Date: Thu, 23 Feb 2023 21:14:26 +0000 (GMT)
From: "Maciej W. Rozycki" To: Simon Marchi , gdb-patches@sourceware.org cc: Andrew Burgess , Tom Tromey , Richard Bunt Subject: [PATCH] GDB: Fix out of bounds accesses with limited-length values Message-ID: User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gdb-patches-bounces+public-inbox=simark.ca@sourceware.org Sender: "Gdb-patches" Fix accesses to limited-length values in `contents_copy_raw' and `contents_copy_raw_bitwise' so that they observe the limit of the original allocation. Reported by Simon Marchi as a heap-buffer-overflow AddressSanitizer issue triggered with gdb.ada/limited-length.exp. --- Hi, Verified to remove the original issue and not to cause any regressions with and w/o AddressSanitizer and native `x86_64-linux-gnu'. OK to apply? Maciej --- gdb/value.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) gdb-limited-length-array-value-contents-copy-fix.diff Index: src/gdb/value.c =================================================================== --- src.orig/gdb/value.c +++ src/gdb/value.c @@ -1168,6 +1168,11 @@ value::contents_copy_raw (struct value * mean we'd be copying garbage. */ gdb_assert (!dst->m_lazy && !m_lazy); + ULONGEST copy_length = length; + ULONGEST limit = m_limited_length; + if (limit > 0 && src_offset + length > limit) + copy_length = src_offset > limit ? 0 : limit - src_offset; + /* The overwritten DST range gets unavailability ORed in, not replaced. Make sure to remember to implement replacing if it turns out actually necessary. */ 
@@ -1178,10 +1183,10 @@ value::contents_copy_raw (struct value * /* Copy the data. */ gdb::array_view dst_contents = dst->contents_all_raw ().slice (dst_offset * unit_size, - length * unit_size); + copy_length * unit_size); gdb::array_view src_contents = contents_all_raw ().slice (src_offset * unit_size, - length * unit_size); + copy_length * unit_size); gdb::copy (src_contents, dst_contents); /* Copy the meta-data, adjusted. */ @@ -1206,6 +1211,12 @@ value::contents_copy_raw_bitwise (struct mean we'd be copying garbage. */ gdb_assert (!dst->m_lazy && !m_lazy); + ULONGEST copy_bit_length = bit_length; + ULONGEST bit_limit = m_limited_length * TARGET_CHAR_BIT; + if (bit_limit > 0 && src_bit_offset + bit_length > bit_limit) + copy_bit_length = (src_bit_offset > bit_limit ? 0 + : bit_limit - src_bit_offset); + /* The overwritten DST range gets unavailability ORed in, not replaced. Make sure to remember to implement replacing if it turns out actually necessary. */ @@ -1220,7 +1231,7 @@ value::contents_copy_raw_bitwise (struct gdb::array_view src_contents = contents_all_raw (); copy_bitwise (dst_contents.data (), dst_bit_offset, src_contents.data (), src_bit_offset, - bit_length, + copy_bit_length, type_byte_order (type ()) == BFD_ENDIAN_BIG); /* Copy the meta-data. */
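Review bot: The new clamp in `value::contents_copy_raw` (first hunk) has no comment explaining why `m_limited_length` bounds the copy or that a value of 0 means "not limited"; the lines `ULONGEST limit = m_limited_length;` and `if (limit > 0 && src_offset + length > limit)` read as magic without one. Please add a short comment above them. Also, only the source's limit is consulted here: if `dst` can itself be a limited-length value, `dst_offset + copy_length` would need the same check against `dst->m_limited_length`, since the `dst->contents_all_raw ().slice (...)` call below trusts it.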
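Review bot: With both slices in the second hunk now taking `copy_length * unit_size`, the DST bytes between `copy_length` and `length` are no longer written, yet the trailing context `/* Copy the meta-data, adjusted. */` suggests the metadata copy that follows still operates on `length`. Please confirm that the unavailability/optimized-out ranges copied for the truncated tail are what callers expect, and state in a comment that DST bytes beyond the source limit are intentionally left untouched (or mark them unavailable if that is the intent).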
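Review bot: The clamp is duplicated in `contents_copy_raw_bitwise` (third hunk) as `bit_limit = m_limited_length * TARGET_CHAR_BIT`, and the two copies already differ in formatting (the ternary is parenthesised here but not in `contents_copy_raw`). Factoring the "clamp (offset, length) to limit" computation into one small helper would keep the two in sync, and the `bit_limit > 0` sentinel for "unlimited" deserves a comment, since `m_limited_length == 0` and "no limit" are conflated in both places.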