Date: Fri, 14 Sep 2012 09:17:00 -0000
From: Siddhesh Poyarekar
To: gdb-patches@sourceware.org
Subject: [PATCH] Replace potentially unsafe alloca with xmalloc/xfree in value_concat
Message-ID: <20120914144629.67e493d0@spoyarek>
X-SW-Source: 2012-09/txt/msg00274.txt.bz2

Hi,

Here is another instance of an alloca that may not be safe. The value_concat function allocates space on the stack to concatenate two strings (or duplicate a string/char/bool n times). This is not safe because the requested space could cause alloca to move the stack pointer beyond the stack boundary. The attached patch replaces the alloca with xmalloc/xfree.

I don't have a test case to demonstrate this, but I think the only language this can probably be demonstrated in is Ada, a language that I have never used. I have however verified that this does not cause any regressions in the testsuite.

OK to commit?

Regards,
Siddhesh

gdb/ChangeLog:

	* valarith.c (value_concat): Replace unsafe ALLOCA with XMALLOC/XFREE.

Content-Disposition: attachment; filename=unsafe-alloca.patch

? unsafe-alloca.patch
Index: gdb/valarith.c
===================================================================
RCS file: /cvs/src/src/gdb/valarith.c,v
retrieving revision 1.105
diff -u -r1.105 valarith.c
--- gdb/valarith.c	16 Aug 2012 07:36:20 -0000	1.105
+++ gdb/valarith.c	14 Sep 2012 08:31:38 -0000
@@ -668,9 +668,11 @@ if (TYPE_CODE (type2) == TYPE_CODE_STRING || TYPE_CODE (type2) == TYPE_CODE_CHAR) { + struct cleanup *back_to; count = longest_to_int (value_as_long (inval1)); inval2len = TYPE_LENGTH (type2); - ptr = (char *) alloca (count * inval2len); + ptr = (char *) xmalloc (count * inval2len); + back_to = make_cleanup (xfree, ptr); if (TYPE_CODE (type2) == TYPE_CODE_CHAR) { char_type = type2; @@ -693,6 +695,7 @@ } } outval = value_string (ptr, count * inval2len, char_type); + do_cleanups (back_to); } else if (TYPE_CODE (type2) == TYPE_CODE_BOOL) { @@ -706,6 +709,8 @@ else if (TYPE_CODE (type1) == TYPE_CODE_STRING || TYPE_CODE (type1) == TYPE_CODE_CHAR) { + struct cleanup *back_to; + /* We have two character strings to concatenate. */ if (TYPE_CODE (type2) != TYPE_CODE_STRING && TYPE_CODE (type2) != TYPE_CODE_CHAR) @@ -714,7 +719,8 @@ } inval1len = TYPE_LENGTH (type1); inval2len = TYPE_LENGTH (type2); - ptr = (char *) alloca (inval1len + inval2len); + ptr = (char *) xmalloc (inval1len + inval2len); + back_to = make_cleanup (xfree, ptr); if (TYPE_CODE (type1) == TYPE_CODE_CHAR) { char_type = type1; @@ -737,6 +743,7 @@ memcpy (ptr + inval1len, value_contents (inval2), inval2len); } outval = value_string (ptr, inval1len + inval2len, char_type); + do_cleanups (back_to); } else if (TYPE_CODE (type1) == TYPE_CODE_BOOL) { --MP_/vhqUtG=rD5f3OH60/JeSiK3--
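Review bot: in the -668 hunk the size handed to xmalloc, `count * inval2len`, is still taken on trust: `count` is `longest_to_int (value_as_long (inval1))`, a value that comes from the debuggee, so it can be negative or large enough for the product to wrap, and the later `value_string (ptr, count * inval2len, char_type)` call in the -693 hunk then reads that many bytes from a buffer that is smaller than expected. Moving from the stack to the heap removes the stack-exhaustion problem the cover letter describes but not this one; reject a negative count and check the product for overflow before the `xmalloc` call. Minor style point: the added `struct cleanup *back_to;` is followed directly by `count = ...` with no blank line between declarations and statements, whereas the -706 hunk does add one.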
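The change the patch makes, carried one step further as an added example (written for this page, not gdb's code): the repeat case of value_concat built on the heap, with the count validated and the count * length product checked for overflow before allocating. The name repeat_string and its return-NULL-on-invalid-input contract are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Heap-allocated version of the repeat branch in value_concat: build
   `count` back-to-back copies of the `len`-byte string `src`.  Returns
   a malloc'd, NUL-terminated buffer the caller frees, or NULL when
   `count` is negative or `count * len + 1` does not fit in size_t.
   Hypothetical helper written for this example, not a gdb function.  */
char *repeat_string (const char *src, size_t len, int count)
{
  size_t total;
  char *ptr;
  int i;

  /* The count is a debuggee-supplied value, as in value_concat, so a
     negative number must not be converted into an enormous size_t.  */
  if (count < 0)
    return NULL;

  /* Check the product before forming it; the alloca version trusted
     it blindly, and a wrapped product would shrink the buffer.  */
  if (len != 0 && (size_t) count > (SIZE_MAX - 1) / len)
    return NULL;
  total = (size_t) count * len;

  /* Heap rather than stack: a large request fails cleanly instead of
     moving the stack pointer past the stack boundary.  */
  ptr = malloc (total + 1);
  if (ptr == NULL)
    return NULL;

  for (i = 0; i < count; i++)
    memcpy (ptr + (size_t) i * len, src, len);
  ptr[total] = '\0';
  return ptr;
}
```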