From: Andrew Burgess
To: Tom de Vries, gdb-patches@sourceware.org
Subject: Re: [PATCH] [gdb] Fix heap-buffer-overflow in args_complete_p
In-Reply-To: <874iozygr7.fsf@redhat.com>
References: <20260103145559.2722584-1-tdevries@suse.de> <874iozygr7.fsf@redhat.com>
Date: Mon, 05 Jan 2026 20:02:58 +0000
Message-ID: <871pk3ygi5.fsf@redhat.com>

Andrew Burgess writes:

> Tom de Vries writes:
>
>> PR gdb/33754 reports a heap-buffer-overflow here in args_complete_p:
>> ...
>>     while (*input != '\0')
>> ...
>>
>> Fix this by introducing a lambda function that safely handles all char
>> array accesses.
>
> Sorry to be a bore, but after reading this commit, and the bug report,
> it's still not obvious to me where the overflow actually occurs.
>
> I totally accept that this code is broken, but as I introduced this bug,
> I wanted to learn from this mistake, but this commit doesn't really
> explain what mistake is being fixed.
>
> Do you think you could explain what's actually going wrong here?

Literally after hitting send, it occurred to me, is the problem maybe
these two lines:

  if (*input == '\\' && strchr ("\"\\", *(input + 1)) != nullptr)
    ++input;

And the other one in the 'else' block?

I think if *(input + 1) is '\0', then the strchr call will return
non-nullptr, which wasn't the desired behaviour, and could result in
stepping outside the string.

If this is the case then I think the correct fix would be checking if
the character at 'input + 1' is NULL or not, see the possible patch
below (there's no commit message or anything for it yet).
Thanks, Andrew --- diff --git i/gdb/infcmd.c w/gdb/infcmd.c index 875bbe1ee69..7dd3392c96a 100644 --- i/gdb/infcmd.c +++ w/gdb/infcmd.c @@ -148,7 +148,9 @@ args_complete_p (const std::string &args) and we don't skip the entire '\\' then we'll only skip the first '\', in which case we might see the second '\' as a '\"' sequence, which would be wrong. */ - if (*input == '\\' && strchr ("\"\\", *(input + 1)) != nullptr) + if (*input == '\\' + && *(input + 1) != '\0' + && strchr ("\"\\", *(input + 1)) != nullptr) ++input; /* Otherwise, just look for the closing double quote. */ else if (*input == '"') @@ -162,7 +164,9 @@ args_complete_p (const std::string &args) a quoted argument. The '\\' we need to skip so we don't just skip the first '\' and then incorrectly consider the second '\' are part of a '\"' or '\'' sequence. */ - if (*input == '\\' && strchr ("\"\\'", *(input + 1)) != nullptr) + if (*input == '\\' + && *(input + 1) != '\0' + && strchr ("\"\\'", *(input + 1)) != nullptr) ++input; /* Otherwise, check for the start of a single or double quoted argument. Single quotes have no special meaning on Windows
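Review bot: in the double-quote hunk (the first @@ -148,7 +148,9 @@ block) the added `*(input + 1) != '\0'` guard is the right fix, but the comment above the condition should say why it is needed, since the existing text only explains the '\\' skip. strchr() treats the terminating NUL as part of the searched string, so `strchr ("\"\\", '\0')` returns a pointer to the terminator rather than nullptr; without the guard the `++input` skips over the end of the string and the outer `while (*input != '\0')` then reads past it. A one-line note such as `/* strchr matches '\0', so check for end of string first.  */` would keep the next reader from reintroducing the bug. Reading `*(input + 1)` is itself safe here: the loop condition guarantees `*input != '\0'`, so `input + 1` is at most the terminator of the std::string.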
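Review bot: the second hunk (@@ -162,7 +164,9 @@, the non-quoted branch) repeats the same three-part test with a different character set, so the NUL check now has to be remembered in two places. Consider factoring `*(input + 1) != '\0' && strchr (set, *(input + 1)) != nullptr` into a small helper (or the lambda Tom's original patch proposed) so the guard cannot be dropped from one branch but not the other. The change should also ship with a regression test whose argument string ends in a lone backslash, both outside and inside an unterminated double quote, since that is the input that reaches these conditions with '\0' after the backslash.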
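As an added illustration (example code written for this page, not gdb's code and not part of the patch above): a scanner with the same loop shape as args_complete_p, with the strchr test in its unguarded and guarded forms, run over constructed argument strings that end in a backslash. Each string is copied into a padded buffer whose bytes after the terminating NUL are 'x', so the over-read shows up as a count instead of undefined behaviour. The names scan_args, scan_padded and escapes_next are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <initializer_list>

/* Result of one scan: whether every quote was closed, and how many bytes the
   loop examined beyond the string's terminating NUL (0 = stayed in bounds).  */
struct scan_result
{
  bool complete;
  size_t overrun;
};

/* The test the patch guards.  With GUARDED false this is the original
   condition: strchr() searches the terminator too, so when *(input + 1) is
   '\0' the call returns a non-null pointer and the caller steps past the
   end of the string.  */
static bool
escapes_next (const char *input, const char *set, bool guarded)
{
  if (guarded && *(input + 1) == '\0')
    return false;
  return strchr (set, *(input + 1)) != nullptr;
}

/* Hypothetical scanner modelled on the loop in args_complete_p (not gdb's
   code).  BUF is NUL-terminated and lives inside a CAP-byte buffer, so an
   over-read is reported as a count instead of reading foreign memory.  */
static scan_result
scan_args (const char *buf, size_t cap, bool guarded)
{
  const char *input = buf;
  const char *limit = buf + cap;
  size_t len = strlen (buf);
  bool in_dquote = false;

  while (input < limit && *input != '\0')
    {
      if (in_dquote)
        {
          /* Inside "...": '\"' and '\\' are escape sequences.  */
          if (*input == '\\' && escapes_next (input, "\"\\", guarded))
            ++input;
          else if (*input == '"')
            in_dquote = false;
        }
      else
        {
          /* Outside quotes: '\"', '\\' and '\'' are escape sequences.  */
          if (*input == '\\' && escapes_next (input, "\"\\'", guarded))
            ++input;
          else if (*input == '"')
            in_dquote = true;
        }
      ++input;
    }

  size_t consumed = input - buf;
  return { !in_dquote, consumed > len ? consumed - len : 0 };
}

/* Place S (constructed test input, at most 14 bytes) in a 16-byte buffer:
   S, its NUL, then 'x' bytes, then a final NUL so the unguarded scan stops.  */
static scan_result
scan_padded (const char *s, bool guarded)
{
  char buf[16];
  memset (buf, 'x', sizeof buf);
  buf[sizeof buf - 1] = '\0';
  memcpy (buf, s, strlen (s) + 1);
  return scan_args (buf, sizeof buf, guarded);
}

int
main ()
{
  /* Constructed inputs: trailing backslash, trailing backslash inside an
     unterminated quote, and a well-formed escaped quote.  */
  const char *inputs[] = { "abc\\", "\"abc\\", "\"a\\\"b\"" };
  for (const char *s : inputs)
    for (bool guarded : { false, true })
      {
        scan_result r = scan_padded (s, guarded);
        printf ("%-10s guarded=%d complete=%d overrun=%zu\n",
                s, guarded, r.complete, r.overrun);
      }
  return 0;
}
```

With the unguarded test, "abc\" makes the scanner skip the terminator and walk the eleven padding bytes before the final NUL stops it; with the guard it stops at the real end of the string, and the well-formed "a\"b" case behaves identically either way, which is the behaviour the one-line check is meant to preserve.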