, 4 Dec 2020 13:40:00 -0500 (EST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 164E4386F805; Fri, 4 Dec 2020 18:40:00 +0000 (GMT) Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by sourceware.org (Postfix) with ESMTPS id D979B39730C1 for ; Fri, 4 Dec 2020 18:39:57 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org D979B39730C1 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=palves.net Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=alves.ped@gmail.com Received: by mail-wm1-f47.google.com with SMTP id a6so6324738wmc.2 for ; Fri, 04 Dec 2020 10:39:57 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=vaKasYUPJYOZXAQf8zaDulLry/VGApv/9FITsZ6jJ14=; b=grCJYZxc1nJr/yBNZIV8qVstn6/d3ivuVwvkTqLiYV5W82adZmUNH2HVQrtecFqLAv NCTwxnwncv121HjP4JC+4OP7c09VvWSxhF+3LgSFyMJ3P66+m41wBPCBT7YbGNYAQyZG COyNpyPNw1PpyQnknXZkZEwk4h7zBRfO6meI/CEgUe4t7rzVV5Q0IkiJKLm09KA1B5fH XFhVcgGoLSceeYXKiqdn3EuKSindL3Yydpnb7IS7ZFRv8koEP/0uaDMzPac2I829vf+l lpvMUrPm4Lfx/EQ9ZA9XCU/0f+/X/GvOjy/o9rxURz6SXgyZ4PeyH2oFd04SuuyXfCwE Wm0Q== X-Gm-Message-State: AOAM533Yc65dx4Rz22851ln5KTaIw2XD3W0eLHl7M16k0nbrjssM7Quo FHYXF/taReZ+e0io7TyDN1S+XTdzac1UEA== X-Google-Smtp-Source: ABdhPJy81b/X5F+dLEnNL5v4mxpAu+RD6Uqh11iJIQ23tIFJgsNqKHQXaLdP7p49Xuhl4qSn9+yZ9Q== X-Received: by 2002:a1c:4e0a:: with SMTP id g10mr5711915wmh.51.1607107196375; Fri, 04 Dec 2020 10:39:56 -0800 (PST) Received: from ?IPv6:2001:8a0:f91f:e900:642f:5bb0:6cba:b1bd? ([2001:8a0:f91f:e900:642f:5bb0:6cba:b1bd]) by smtp.gmail.com with ESMTPSA id r82sm4229155wma.18.2020.12.04.10.39.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 04 Dec 2020 10:39:55 -0800 (PST) Subject: Re: [PATCH][gdb] Fix heap-buffer-overflow in completion_tracker::build_completion_result To: Tom de Vries , gdb-patches@sourceware.org References: <20201204173939.GA7594@delia> From: Pedro Alves Message-ID: <09568e21-6cea-573c-9ecd-75e5fb61e234@palves.net> Date: Fri, 4 Dec 2020 18:39:53 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1 MIME-Version: 1.0 In-Reply-To: <20201204173939.GA7594@delia> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gdb-patches-bounces@sourceware.org Sender: "Gdb-patches" On 12/4/20 5:39 PM, Tom de Vries wrote: > Hi, > > When building gdb with address sanitizer and running test-case > gdb.base/completion.exp, we run into: > ... > ==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \ > 0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28 > READ of size 1 at 0x60200025c02f thread T0 > #0 0xcd9d63 in completion_tracker::build_completion_result(char const*, \ > int, int) gdb/completer.c:2258 > ... > 0x60200025c02f is located 1 bytes to the left of 1-byte region \ > [0x60200025c030,0x60200025c031) > ... > It would be useful to show which test triggered this. I checked, and it's the new: (gdb) p/d[TAB] test. > The problem is in this code in completion_tracker::build_completion_result: > ... > bool completion_suppress_append > = (suppress_append_ws () > || match_list[0][strlen (match_list[0]) - 1] == ' '); > ... > If strlen (match_list[0]) == 0, then we access match_list[0][-1]. > > Fix this by testing if the memory access is in bounds before doing the memory > access. > > Tested on x86_64-linux. > > Any comments? My first question is -- why do we end up here in the first place? Why is m_lowest_common_denominator_unique set with the lcd empty? The answer is that the new "/FMT" completer pushes an empty completion match: if (*text == '\0') { /* We're at the end of the input string. The user has typed '/FMT' and asked for a completion. Push an empty completion string, this will cause readline to insert a space so the user now has '/FMT '. */ in_fmt = true; tracker.add_completion (make_unique_xstrdup (text)); } This could also be fixed by adding a non-empty completion and not advancing the completion word point, like: - tracker.add_completion (make_unique_xstrdup (text)); + tracker.add_completion (make_unique_xstrdup (*args)); + return true; but I'm not thinking of a real problem the empty completion match causes, so I think it's OK to properly support it. So the patch is OK. But please mention the "p/d[TAB]" scenario in the commit log.