This is the mail archive of the gdb-cvs@sourceware.org mailing list for the GDB project.
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]
[binutils-gdb] Allocate buffer with proper size in amd64_pseudo_register_{read_value, write}

From: Simon Marchi <simark at sourceware dot org>
To: gdb-cvs at sourceware dot org
Date: 22 Oct 2018 02:10:41 -0000
Subject: [binutils-gdb] Allocate buffer with proper size in amd64_pseudo_register_{read_value, write}
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=925047fed0d6ab86e6fe86d3e22e1aa9dde7b3eb

commit 925047fed0d6ab86e6fe86d3e22e1aa9dde7b3eb
Author: Simon Marchi <simon.marchi@polymtl.ca>
Date:   Sun Oct 21 22:09:24 2018 -0400

    Allocate buffer with proper size in amd64_pseudo_register_{read_value,write}
    
    Running "maintenance selftest" on an amd64 build with AddressSanitizer
    enabled, I get this:
    
    ==18126==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdf72397c1 at pc 0x7fb5f437b011 bp 0x7ffdf7239740 sp 0x7ffdf7238ee8
    WRITE of size 8 at 0x7ffdf72397c1 thread T0
        #0 0x7fb5f437b010 in __interceptor_memcpy /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:737
        #1 0x55a1f899c1b3 in readable_regcache::raw_read(int, unsigned char*) /home/simark/src/binutils-gdb/gdb/regcache.c:530
        #2 0x55a1f7db241b in amd64_pseudo_register_read_value /home/simark/src/binutils-gdb/gdb/amd64-tdep.c:384
        #3 0x55a1f8413a2e in gdbarch_pseudo_register_read_value(gdbarch*, readable_regcache*, int) /home/simark/src/binutils-gdb/gdb/gdbarch.c:1992
        #4 0x55a1f899c9d1 in readable_regcache::cooked_read(int, unsigned char*) /home/simark/src/binutils-gdb/gdb/regcache.c:636
        #5 0x55a1f89a2251 in cooked_read_test /home/simark/src/binutils-gdb/gdb/regcache.c:1649
    
    In amd64_pseudo_register_read_value, when we try to read the al
    register, for example, we need to read rax and extract al from it.  We
    allocate a buffer of the size of al (1 byte):
    
      gdb_byte *raw_buf = (gdb_byte *) alloca (register_size (gdbarch, regnum));
    
    but read in it the whole rax value (8 bytes):
    
      status = regcache->raw_read (gpnum, raw_buf);
    
    Fix it by allocating a buffer correctly sized for the full register from
    which the smaller register is extracted.  The
    amd64_pseudo_register_write function had the same problem.
    
    gdb/ChangeLog:
    
    	* amd64-tdep.c (amd64_pseudo_register_read_value): Use
    	correctly-sized buffer with raw_read.
    	(amd64_pseudo_register_write): Use correctly-sized buffer for
    	raw_read/raw_write.

Diff:
---
 gdb/ChangeLog    |  7 +++++++
 gdb/amd64-tdep.c | 31 ++++++++++++++++++-------------
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index d3653d7..190d760 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,10 @@
+2018-10-21  Simon Marchi  <simon.marchi@polymtl.ca>
+
+	* amd64-tdep.c (amd64_pseudo_register_read_value): Use
+	correctly-sized buffer with raw_read.
+	(amd64_pseudo_register_write): Use correctly-sized buffer for
+	raw_read/raw_write.
+
 2018-10-19  Philippe Waroquiers  <philippe.waroquiers@skynet.be>
 
 	* typeprint.c (_initialize_typeprint): Fix wrong prefixname arg
diff --git a/gdb/amd64-tdep.c b/gdb/amd64-tdep.c
index 088542d..abf3e4d 100644
--- a/gdb/amd64-tdep.c
+++ b/gdb/amd64-tdep.c
@@ -352,16 +352,12 @@ amd64_pseudo_register_read_value (struct gdbarch *gdbarch,
 				  readable_regcache *regcache,
 				  int regnum)
 {
-  gdb_byte *raw_buf = (gdb_byte *) alloca (register_size (gdbarch, regnum));
   struct gdbarch_tdep *tdep = gdbarch_tdep (gdbarch);
-  enum register_status status;
-  struct value *result_value;
-  gdb_byte *buf;
 
