Date: Wed, 10 Oct 2018 20:38:00 -0000
From: Simon Marchi
To: Richard Henderson
Cc: gdb-patches@sourceware.org
Subject: Re: [PATCH] Fix buffer overrun in fetch_register_using_p
In-Reply-To: <20181010154553.11515-1-richard.henderson@linaro.org>
References: <20181010154553.11515-1-richard.henderson@linaro.org>
Message-ID: <3e2871a8b012f6de8acca49a1be37bf3@polymtl.ca>

On 2018-10-10 11:45, Richard Henderson wrote:
> If the packet returned from the gdbserver is too long,
> the stack would be clobbered and gdb would crash.
>
> gdb/
> * remote.c (remote_target::fetch_register_using_p): Error if
> more data is received than expected in the packet.
> ---
>
> I am adding SVE support to QEMU's gdbserver stub, and managed to
> tickle this bug in the process.
>
>
> r~
>
> ---
> gdb/remote.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/gdb/remote.c b/gdb/remote.c
> index 724f41cf71..d68faf1046 100644
> --- a/gdb/remote.c
> +++ b/gdb/remote.c
> @@ -7958,7 +7958,8 @@ remote_target::fetch_register_using_p (struct > regcache *regcache, > struct gdbarch *gdbarch = regcache->arch (); > struct remote_state *rs = get_remote_state (); > char *buf, *p; > - gdb_byte *regp = (gdb_byte *) alloca (register_size (gdbarch, > reg->regnum)); > + int size = register_size (gdbarch, reg->regnum); > + gdb_byte *regp = (gdb_byte *) alloca (size); > int i; > > if (packet_support (PACKET_p) == PACKET_DISABLE)
> @@ -8003,6 +8004,8 @@ remote_target::fetch_register_using_p (struct > regcache *regcache, > { > if (p[1] == 0) > error (_("fetch_register_using_p: early buf termination")); > + if (i == size) > + error (_("fetch_register_using_p: late buf termination"));

Hi Richard,

As a user, I don't think I would understand "late buf termination". I think it could be more straightforward, like "the received value is larger than the register size".

Otherwise, this is OK, thanks for this.

Simon
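Review bot: the first hunk has been line-wrapped by the mail client: its header reads `@@ -7958,7 +7958,8 @@ remote_target::fetch_register_using_p (struct > regcache *regcache,` and the removed line is split at `(gdbarch, > reg->regnum));`, so the patch as posted will not apply with `git am`; please resend with wrapping disabled or via git send-email. The change itself is fine: computing `int size = register_size (gdbarch, reg->regnum);` once and passing it to `alloca (size)` makes the buffer length available to the decode loop, which is exactly what the second hunk needs.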
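Review bot: the new `if (i == size)` check in the second hunk is placed before the byte for the current iteration is stored, so a reply longer than the register now stops with an error before anything is written past the alloca'd buffer, which is the right place for it. The message should say what went wrong in the user's terms and carry the numbers that help diagnose a misbehaving stub, for instance `error (_("fetch_register_using_p: reply for register %d is longer than its %d-byte size"), reg->regnum, size);` (both values are in scope from the first hunk). The neighbouring `early buf termination` message has the same readability problem, but that is pre-existing and need not hold up this fix.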