This is the mail archive of the
gdb-testers@sourceware.org
mailing list for the GDB project.
[binutils-gdb/gdb-7.12-branch] Fix heap-buffer-overflow in explicit_location_lex_one
- From: sergiodj+buildbot at sergiodj dot net
- To: gdb-testers at sourceware dot org
- Date: Mon, 15 Aug 2016 08:16:13 -0400
- Subject: [binutils-gdb/gdb-7.12-branch] Fix heap-buffer-overflow in explicit_location_lex_one
- Authentication-results: sourceware.org; auth=none
*** TEST RESULTS FOR COMMIT 23d4200c35e9325436f8bb3f9382dd5e4847a21f ***
Author: Yao Qi <yao.qi@linaro.org>
Branch: gdb-7.12-branch
Commit: 23d4200c35e9325436f8bb3f9382dd5e4847a21f
Fix heap-buffer-overflow in explicit_location_lex_one
I build GDB with -fsanitize=address, and see the error in tests,
(gdb) PASS: gdb.linespec/ls-errs.exp: lang=C++: break 3 foo
break -line 3 foo
=================================================================
==4401==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000047487 at pc 0x819d8e bp 0x7fff4e4e6bb0 sp 0x7fff4e4e6ba8
READ of size 1 at 0x603000047487 thread T0
#0 0x819d8d in explicit_location_lex_one /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:502
#1 0x81a185 in string_to_explicit_location(char const**, language_defn const*, int) /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:556
#2 0x81ac10 in string_to_event_location(char**, language_defn const*) /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:687
the code in question is:
> /* Special case: C++ operator,. */
> if (language->la_language == language_cplus
>     && strncmp (*inp, "operator", 8) <--- [1]
>     && (*inp)[9] == ',')
>   (*inp) += 9;
> ++(*inp);
The error is caused by the access to (*inp)[9] if 9 is out of its bounds.
However [1] looks odd to me, because if strncmp returns true (non-zero),
the following check "(*inp)[9] == ','" makes no sense any more. I
suspect it was a typo in the code; we meant "strncmp () == 0". Another
problem in the code above is that if *inp is "operator,", we first
increment *inp by 9, and then increment it by one again, which is wrong
to me. We should only increment *inp by 8 to skip "operator", and go
back to the loop header to decide where we stop.
gdb:
2016-08-15 Yao Qi <yao.qi@linaro.org>
* location.c (explicit_location_lex_one): Compare the return
value of strncmp with zero. Don't check (*inp)[9]. Increment
*inp by 8.
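The two defects described in the commit message, the inverted strncmp test and the unconditional (*inp)[9] read, can be reproduced outside GDB. The block below is an added example and is not GDB's code: it models the quoted loop body with a hypothetical lexer whose tokens end at whitespace, ',' or NUL (the real loop condition in explicit_location_lex_one is not shown on this page, so that is an assumption), and places the buggy and the corrected logic side by side. The names lex_buggy, lex_fixed, token_len_buggy, token_len_fixed, LANG_CPLUS and the sample buffers are ours. The corrected version also requires the byte after "operator" to be ',' before consuming it; that guard is our addition, not part of the upstream fix, and it is safe because a successful eight-byte strncmp guarantees that index 8 is inside the string (at worst the terminating NUL).

```c
/* Added example, not GDB's code: a minimal model of the "operator,"
   special case in explicit_location_lex_one, buggy and fixed.
   Assumption: a token ends at whitespace, ',' or NUL, and the loop body
   is the snippet quoted in the commit message.  */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum lang { LANG_C, LANG_CPLUS };

static int at_delim (char c)
{
  return c == '\0' || isspace ((unsigned char) c) || c == ',';
}

/* The original logic with both defects kept on purpose: strncmp's result
   is used as a boolean, so the branch is taken exactly when the input does
   NOT start with "operator", and (*inp)[9] is then read no matter how short
   the buffer is.  Call it only on a buffer of at least 10 readable bytes;
   on a 4-byte heap string this is the read AddressSanitizer reported.  */
static size_t lex_buggy (const char **inp, enum lang lang)
{
  const char *start = *inp;
  while (!at_delim (**inp))
    {
      if (lang == LANG_CPLUS
          && strncmp (*inp, "operator", 8)   /* bug: should be == 0 */
          && (*inp)[9] == ',')               /* bug: out-of-bounds read */
        (*inp) += 9;
      ++(*inp);
    }
  return (size_t) (*inp - start);
}

/* The corrected logic: compare strncmp with zero and skip only the eight
   bytes of "operator", leaving the ',' for the ++ below and the loop
   header to handle.  The (*inp)[8] == ',' guard is our addition: index 8
   is in bounds once strncmp matched eight bytes, and the guard keeps a
   bare "operator" followed by a delimiter from swallowing that delimiter.  */
static size_t lex_fixed (const char **inp, enum lang lang)
{
  const char *start = *inp;
  while (!at_delim (**inp))
    {
      if (lang == LANG_CPLUS
          && strncmp (*inp, "operator", 8) == 0
          && (*inp)[8] == ',')
        (*inp) += 8;   /* now at ',', consumed by the ++ below */
      ++(*inp);
    }
  return (size_t) (*inp - start);
}

/* Convenience wrappers: length of the first token of S.  */
static size_t token_len_buggy (const char *s, enum lang lang)
{
  const char *p = s;
  return lex_buggy (&p, lang);
}

static size_t token_len_fixed (const char *s, enum lang lang)
{
  const char *p = s;
  return lex_fixed (&p, lang);
}

/* Constructed sample inputs, zero-padded to 32 bytes so that lex_buggy's
   (*inp)[9] read stays inside the array and only its logic error shows.  */
static const char sample_operator[32] = "operator, foo";
static const char sample_plain[32] = "abcdefghi,x";

int main (void)
{
  /* Buggy: the C++ special case never fires on "operator," (token "operator",
     8 bytes), while an unrelated word whose tenth byte is ',' has that
     delimiter skipped ("abcdefghi,x" becomes one 11-byte token).  */
  printf ("buggy  operator: %zu\n", token_len_buggy (sample_operator, LANG_CPLUS));
  printf ("buggy  plain:    %zu\n", token_len_buggy (sample_plain, LANG_CPLUS));
  /* Fixed: "operator," is one 9-byte token, and "abcdefghi" stops at the ','.  */
  printf ("fixed  operator: %zu\n", token_len_fixed (sample_operator, LANG_CPLUS));
  printf ("fixed  plain:    %zu\n", token_len_fixed (sample_plain, LANG_CPLUS));
  return 0;
}
```

Compiling this with -fsanitize=address and calling lex_buggy on a short malloc'd string such as "foo" reproduces a heap-buffer-overflow READ of size 1 on the (*inp)[9] line; lex_fixed never reads past index 8 of a string that matched "operator" and never past the NUL otherwise.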
- Follow-Ups:
- Failures on Fedora-x86_64-native-gdbserver-m32, branch gdb-7.12-branch
- Failures on Fedora-x86_64-native-extended-gdbserver-m32, branch gdb-7.12-branch
- Failures on Fedora-x86_64-cc-with-index, branch gdb-7.12-branch
- Failures on Fedora-i686, branch gdb-7.12-branch
- Failures on Ubuntu-AArch64-m64, branch gdb-7.12-branch
- Failures on Debian-i686, branch gdb-7.12-branch
- Failures on Fedora-x86_64-m32, branch gdb-7.12-branch
- Failures on Debian-x86_64-native-extended-gdbserver-m64, branch gdb-7.12-branch
- Failures on Debian-i686-native-extended-gdbserver, branch gdb-7.12-branch
- Failures on Fedora-x86_64-m64, branch gdb-7.12-branch
- Failures on Debian-s390x-native-extended-gdbserver-m64, branch gdb-7.12-branch
- Failures on Fedora-ppc64be-m64, branch gdb-7.12-branch
- Failures on Fedora-ppc64be-native-gdbserver-m64, branch gdb-7.12-branch
- Failures on Fedora-ppc64le-native-extended-gdbserver-m64, branch gdb-7.12-branch
- Failures on Fedora-ppc64be-native-extended-gdbserver-m64, branch gdb-7.12-branch
- Failures on Fedora-ppc64be-cc-with-index, branch gdb-7.12-branch