To: gdb-patches@sourceware.org
Subject: [PATCH] gdbserver: fix overlap in sprintf argument and buffer
Date: Tue, 20 Oct 2020 18:04:53 -0400
Message-Id: <20201020220453.302587-1-simon.marchi@polymtl.ca>
From: Simon Marchi via Gdb-patches
Reply-To: Simon Marchi
Errors-To: gdb-patches-bounces@sourceware.org
Sender: "Gdb-patches"

While trying to build on Cygwin (gcc 10.2.0), I got:

  CXX    server.o
/home/Baube/src/binutils-gdb/gdbserver/server.cc: In function ‘void handle_general_set(char*)’:
/home/Baube/src/binutils-gdb/gdbserver/server.cc:832:12: error: ‘sprintf’ argument 3 overlaps destination object ‘own_buf’ [-Werror=restrict]
  832 |   sprintf (own_buf, "E.Unknown thread-events mode requested: %s\n",
      |   ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  833 |            mode);
      |            ~~~~~
/home/Baube/src/binutils-gdb/gdbserver/server.cc:553:27: note: destination object referenced by ‘restrict’-qualified argument 1 was declared here
  553 | handle_general_set (char *own_buf)
      |                           ~~~~~~^~~~~~~

There is indeed a problem: mode points somewhere into own_buf. And by the time mode gets formatted as a %s, whatever it points to has been overwritten.

I hacked gdbserver to coerce it into that error path, and this is the resulting message:

(gdb) p own_buf
$1 = 0x629000000200 "E.Unknown thread-events mode requested: ad-events mode requested: 00;10:9020fdf7ff7f0000;thread:p49388.49388;core:e;\n"

Fix it by formatting the error string in an std::string first.

gdbserver/ChangeLog:

	* server.cc (handle_general_set): Don't use sprintf with argument
	overlapping buffer.

Change-Id: I4fdf05c0117f63739413dd67ddae7bd6ee414824
---
 gdbserver/server.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/gdbserver/server.cc b/gdbserver/server.cc
index 4a211a481873..0d8ee199af9e 100644
--- a/gdbserver/server.cc
+++ b/gdbserver/server.cc
@@ -829,8 +829,10 @@ handle_general_set (char *own_buf) else { /* We don't know what this mode is, so complain to GDB. */ - sprintf (own_buf, "E.Unknown thread-events mode requested: %s\n", - mode); + std::string err + = string_printf ("E.Unknown thread-events mode requested: %s\n", + mode); + sprintf (own_buf, "%s", err.c_str ()); return; }
-- 
2.28.0
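Review bot: the final `sprintf (own_buf, "%s", err.c_str ())` in this hunk removes the source/destination overlap, but it is still an unbounded copy into own_buf. Since `mode` pointed into own_buf, `err` is a tail of the buffer's previous contents plus the 40-character "E.Unknown thread-events mode requested: " prefix and a newline, so the reply can be longer than what own_buf held before the call. If the packet buffer's capacity is known at this point, a bounded copy such as `snprintf (own_buf, <buffer size>, "%s", err.c_str ())` would close that gap; failing that, `strcpy (own_buf, err.c_str ())` at least makes it plain that no formatting happens in the second step. The ChangeLog entry could also say why string_printf is needed (the argument aliases the destination) rather than only what changed.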
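The overlap described in the report next to the patched approach, as an added example that is not gdbserver's code: the stand-in buffer size OWN_BUF_SIZE, the simplified handle_thread_events_packet helper that parses a QThreadEvents packet, and std::string concatenation in place of string_printf are all assumptions of this example. It goes one step beyond the patch by bounding the final copy with snprintf.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for the packet buffer size (assumption; gdbserver's
// real buffer is larger and sized elsewhere).
constexpr size_t OWN_BUF_SIZE = 64;

// Pre-patch pattern: `mode` points INTO own_buf, the buffer sprintf writes to,
// so the %s argument is read after the prefix has already overwritten it.
// Undefined behaviour; kept only for contrast, never relied upon.
void reply_unknown_mode_overlapping (char *own_buf, const char *mode)
{
  sprintf (own_buf, "E.Unknown thread-events mode requested: %s\n", mode);
}

// Patched pattern, one step further: build the reply in a separate
// std::string first (the patch uses string_printf; plain concatenation here),
// then copy it into own_buf with an explicit bound so a long `mode` cannot
// run the reply past the packet buffer.
void reply_unknown_mode_safe (char *own_buf, size_t own_buf_size,
                              const char *mode)
{
  std::string err = "E.Unknown thread-events mode requested: ";
  err += mode;
  err += '\n';
  snprintf (own_buf, own_buf_size, "%s", err.c_str ());
}

// Hypothetical, simplified model of handle_general_set for a QThreadEvents
// packet: the mode value lives inside own_buf after the "QThreadEvents:"
// prefix.  Returns the reply text.
std::string handle_thread_events_packet (const char *packet)
{
  char own_buf[OWN_BUF_SIZE];
  snprintf (own_buf, sizeof own_buf, "%s", packet);
  const char *mode = own_buf + strlen ("QThreadEvents:");  // aliases own_buf
  if (strcmp (mode, "0") == 0 || strcmp (mode, "1") == 0)
    return "OK";
  reply_unknown_mode_safe (own_buf, sizeof own_buf, mode);
  return own_buf;
}

int main ()
{
  char buf[OWN_BUF_SIZE] = "QThreadEvents:bogus";
  reply_unknown_mode_overlapping (buf, buf + 14);  // garbled, as in the report
  printf ("overlapping: %ssafe:        %s", buf,
          handle_thread_events_packet ("QThreadEvents:bogus").c_str ());
}
```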