-  result_value = allocate_value (register_type (gdbarch, regnum));
+  value *result_value = allocate_value (register_type (gdbarch, regnum));
   VALUE_LVAL (result_value) = lval_register;
   VALUE_REGNUM (result_value) = regnum;
-  buf = value_contents_raw (result_value);
+  gdb_byte *buf = value_contents_raw (result_value);
 
   if (i386_byte_regnum_p (gdbarch, regnum))
     {
@@ -370,9 +366,11 @@ amd64_pseudo_register_read_value (struct gdbarch *gdbarch,
       /* Extract (always little endian).  */
       if (gpnum >= AMD64_NUM_LOWER_BYTE_REGS)
 	{
+	  gpnum -= AMD64_NUM_LOWER_BYTE_REGS;
+	  gdb_byte raw_buf[register_size (gdbarch, gpnum)];
+
 	  /* Special handling for AH, BH, CH, DH.  */
-	  status = regcache->raw_read (gpnum - AMD64_NUM_LOWER_BYTE_REGS,
-				       raw_buf);
+	  register_status status = regcache->raw_read (gpnum, raw_buf);
 	  if (status == REG_VALID)
 	    memcpy (buf, raw_buf + 1, 1);
 	  else
@@ -381,7 +379,8 @@ amd64_pseudo_register_read_value (struct gdbarch *gdbarch,
 	}
       else
 	{
-	  status = regcache->raw_read (gpnum, raw_buf);
+	  gdb_byte raw_buf[register_size (gdbarch, gpnum)];
+	  register_status status = regcache->raw_read (gpnum, raw_buf);
 	  if (status == REG_VALID)
 	    memcpy (buf, raw_buf, 1);
 	  else
@@ -392,8 +391,9 @@ amd64_pseudo_register_read_value (struct gdbarch *gdbarch,
   else if (i386_dword_regnum_p (gdbarch, regnum))
     {
       int gpnum = regnum - tdep->eax_regnum;
+      gdb_byte raw_buf[register_size (gdbarch, gpnum)];
       /* Extract (always little endian).  */
-      status = regcache->raw_read (gpnum, raw_buf);
+      register_status status = regcache->raw_read (gpnum, raw_buf);
       if (status == REG_VALID)
 	memcpy (buf, raw_buf, 4);
       else
@@ -412,7 +412,6 @@ amd64_pseudo_register_write (struct gdbarch *gdbarch,
 			     struct regcache *regcache,
 			     int regnum, const gdb_byte *buf)
 {
-  gdb_byte *raw_buf = (gdb_byte *) alloca (register_size (gdbarch, regnum));
   struct gdbarch_tdep *tdep = gdbarch_tdep (gdbarch);
 
   if (i386_byte_regnum_p (gdbarch, regnum))
@@ -421,15 +420,20 @@ amd64_pseudo_register_write (struct gdbarch *gdbarch,
 
       if (gpnum >= AMD64_NUM_LOWER_BYTE_REGS)
 	{
+	  gpnum -= AMD64_NUM_LOWER_BYTE_REGS;
+	  gdb_byte raw_buf[register_size (gdbarch, gpnum)];
+
 	  /* Read ... AH, BH, CH, DH.  */
-	  regcache->raw_read (gpnum - AMD64_NUM_LOWER_BYTE_REGS, raw_buf);
+	  regcache->raw_read (gpnum, raw_buf);
 	  /* ... Modify ... (always little endian).  */
 	  memcpy (raw_buf + 1, buf, 1);
 	  /* ... Write.  */
-	  regcache->raw_write (gpnum - AMD64_NUM_LOWER_BYTE_REGS, raw_buf);
+	  regcache->raw_write (gpnum, raw_buf);
 	}
       else
 	{
+	  gdb_byte raw_buf[register_size (gdbarch, gpnum)];
+
 	  /* Read ...  */
 	  regcache->raw_read (gpnum, raw_buf);
 	  /* ... Modify ... (always little endian).  */
@@ -441,6 +445,7 @@ amd64_pseudo_register_write (struct gdbarch *gdbarch,
   else if (i386_dword_regnum_p (gdbarch, regnum))
     {
       int gpnum = regnum - tdep->eax_regnum;
+      gdb_byte raw_buf[register_size (gdbarch, gpnum)];
 
       /* Read ...  */
       regcache->raw_read (gpnum, raw_buf);
Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]