Message-ID: <47da20a5-103a-47a8-83c5-8709030b4bee@suse.de>
Date: Tue, 6 Jan 2026 15:53:04 +0100
Subject: Re: [PATCH] [gdb] Fix heap-buffer-overflow in args_complete_p
From: Tom de Vries
To: Andrew Burgess, gdb-patches@sourceware.org
References: <20260103145559.2722584-1-tdevries@suse.de> <874iozygr7.fsf@redhat.com> <7beac4be-7924-48b5-804b-6400efd02834@suse.de>
In-Reply-To: <7beac4be-7924-48b5-804b-6400efd02834@suse.de>
List-Id: Gdb-patches mailing list

On 1/6/26 9:47 AM, Tom de Vries wrote:
> On 1/5/26 8:57 PM, Andrew Burgess wrote:
>> Tom de Vries writes:
>>
>>> PR gdb/33754 reports a heap-buffer-overflow here in args_complete_p:
>>> ...
>>>    while (*input != '\0')
>>> ...
>>>
>>> Fix this by introducing a lambda function at that safely handles all
>>> char
>>> array accesses.
>>
>> Sorry to be a bore, but after reading this commit, and the bug report,
>> it's still not obvious to me where the overflow actually occurs.
>>
>> I totally accept that this code is broken, but as I introduced this bug,
>> I wanted to learn from this mistake, but this commit doesn't really
>> explain what mistake is being fixed.
>>
>> Do you think you could explain what's actually going wrong here?
>>
>
> Hi Andrew,
>
> agreed, it's not spelled out, sorry about that.
>
> So, the heap-buffer-overflow happens with:
> ...
> (gdb) p args
> $1 = "\"first arg\" \"\" \"third-arg\" \"'\" \"\\\"\" \" \" \"\" "
> ...
> and it's the fact that we don't check for '\0' after skip_spaces that is
> the problem.  I think it should be possible to reproduce the problem
> with args == " ".
>
> So a minimal fix for this problem is:
> ...
> diff --git a/gdb/infcmd.c b/gdb/infcmd.c
> index 1a7daf1461b..fdcd4e4ba96 100644
> --- a/gdb/infcmd.c
> +++ b/gdb/infcmd.c
> @@ -131,6 +131,8 @@ args_complete_p (const std::string &args)
>    while (*input != '\0')
>      {
>        input = skip_spaces (input);
> +      if (*input == '\0')
> +    break;
>
>        if (squote)
>      {
> ...
>
> But the strchr problem is also there, so this:
> ...
> diff --git a/gdb/infcmd.c b/gdb/infcmd.c
> index 1a7daf1461b..4bcd523f79b 100644
> --- a/gdb/infcmd.c
> +++ b/gdb/infcmd.c
> @@ -177,6 +177,8 @@ args_complete_p (const std::string &args)
>          dquote = true;
>      }
>
> +      if (*input == '\0')
> +    break;
>        ++input;
>      }
>
> ...
> would catch both, I think.  Not that I'm suggesting this fix.
>

I've submitted a v2 ( https://sourceware.org/pipermail/gdb-patches/2026-January/223715.html ) handling both problems explicitly.

Thanks,
- Tom

> Thanks,
> - Tom
>
>> Thanks,
>> Andrew
>>
>>
>>
>>
>>>
>>> Also:
>>> - factor out char array accesses using new variables c and next_c, and
>>> - check for end-of-string after skip_spaces.
>>>
>>> Tested on x86_64-linux.
>>>
>>> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33754
>>> ---
>>>   gdb/infcmd.c | 24 +++++++++++++++++-------
>>>   1 file changed, 17 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/gdb/infcmd.c b/gdb/infcmd.c
>>> index 875bbe1ee69..ceacfd05683 100644
>>> --- a/gdb/infcmd.c
>>> +++ b/gdb/infcmd.c
>>> @@ -126,17 +126,27 @@ static bool
>>>   args_complete_p (const std::string &args)
>>>   {
>>>     const char *input = args.c_str ();
>>> +  const char *end = input + args.length ();
>>>     bool squote = false, dquote = false;
>>> -  while (*input != '\0')
>>> +  auto at = [&] (const char *s)
>>> +    {
>>> +      return s > end ? '\0' : *s;
>>> +    };
>>> +
>>> +  while (at (input) != '\0')
>>>       {
>>>         input = skip_spaces (input);
>>> +      char c = at (input);
>>> +      if (c == '\0')
>>> +    break;
>>> +      char next_c = at (input + 1);
>>>         if (squote)
>>>       {
>>>         /* Inside a single quoted argument, look for the closing single
>>>            quote.  */
>>> -      if (*input == '\'')
>>> +      if (c == '\'')
>>>           squote = false;
>>>       }
>>>         else if (dquote)
>>> @@ -148,10 +158,10 @@ args_complete_p (const std::string &args)
>>>            and we don't skip the entire '\\' then we'll only skip the
>>>            first '\', in which case we might see the second '\' as a
>>> '\"'
>>>            sequence, which would be wrong.  */
>>> -      if (*input == '\\' && strchr ("\"\\", *(input + 1)) != nullptr)
>>> +      if (c == '\\' && strchr ("\"\\", next_c) != nullptr)
>>>           ++input;
>>>         /* Otherwise, just look for the closing double quote.  */
>>> -      else if (*input == '"')
>>> +      else if (c == '"')
>>>           dquote = false;
>>>       }
>>>         else
>>> @@ -162,7 +172,7 @@ args_complete_p (const std::string &args)
>>>            a quoted argument.  The '\\' we need to skip so we don't just
>>>            skip the first '\' and then incorrectly consider the second
>>>            '\' are part of a '\"' or '\'' sequence.  */
>>> -      if (*input == '\\' && strchr ("\"\\'", *(input + 1)) != nullptr)
>>> +      if (c == '\\' && strchr ("\"\\'", next_c) != nullptr)
>>>           ++input;
>>>         /* Otherwise, check for the start of a single or double quoted
>>>            argument.  Single quotes have no special meaning on Windows
>>> @@ -170,10 +180,10 @@ args_complete_p (const std::string &args)
>>>            host to determine what is, or isn't a special character, when
>>>            really, this is a function of the target.  */
>>>   #ifndef _WIN32
>>> -      else if (*input == '\'')
>>> +      else if (c == '\'')
>>>           squote = true;
>>>   #endif
>>> -      else if (*input == '"')
>>> +      else if (c == '"')
>>>           dquote = true;
>>>       }
>>>
>>> base-commit: 0a153c58a0ab68c6fa349d2ad0bf6a42e043ab23
>>> --
>>> 2.51.0
>>
>
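Review bot: in the first minimal hunk (@@ -131,6 +131,8), the `if (*input == '\0') break;` after `skip_spaces` closes the trailing-whitespace case (args == " " walks onto the NUL and the `++input` at the loop bottom then steps past it), but the escape branches can still read the terminator through `*(input + 1)`, and `strchr ("\"\\", '\0')` returns a non-null pointer to the searched string's own NUL, so a trailing backslash still advances onto the terminator and the final `++input` goes beyond it; that is the strchr problem named in the reply and only the second minimal hunk covers it.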
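Review bot: in the second minimal hunk (@@ -177,6 +177,8), the `if (*input == '\0') break;` ahead of `++input` is sufficient but treats the symptom rather than the cause; an explicit `*(input + 1) != '\0'` test in front of each `strchr` call would stop the escape code from consuming the terminator in the first place and would document why the NUL needs special treatment there.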
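Review bot: in the first hunk of the v1 patch (@@ -126,17 +126,27), `at` returns `*s` when `s == end`, so the exact-end case still depends on the NUL terminator that `c_str ()` provides; `s >= end` would make the bound independent of the terminator and simpler to audit. A comment saying that `at` is now the only way `input` is read would also help the next reader not to reintroduce a raw `*input` or `*(input + 1)`.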
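Review bot: in the second and third hunks of the v1 patch (@@ -148,10 +158,10 and @@ -162,7 +172,7), `strchr ("\"\\", next_c)` and `strchr ("\"\\'", next_c)` still match when `next_c` is `'\0'`, because strchr treats the terminator as part of the searched string, so a backslash as the last character is taken as an escape and `++input` lands on the NUL; `at` then turns the following read into `'\0'`, which removes the overflow, but the intent is clearer with `next_c != '\0' &&` in front of each `strchr` test, and it keeps the loop from relying on `at` to mask a walk past the end.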
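A stand-alone version of the quote-completeness check with both end-of-string hazards discussed in the thread handled explicitly, written as an added example for this page (it is neither gdb's code nor the v2 patch); `skip_spaces_stub` and the final return expression are my assumptions about gdb's helpers:

```cpp
#include <cstring>
#include <string>

// Stand-in for gdb's skip_spaces (assumption): skip blanks, stop at the NUL.
static const char *skip_spaces_stub (const char *p)
{
  while (*p == ' ' || *p == '\t')
    ++p;
  return p;
}

// strchr matches '\0' (the terminator belongs to the searched string), which
// is why a trailing backslash satisfied the escape test in the original code.
bool strchr_matches_nul ()
{
  return std::strchr ("\"\\", '\0') != nullptr;
}

// Modelled on args_complete_p, with two explicit guards: stop if skip_spaces
// landed on the NUL, and never treat the NUL as an escapable character.
bool args_complete_p (const std::string &args)
{
  const char *input = args.c_str ();
  bool squote = false, dquote = false;
  while (*input != '\0')
    {
      input = skip_spaces_stub (input);
      if (*input == '\0')
        break;                          // only whitespace remained
      char c = *input;
      char next_c = input[1];           // at most the terminator: in bounds
      if (squote)
        squote = (c != '\'');           // closing single quote?
      else if (dquote)
        {
          if (c == '\\' && next_c != '\0' && std::strchr ("\"\\", next_c))
            ++input;                    // consume the escaped character
          else if (c == '"')
            dquote = false;
        }
      else if (c == '\\' && next_c != '\0' && std::strchr ("\"\\'", next_c))
        ++input;
      else if (c == '\'')
        squote = true;
      else if (c == '"')
        dquote = true;
      ++input;
    }
  return !squote && !dquote;            // assumed return convention
}
```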