From: Andrew Burgess
To: Tom de Vries, gdb-patches@sourceware.org
Subject: Re: [PATCH] [gdb] Fix heap-buffer-overflow in args_complete_p
In-Reply-To: <20260103145559.2722584-1-tdevries@suse.de>
References: <20260103145559.2722584-1-tdevries@suse.de>
Date: Mon, 05 Jan 2026 19:57:32 +0000
Message-ID: <874iozygr7.fsf@redhat.com>

Tom de Vries writes:

> PR gdb/33754 reports a heap-buffer-overflow here in args_complete_p:
> ...
>   while (*input != '\0')
> ...
>
> Fix this by introducing a lambda function that safely handles all char
> array accesses.

Sorry to be a bore, but after reading this commit, and the bug report, it's
still not obvious to me where the overflow actually occurs.

I totally accept that this code is broken, but as I introduced this bug, I
wanted to learn from this mistake, but this commit doesn't really explain
what mistake is being fixed.

Do you think you could explain what's actually going wrong here?

Thanks,
Andrew

>
> Also:
> - factor out char array accesses using new variables c and next_c, and
> - check for end-of-string after skip_spaces.
>
> Tested on x86_64-linux.
>
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33754
> ---
>  gdb/infcmd.c | 24 +++++++++++++++++-------
>  1 file changed, 17 insertions(+), 7 deletions(-)
> > diff --git a/gdb/infcmd.c b/gdb/infcmd.c > index 875bbe1ee69..ceacfd05683 100644 > --- a/gdb/infcmd.c > +++ b/gdb/infcmd.c > @@ -126,17 +126,27 @@ static bool > args_complete_p (const std::string &args) > { > const char *input = args.c_str (); > + const char *end = input + args.length (); > bool squote = false, dquote = false; > > - while (*input != '\0') > + auto at = [&] (const char *s) > + { > + return s > end ? '\0' : *s; > + }; > + > + while (at (input) != '\0') > { > input = skip_spaces (input); > + char c = at (input); > + if (c == '\0') > + break; > + char next_c = at (input + 1); > > if (squote) > { > /* Inside a single quoted argument, look for the closing single > quote. */ > - if (*input == '\'') > + if (c == '\'') > squote = false; > } > else if (dquote) > @@ -148,10 +158,10 @@ args_complete_p (const std::string &args) > and we don't skip the entire '\\' then we'll only skip the > first '\', in which case we might see the second '\' as a '\"' > sequence, which would be wrong. */ > - if (*input == '\\' && strchr ("\"\\", *(input + 1)) != nullptr) > + if (c == '\\' && strchr ("\"\\", next_c) != nullptr) > ++input; > /* Otherwise, just look for the closing double quote. */ > - else if (*input == '"') > + else if (c == '"') > dquote = false; > } > else > @@ -162,7 +172,7 @@ args_complete_p (const std::string &args) > a quoted argument. The '\\' we need to skip so we don't just > skip the first '\' and then incorrectly consider the second > '\' are part of a '\"' or '\'' sequence. */ > - if (*input == '\\' && strchr ("\"\\'", *(input + 1)) != nullptr) > + if (c == '\\' && strchr ("\"\\'", next_c) != nullptr) > ++input; > /* Otherwise, check for the start of a single or double quoted > argument. Single quotes have no special meaning on Windows 
> @@ -170,10 +180,10 @@ args_complete_p (const std::string &args) > host to determine what is, or isn't a special character, when > really, this is a function of the target. */ > #ifndef _WIN32 > - else if (*input == '\'') > + else if (c == '\'') > squote = true; > #endif > - else if (*input == '"') > + else if (c == '"') > dquote = true; > } > > > base-commit: 0a153c58a0ab68c6fa349d2ad0bf6a42e043ab23 > -- > 2.51.0
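Review bot: In the first hunk (@@ -126,17), the lambda `return s > end ? '\0' : *s;` still dereferences `s == end` and relies on the terminator that `c_str ()` guarantees; `s >= end` would make the bound explicit. The new `if (c == '\0') break;` after `skip_spaces` is the part that should be spelled out in the commit message, since it is the visible fix for the triggering input: when the arguments end in whitespace, `skip_spaces` returns a pointer to the terminating NUL, the old code fell through to the quote tests with `*input == '\0'`, and the loop's next `while (*input != '\0')` test is then performed past the end of the buffer. Naming that input (trailing blanks) in the commit message would answer the question raised in the reply.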
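Review bot: In the second hunk (@@ -148,10), `strchr ("\"\\", next_c)` with `next_c == '\0'` returns a pointer to the pattern's own terminator rather than `nullptr`, so a trailing backslash is still treated as an escape and the `++input` that follows steps onto the NUL; the `at` lambda now keeps the subsequent reads in bounds, but the intent is clearer and the skip is avoided with an explicit `next_c != '\0' &&` in the condition. The same applies to the `strchr ("\"\\'", next_c)` test in the third hunk (@@ -162,7).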
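As an added illustration (not part of the original patch or of gdb's code) of the checked-access approach the commit message describes, and of the two inputs that matter for it, trailing whitespace and a trailing backslash: a stand-alone C++ version of the patched args_complete_p, with a hypothetical skip_spaces stand-in and an explicit next_c != '\0' guard in front of strchr.

```cpp
#include <cstring>
#include <string>
// Stand-in for gdb's skip_spaces helper (assumed here, not gdb's code).
static const char *skip_spaces (const char *p)
{ while (*p == ' ' || *p == '\t') ++p; return p; }

// Bounds-checked version of the patched args_complete_p logic: every read goes
// through `at`, which yields '\0' at or past the terminator instead of reading
// beyond the std::string buffer.  Non-Windows host assumed (single quotes delimit).
bool args_complete_p (const std::string &args)
{
  const char *input = args.c_str ();
  const char *end = input + args.length ();
  bool squote = false, dquote = false;
  auto at = [&] (const char *s) { return s >= end ? '\0' : *s; };
  while (at (input) != '\0')
    {
      /* Trailing whitespace lands skip_spaces on the terminator; without
         this check the ++input below would step past it.  */
      input = skip_spaces (input);
      char c = at (input);
      if (c == '\0')
        break;
      /* next_c != '\0' is tested before strchr: strchr (pat, '\0') matches
         the pattern's own terminator, so a trailing '\' would otherwise
         count as an escape and the NUL would be skipped.  */
      char next_c = at (input + 1);
      bool escaped = c == '\\' && next_c != '\0';
      if (squote)
        squote = c != '\'';
      else if (dquote)
        {
          if (escaped && strchr ("\"\\", next_c) != nullptr)
            ++input;
          else if (c == '"')
            dquote = false;
        }
      else
        {
          if (escaped && strchr ("\"\\'", next_c) != nullptr)
            ++input;
          else if (c == '\'')
            squote = true;
          else if (c == '"')
            dquote = true;
        }
      ++input;
    }
  return !squote && !dquote;
}
```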