Skip to content
This repository has been archived by the owner on Aug 17, 2022. It is now read-only.

Commit

Permalink
Fix one heap buffer overflow in aarch64_push_dummy_call
Browse files Browse the repository at this point in the history 
Hi,
AddressSanitizer reports an error like this,

(gdb) PASS: gdb.base/call-ar-st.exp: continue to tbreak9
print print_long_arg_list(a, b, c, d, e, f, *struct1, *struct2, *struct3, *struct4, *flags, *flags_combo, *three_char, *five_char, *int_char_combo, *d1, *d2, *d3, *f1, *f2, *f3)
=================================================================
==6236==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200008eb50 at pc 0x89e432 bp 0x7fffa3df9080 sp 0x7fffa3df9078
READ of size 5 at 0x60200008eb50 thread T0
    #0 0x89e431 in memory_xfer_partial gdb/target.c:1264
    #1 0x89e6c7 in target_xfer_partial gdb/target.c:1320
    #2 0x89f267 in target_write_partial gdb/target.c:1595^M
    #3 0x8a014b in target_write_with_progress gdb/target.c:1889^M
    #4 0x8a0262 in target_write gdb/target.c:1914^M
    #5 0x89ee59 in target_write_memory gdb/target.c:1492^M
    #6 0x9a1c74 in write_memory gdb/corefile.c:393^M
    #7 0x467ea5 in aarch64_push_dummy_call gdb/aarch64-tdep.c:1388

The problem is that an instance of stack_item_t is created to adjust
stack for alignment, the item.len is correct, but item.data is buf,
which is wrong, because item.len can be greater than the length of
buf.  This patch sets item.data to NULL, and only update sp (no
inferior memory writes on stack for this item).

gdb:

2015-12-17  Yao Qi  <[email protected]>

	* aarch64-tdep.c (struct stack_item_t): Update comments.
	(pass_on_stack): Set item.data to NULL.
	(aarch64_push_dummy_call): Call write_memory if si->data
	isn't NULL.
  • Loading branch information
Yao Qi committed Dec 17, 2015
1 parent 10c9892 commit c3c8744
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 3 deletions.
7 changes: 7 additions & 0 deletions gdb/ChangeLog
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
2015-12-17 Yao Qi <[email protected]>

* aarch64-tdep.c (struct stack_item_t): Update comments.
(pass_on_stack): Set item.data to NULL.
(aarch64_push_dummy_call): Call write_memory if si->data
isn't NULL.

2015-12-16 Pedro Alves <[email protected]>

* configure.ac (compiler warning flags): When testing a
Expand Down
8 changes: 5 additions & 3 deletions gdb/aarch64-tdep.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -855,7 +855,8 @@ aarch64_dwarf2_frame_init_reg (struct gdbarch *gdbarch, int regnum,

typedef struct
{
/* Value to pass on stack. */
/* Value to pass on stack. It can be NULL if this item is for stack
padding. */
const gdb_byte *data;

/* Size in bytes of value to pass on stack. */
Expand Down Expand Up @@ -1124,7 +1125,7 @@ pass_on_stack (struct aarch64_call_info *info, struct type *type,
int pad = align - (info->nsaa & (align - 1));

item.len = pad;
item.data = buf;
item.data = NULL;

VEC_safe_push (stack_item_t, info->si, &item);
info->nsaa += pad;
Expand Down Expand Up @@ -1382,7 +1383,8 @@ aarch64_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
stack_item_t *si = VEC_last (stack_item_t, info.si);

sp -= si->len;
write_memory (sp, si->data, si->len);
if (si->data != NULL)
write_memory (sp, si->data, si->len);
VEC_pop (stack_item_t, info.si);
}

Expand Down

0 comments on commit c3c8744

Please sign in to comment.