From patchwork Wed Oct 10 15:45:53 2018
X-Patchwork-Submitter: Richard Henderson
X-Patchwork-Id: 29698
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
From: Richard Henderson
To: gdb-patches@sourceware.org
Subject: [PATCH] Fix buffer overrun in fetch_register_using_p
Date: Wed, 10 Oct 2018 08:45:53 -0700
Message-Id: <20181010154553.11515-1-richard.henderson@linaro.org>

If the packet returned from the gdbserver is too long, the stack would be clobbered and gdb would crash.

gdb/
	* remote.c (remote_target::fetch_register_using_p): Error if more
	data is received than expected in the packet.
---

I am adding SVE support to QEMU's gdbserver stub, and managed to tickle this bug in the process.

r~
---
 gdb/remote.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gdb/remote.c b/gdb/remote.c
index 724f41cf71..d68faf1046 100644
--- a/gdb/remote.c
+++ b/gdb/remote.c
@@ -7958,7 +7958,8 @@ remote_target::fetch_register_using_p (struct regcache *regcache, struct gdbarch *gdbarch = regcache->arch (); struct remote_state *rs = get_remote_state (); char *buf, *p; - gdb_byte *regp = (gdb_byte *) alloca (register_size (gdbarch, reg->regnum)); + int size = register_size (gdbarch, reg->regnum); + gdb_byte *regp = (gdb_byte *) alloca (size); int i; if (packet_support (PACKET_p) == PACKET_DISABLE)
@@ -8003,6 +8004,8 @@ remote_target::fetch_register_using_p (struct regcache *regcache, { if (p[1] == 0) error (_("fetch_register_using_p: early buf termination")); + if (i == size) + error (_("fetch_register_using_p: late buf termination")); regp[i++] = fromhex (p[0]) * 16 + fromhex (p[1]); p += 2;
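Review bot: in the second hunk the new `if (i == size)` guard is placed correctly, before the store `regp[i++] = ...`, so a reply carrying more hex digits than twice the register size can no longer write past the buffer that the first hunk now sizes with the same `size` value; the one change I would suggest is the message text. "late buf termination" mirrors the existing "early buf termination" wording but does not tell the user what was wrong with the reply, so something like `error (_("fetch_register_using_p: packet longer than register size"))` would make a report from a misbehaving stub (such as the SVE work mentioned in the cover note) much easier to diagnose. Keeping the check after the `p[1] == 0` odd-length test is fine, since both conditions are fatal and the order only decides which diagnostic is printed.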