Subject: Re: [PATCH OBV] Fix stack buffer overflow in aarch64_extract_return_value
To: Yao Qi, gdb-patches@sourceware.org
From: Simon Marchi
Date: Mon, 16 Nov 2015 15:42:00 -0000
Message-ID: <5649F94E.20308@ericsson.com>
In-Reply-To: <1447687997-10665-1-git-send-email-yao.qi@linaro.org>

On 15-11-16 10:33 AM, Yao Qi wrote:
> Hi,
> I build GDB with -fsanitize=address, and run the testsuite.  In
> gdb.base/callfuncs.exp, I see the following error,
>
> p/c fun1()
> =================================================================
> ==9601==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffee858530 at pc 0x6df079 bp 0x7fffee8583a0 sp 0x7fffee858398
> WRITE of size 16 at 0x7fffee858530 thread T0
>     #0 0x6df078 in regcache_raw_read /home/yao/SourceCode/gnu/gdb/git/gdb/regcache.c:673
>     #1 0x6dfe1e in regcache_cooked_read /home/yao/SourceCode/gnu/gdb/git/gdb/regcache.c:751
>     #2 0x4696a3 in aarch64_extract_return_value /home/yao/SourceCode/gnu/gdb/git/gdb/aarch64-tdep.c:1708
>     #3 0x46ae57 in aarch64_return_value /home/yao/SourceCode/gnu/gdb/git/gdb/aarch64-tdep.c:1918
>
> We are extracting the return value from V registers (128 bit), but only
> allocate an X_REGISTER_SIZE-byte array, which isn't sufficient.  This
> patch changes the array to V_REGISTER_SIZE.
>
> It's obvious.  I'll push it in.
>
> gdb:
>
> 2015-11-16  Yao Qi
>
> 	* aarch64-tdep.c (aarch64_extract_return_value): Change array
> 	buf's length to V_REGISTER_SIZE.
> ---
>  gdb/aarch64-tdep.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/gdb/aarch64-tdep.c b/gdb/aarch64-tdep.c
> index 4b82553..4fa555d 100644
> --- a/gdb/aarch64-tdep.c
> +++ b/gdb/aarch64-tdep.c
> @@ -1630,7 +1630,7 @@ aarch64_extract_return_value (struct type *type, struct regcache *regs,
>        for (i = 0; i < elements; i++)
>          {
>            int regno = AARCH64_V0_REGNUM + i;
> -          bfd_byte buf[X_REGISTER_SIZE];
> +          bfd_byte buf[V_REGISTER_SIZE];
>
>            if (aarch64_debug)
>              {

Hi Yao,

-fsanitize=address is awesome.  Do you think we could always run tests with it enabled on buildbot?

Simon
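Review bot: The `+ bfd_byte buf[V_REGISTER_SIZE];` line sizes the buffer for the V registers this loop reads (regno = AARCH64_V0_REGNUM + i), which is the right fix for the 16-byte write the sanitizer reported, but nothing in the hunk ties the buffer size to the register actually read, so a later change to the register class would reintroduce the same silent overflow and only be caught when someone happens to run with -fsanitize=address. Consider guarding the read with `gdb_assert (register_size (get_regcache_arch (regs), regno) <= sizeof (buf));` (both helpers exist in GDB's regcache API) or at least a one-line comment above the declaration stating that buf must hold a full 128-bit V register, since the old X_REGISTER_SIZE declaration looked equally plausible at a glance.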