From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id H8MzFGV0yl9bPAAAWB0awg (envelope-from ) for ; Fri, 04 Dec 2020 12:39:49 -0500 Received: by simark.ca (Postfix, from userid 112) id 461981F0AB; Fri, 4 Dec 2020 12:39:49 -0500 (EST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id 9FB531E58D for ; Fri, 4 Dec 2020 12:39:48 -0500 (EST) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id C6AF239730E5; Fri, 4 Dec 2020 17:39:47 +0000 (GMT) Received: from mx2.suse.de (mx2.suse.de [195.135.220.15]) by sourceware.org (Postfix) with ESMTPS id 8E89A3854812 for ; Fri, 4 Dec 2020 17:39:43 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 8E89A3854812 Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=suse.de Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=tdevries@suse.de X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 9CBFEACB5 for ; Fri, 4 Dec 2020 17:39:42 +0000 (UTC) Date: Fri, 4 Dec 2020 18:39:40 +0100 From: Tom de Vries To: gdb-patches@sourceware.org Subject: [PATCH][gdb] Fix heap-buffer-overflow in completion_tracker::build_completion_result Message-ID: <20201204173939.GA7594@delia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gdb-patches-bounces@sourceware.org Sender: "Gdb-patches" Hi, When building gdb with address sanitizer and running test-case gdb.base/completion.exp, we run into: ... ==5743==ERROR: AddressSanitizer: heap-buffer-overflow on address \ 0x60200025c02f at pc 0x000000cd9d64 bp 0x7fff3297da30 sp 0x7fff3297da28 READ of size 1 at 0x60200025c02f thread T0 #0 0xcd9d63 in completion_tracker::build_completion_result(char const*, \ int, int) gdb/completer.c:2258 ... 0x60200025c02f is located 1 bytes to the left of 1-byte region \ [0x60200025c030,0x60200025c031) ... The problem is in this code in completion_tracker::build_completion_result: ... bool completion_suppress_append = (suppress_append_ws () || match_list[0][strlen (match_list[0]) - 1] == ' '); ... If strlen (match_list[0]) == 0, then we access match_list[0][-1]. Fix this by testing if the memory access is in bounds before doing the memory access. Tested on x86_64-linux. Any comments? Thanks, - Tom [gdb] Fix heap-buffer-overflow in completion_tracker::build_completion_result gdb/ChangeLog: 2020-12-04 Tom de Vries PR gdb/27003 * completer.c (completion_tracker::build_completion_result): Don't access match_list[0][-1]. --- gdb/completer.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/gdb/completer.c b/gdb/completer.c index 262c8556bf..83b46a0e4d 100644 --- a/gdb/completer.c +++ b/gdb/completer.c @@ -2253,9 +2253,11 @@ completion_tracker::build_completion_result (const char *text, /* If the tracker wants to, or we already have a space at the end of the match, tell readline to skip appending another. */ + char *match = match_list[0]; bool completion_suppress_append = (suppress_append_ws () - || match_list[0][strlen (match_list[0]) - 1] == ' '); + || (match[0] != '\0' + && match[strlen (match) - 1] == ' ')); return completion_result (match_list, 1, completion_suppress_append); }