From: Andrew Cagney <ac131313@cygnus.com>
To: Michael Snyder <msnyder@cygnus.com>
Cc: gdb-patches@sources.redhat.com
Subject: Re: [RFA] Crasher bug in infptrace.c
Date: Wed, 02 Jan 2002 22:26:00 -0000 [thread overview]
Message-ID: <3C33F983.4030605@cygnus.com> (raw)
In-Reply-To: <200112310020.fBV0Kr119534@reddwarf.cygnus.com>
> Here's one for the books...
>
> Child_xfer_memory (one of the oldest functions in gdb) uses alloca
> to allocate a buffer that can be arbitrarily large (as large as the
> size of a memory read/write). Alloca is known to be unsafe for large
> enough chunks of memory, because it puts them on the stack -- and
> sure enough, it turns out that you can crash GDB by reading a large
> enough data object from target memory. For Linux, "large enough"
> appears to be about 8 megabytes. But this code has been as it is
> for over ten years, and I've never heard of a problem with it before.
BTW, the gdbint.texinfo document suggests that anything more than a few
k is dangerous.
http://sources.redhat.com/gdb/onlinedocs/gdbint_13.html#SEC103
> Test case attached (although because it causes GDB to core dump,
> it results in an ERROR instead of a FAIL...)
>
> I don't believe this buffer is actually needed at all, but I've
> gone with the minimum change instead of rewriting the function
> so that it doesn't use a local buffer.
>
> By the way, this code has been cloned in rs6000-nat.c, symm-nat.c,
> infttrace.c, and x86-64-linux-nat.c, so they probably have the
> same bug. I haven't touched them because I can't easily test them.
Probably a good move, perhaps add a FIXME comment to them so that the
person that does encounter the bug knows they are not seeing things :-)
> + int alloc = count * sizeof (PTRACE_XFER_TYPE);
> + PTRACE_XFER_TYPE *buffer;
> +
> /* Allocate buffer of that many longwords. */
> ! if (len < GDB_MAX_ALLOCA)
> ! {
> ! buffer = (PTRACE_XFER_TYPE *) alloca (alloc);
> ! }
> ! else
> ! {
> ! buffer = (PTRACE_XFER_TYPE *) xmalloc (alloc);
> ! make_cleanup (xfree, buffer);
> ! }
I think it would be better to just abandon the alloca() case and just
use xmalloc(). That way the same code path (xmalloc()) is always used
and mysterious / obscure bugs that end up being attributed to
len?=GDB_MAX_ALLOCA can be avoided.
Andrew
next prev parent reply other threads:[~2002-01-03 6:26 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-12-30 16:25 Michael Snyder
2001-12-30 22:26 ` Eli Zaretskii
2001-12-31 12:03 ` Michael Snyder
2001-12-31 12:05 ` Michael Snyder
2001-12-31 22:05 ` Eli Zaretskii
2001-12-31 21:59 ` Eli Zaretskii
2002-01-02 22:26 ` Andrew Cagney [this message]
2002-01-03 11:27 ` Michael Snyder
2002-01-03 11:58 ` Andrew Cagney
2002-01-03 12:15 ` Michael Snyder
2002-01-13 17:48 ` Andrew Cagney
2002-01-13 18:41 ` Michael Snyder
2002-01-13 19:27 ` Andrew Cagney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3C33F983.4030605@cygnus.com \
--to=ac131313@cygnus.com \
--cc=gdb-patches@sources.redhat.com \
--cc=msnyder@cygnus.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox