Subject: Re: [PATCH] [gdb] Fix heap-buffer-overflow in args_complete_p
Date: Wed, 7 Jan 2026 12:21:19 +0100
To: Andrew Burgess, gdb-patches@sourceware.org
References: <20260103145559.2722584-1-tdevries@suse.de>
 <874iozygr7.fsf@redhat.com>
 <7beac4be-7924-48b5-804b-6400efd02834@suse.de>
 <875x9dwvhe.fsf@redhat.com>
From: Tom de Vries
In-Reply-To: <875x9dwvhe.fsf@redhat.com>
List-Id: Gdb-patches mailing list

On 1/7/26 11:46 AM, Andrew Burgess wrote:
> Tom de Vries writes:
>
>> On 1/5/26 8:57 PM, Andrew Burgess wrote:
>>> Tom de Vries writes:
>>>
>>>> PR gdb/33754 reports a heap-buffer-overflow here in args_complete_p:
>>>> ...
>>>> while (*input != '\0')
>>>> ...
>>>>
>>>> Fix this by introducing a lambda function that safely handles all char
>>>> array accesses.
>>>
>>> Sorry to be a bore, but after reading this commit, and the bug report,
>>> it's still not obvious to me where the overflow actually occurs.
>>>
>>> I totally accept that this code is broken, but as I introduced this bug,
>>> I wanted to learn from this mistake, but this commit doesn't really
>>> explain what mistake is being fixed.
>>>
>>> Do you think you could explain what's actually going wrong here?
>>>
>>
>> Hi Andrew,
>>
>> agreed, it's not spelled out, sorry about that.
>>
>> So, the heap-buffer-overflow happens with:
>> ...
>> (gdb) p args
>> $1 = "\"first arg\" \"\" \"third-arg\" \"'\" \"\\\"\" \" \" \"\" "
>> ...
>> and it's the fact that we don't check for '\0' after skip_spaces that is
>> the problem. I think it should be possible to reproduce the problem
>> with args == " ".
>
> Thanks for breaking it down for me. I don't really like the original
> lambda function approach that was proposed, I'd prefer to just see the
> correct checks added to the loop. More inline below...
>
>>
>> So a minimal fix for this problem is:
>> ...
>> diff --git a/gdb/infcmd.c b/gdb/infcmd.c
>> index 1a7daf1461b..fdcd4e4ba96 100644
>> --- a/gdb/infcmd.c
>> +++ b/gdb/infcmd.c
>> @@ -131,6 +131,8 @@ args_complete_p (const std::string &args)
>> while (*input != '\0')
>> {
>> input = skip_spaces (input);
>> + if (*input == '\0')
>> + break;
>
> I think I prefer this to Tom's proposed 'for' loop, but I don't feel
> super strongly each way.
>
>>
>> if (squote)
>> {
>> ...
>>
>> But the strchr problem is also there, so this:
>> ...
>> diff --git a/gdb/infcmd.c b/gdb/infcmd.c
>> index 1a7daf1461b..4bcd523f79b 100644
>> --- a/gdb/infcmd.c
>> +++ b/gdb/infcmd.c
>> @@ -177,6 +177,8 @@ args_complete_p (const std::string &args)
>> dquote = true;
>> }
>>
>> + if (*input == '\0')
>> + break;
>
> I'd replace this with 'gdb_assert (*input != '\0');', and then use
> something like the extra check I proposed next to the strchr calls. Or
> maybe we should add a new helper function in gdbsupport/ like:
>
> static char *
> strchr_not_null (char *s, int c)
> {
>   if (c == '\0')
>     return nullptr;
>
>   return strchr (s, c);
> }
>
> static const char *
> strchr_not_null (const char *s, int c)
> {
>   return strchr_not_null (const_cast (s), c);
> }
>
> which wraps the null check. Either would be fine with me.
>
> I also liked the selftests you added, I extended them to:
>
> static void
> check_str (const std::string &str, bool complete_p)
> {
>   const char *end;
>
>   SELF_CHECK (args_complete_p (str, &end) == complete_p);
>   SELF_CHECK (end == str.data () + str.size ());
> }
>
> static void
> infcmd_args_complete_p_tests (void)
> {
>   check_str (" ", true);
>   check_str ("\\", true);
>   check_str ("\"\\", false);
> }
>
> which covers all the bugs that are being fixed here.
>

Hi Andrew,

thanks for the comments.

But by now, a v2 was submitted, approved and committed.

So perhaps you want to submit a refactoring patch addressing some of your
insights here.  Otherwise, I can take it further.

Let me know what you prefer.

Thanks,
- Tom
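Review bot: The commit message for the `@@ -131,6 +131,8 @@ args_complete_p` hunk should state the mechanism this thread had to reconstruct: the `while (*input != '\0')` condition is evaluated before `input = skip_spaces (input);` moves `input`, so once skip_spaces stops on the terminator nothing below the added `if (*input == '\0') break;` was protected, and `args == " "` is the minimal trigger. Land the `check_str (" ", true)` self-test from this thread together with the hunk so that case stays covered. Also reconcile the signatures: the hunk header shows `args_complete_p (const std::string &args)` with a single parameter, while the extended self-test calls `args_complete_p (str, &end)` and then requires `end == str.data () + str.size ()`; if `end` is an out-parameter of the function under test, the new `break` must leave it on the terminator, and that contract deserves a line in the function comment.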
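Review bot: The second `if (*input == '\0') break;` in the `@@ -177,6 +177,8 @@ args_complete_p` hunk guards the symptom rather than the cause named in the message ("the strchr problem"): if `input` can only reach the terminator here because a '\0' search character was handed to strchr, which returns a pointer to the terminator rather than nullptr, the check belongs at those strchr calls, as the `strchr_not_null` helper quoted in this thread does by returning nullptr for `c == '\0'`, with `gdb_assert (*input != '\0')` kept at this spot so an unexpected terminator fails loudly instead of silently ending the loop. The `check_str ("\"\\", false)` case appears to be the one that reaches this double-quote path, so it should land with whichever guard is chosen. If the helper goes into gdbsupport/, it needs a comment on why '\0' is refused, and the quoted `const_cast (s)` is missing the template argument that selects the `char *` overload.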
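As an added worked example (my own code, not gdb's and not from anyone in this thread): a minimal quote-aware scanner in the shape of args_complete_p with the two '\0' guards discussed above, plus the strchr_not_null helper Andrew sketched. The scanner name scan_args_complete, its exact quoting rules (single quotes take no escapes, a backslash escapes one character everywhere else) and the const_cast<char *> template argument are assumptions of this example; the check_str mirror and the three test strings follow the self-test quoted in the thread.

```cpp
// Added example, not gdb's code: a quote-aware scanner in the shape of
// args_complete_p, with the '\0' guards the thread discusses.  The name
// scan_args_complete and the exact quoting rules are assumptions.
#include <cstring>
#include <iostream>
#include <string>

// Like gdb's skip_spaces: stops on the terminator, so callers must re-check.
static const char *
skip_spaces (const char *p)
{
  while (*p == ' ' || *p == '\t')
    p++;
  return p;
}

// Andrew's helper: std::strchr (s, '\0') returns a pointer to the terminator,
// which a scanner would then step past; refuse that search character.
static char *
strchr_not_null (char *s, int c)
{
  if (c == '\0')
    return nullptr;
  return std::strchr (s, c);
}

static const char *
strchr_not_null (const char *s, int c)
{
  // Template argument assumed; the thread's copy lost it in transit.
  return strchr_not_null (const_cast<char *> (s), c);
}

// True when ARGS has no unterminated quote.  *END is always left on the
// terminator, which is what the thread's check_str asserts.
static bool
scan_args_complete (const std::string &args, const char **end)
{
  const char *input = args.c_str ();
  bool squote = false, dquote = false;

  while (*input != '\0')
    {
      input = skip_spaces (input);
      // Guard from the first hunk: skip_spaces may land on '\0', and the
      // while-condition was tested before INPUT moved.
      if (*input == '\0')
        break;

      if (squote)
        {
          // 'like this' takes no escapes: find the closing quote or give up.
          const char *close = strchr_not_null (input, '\'');
          if (close == nullptr)
            {
              input += std::strlen (input);
              break;
            }
          input = close + 1;
          squote = false;
          continue;
        }

      if (*input == '\\')
        {
          // A backslash escapes one character; a trailing one leaves us on
          // the terminator, so stop instead of stepping past it (the case
          // the second hunk guards).
          input++;
          if (*input == '\0')
            break;
          input++;
          continue;
        }

      if (dquote)
        dquote = (*input != '"');
      else if (*input == '\'')
        squote = true;
      else if (*input == '"')
        dquote = true;
      input++;
    }

  *end = input;
  return !squote && !dquote;
}

// Mirror of the thread's check_str, returning the verdict instead of
// SELF_CHECKing it: the result must match and END must be the terminator.
static bool
check_str (const std::string &str, bool complete_p)
{
  const char *end = nullptr;
  bool ok = scan_args_complete (str, &end) == complete_p;
  return ok && end == str.data () + str.size ();
}

int
main ()
{
  std::cout << check_str (" ", true) << check_str ("\\", true)
            << check_str ("\"\\", false) << '\n';  // prints 111
  return 0;
}
```

The two guards are the only places where the scanner can be sitting on the terminator with code still to run below it; every other advance is immediately followed by the loop test. Under this example's rules the args string from Tom's gdb session scans as complete with END on the terminator, which is the property the `SELF_CHECK (end == ...)` line in the thread pins down.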