From: Jan Kratochvil
To: Tom Tromey
Cc: gdb-patches@sourceware.org
Subject: Re: RFC: fix bug in pieced value with offset
Date: Fri, 14 May 2010 22:35:00 -0000
Message-ID: <20100514220057.GA31601@host0.dyn.jankratochvil.net>
References: <20100514110537.GA25586@host0.dyn.jankratochvil.net> <20100514192324.GA25176@host0.dyn.jankratochvil.net> <20100514201405.GA30274@host0.dyn.jankratochvil.net>

On Fri, 14 May 2010 22:31:43 +0200, Tom Tromey wrote:
> What do you think of this revision?

Except for one severe problem, I find it OK now myself.

> case DWARF_VALUE_STACK:
> {
> struct gdbarch *gdbarch = get_type_arch (value_type (v));
> - size_t n = p->size;
> - if (n > c->addr_size)
> - n = c->addr_size;
> - store_unsigned_integer (contents + offset, n,
> - gdbarch_byte_order (gdbarch),
> - p->v.expr.value);
> + size_t n = this_size;
> + if (n > c->addr_size - source_offset)
> + n = c->addr_size - source_offset;

As the strict sanity checks are not included, this expression may be an exploitable memory corruption by an overflowed N in the case of: DW_OP_piece size larger than the CU address size, and value_offset (still in the scope of this DW_OP_piece size) also larger than the CU address size.

Suggesting something like:

# size_t n = this_size;
# if (n > c->addr_size - source_offset)
# n = c->addr_size >= source_offset ? c->addr_size - source_offset : 0;

> case DWARF_VALUE_LITERAL:
> {
> - size_t n = p->size;
> - if (n > p->v.literal.length)
> - n = p->v.literal.length;
> - memcpy (contents + offset, p->v.literal.data, n);
> + if (this_size > p->v.literal.length - source_offset)
> + this_size = p->v.literal.length - source_offset;

Again, something like:

# if (this_size > p->v.literal.length - source_offset)
# this_size = p->v.literal.length >= source_offset
# ? p->v.literal.length - source_offset : 0;

(DWARF_VALUE_STACK now does not modify THIS_SIZE while DWARF_VALUE_LITERAL modifies it - thus corrupting OFFSET - but both only in the cases of invalid DWARF I was suggesting to error() on anyway, so it probably does not matter.)

> +if { [gdb_compile "${srcdir}/${subdir}/${srcfile}" "${binfile}" executable {}] != "" } {
> + return -1
> +}
> +
> +clean_restart ${testfile}.x

Nitpick: therefore it could use prepare_for_testing now.
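Review bot: in the DWARF_VALUE_STACK hunk, the clamp `if (n > c->addr_size - source_offset)` is evaluated in unsigned arithmetic, so when source_offset is larger than c->addr_size the subtraction wraps to a huge value, the comparison is false, and n keeps the full this_size; the store_unsigned_integer call that consumes n (its replacement is not visible in the quoted hunk) then writes this_size bytes at contents + offset with no bound derived from the address size. Compare source_offset against c->addr_size first, either clamping as the reply suggests (`n = c->addr_size >= source_offset ? c->addr_size - source_offset : 0;`) or calling error() there, since a piece offset beyond the address size can only come from malformed debug info and is better rejected than silently truncated.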
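Review bot: the DWARF_VALUE_LITERAL hunk has the same unsigned wrap in `if (this_size > p->v.literal.length - source_offset)`: with source_offset greater than p->v.literal.length the right-hand side wraps, this_size is never reduced, and the copy from p->v.literal.data reads past the end of the literal. Besides the `p->v.literal.length >= source_offset ? ... : 0` guard, note that this hunk shrinks this_size itself while the DWARF_VALUE_STACK case copies it into a local n; if this_size is later used to advance offset, the two cases advance the output buffer by different amounts for the same piece. Use one convention in both cases, or error() on such DWARF so the question does not arise.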
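Review bot: the gdb_compile, `return -1` and clean_restart sequence in the testsuite hunk is exactly what prepare_for_testing does in one call, so the three statements can be replaced by a single prepare_for_testing invocation. Also confirm that "${binfile}" passed to gdb_compile and "${testfile}.x" passed to clean_restart name the same output file; letting prepare_for_testing derive the binary name removes that duplication.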
Thanks, Jan