From patchwork Mon Nov 16 15:33:17 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yao Qi X-Patchwork-Id: 9689 Received: (qmail 5091 invoked by alias); 16 Nov 2015 15:33:24 -0000 Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-patches-owner@sourceware.org Delivered-To: mailing list gdb-patches@sourceware.org Received: (qmail 5080 invoked by uid 89); 16 Nov 2015 15:33:23 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-2.3 required=5.0 tests=AWL, BAYES_00, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW, SPF_PASS autolearn=ham version=3.3.2 X-HELO: mail-pa0-f47.google.com Received: from mail-pa0-f47.google.com (HELO mail-pa0-f47.google.com) (209.85.220.47) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-GCM-SHA256 encrypted) ESMTPS; Mon, 16 Nov 2015 15:33:22 +0000 Received: by padhx2 with SMTP id hx2so178417856pad.1 for ; Mon, 16 Nov 2015 07:33:20 -0800 (PST) X-Received: by 10.66.161.35 with SMTP id xp3mr55735623pab.13.1447688000663; Mon, 16 Nov 2015 07:33:20 -0800 (PST) Received: from E107787-LIN.cambridge.arm.com (gcc1-power7.osuosl.org. [140.211.15.137]) by smtp.gmail.com with ESMTPSA id uy1sm37395044pac.39.2015.11.16.07.33.19 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 16 Nov 2015 07:33:20 -0800 (PST) From: Yao Qi X-Google-Original-From: Yao Qi To: gdb-patches@sourceware.org Subject: [PATCH OBV] Fix stack buffer overflow in aarch64_extract_return_value Date: Mon, 16 Nov 2015 15:33:17 +0000 Message-Id: <1447687997-10665-1-git-send-email-yao.qi@linaro.org> X-IsSubscribed: yes Hi, I build GDB with -fsanitize=address, and run testsuite. In gdb.base/callfuncs.exp, I see the following error, p/c fun1() =================================================================^M ==9601==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffee858530 at pc 0x6df079 bp 0x7fffee8583a0 sp 0x7fffee858398 WRITE of size 16 at 0x7fffee858530 thread T0 #0 0x6df078 in regcache_raw_read /home/yao/SourceCode/gnu/gdb/git/gdb/regcache.c:673 #1 0x6dfe1e in regcache_cooked_read /home/yao/SourceCode/gnu/gdb/git/gdb/regcache.c:751 #2 0x4696a3 in aarch64_extract_return_value /home/yao/SourceCode/gnu/gdb/git/gdb/aarch64-tdep.c:1708 #3 0x46ae57 in aarch64_return_value /home/yao/SourceCode/gnu/gdb/git/gdb/aarch64-tdep.c:1918 We are extracting return value from V registers (128 bit), but only allocate X_REGISTER_SIZE-byte array, which isn't sufficient. This patch changes the array to V_REGISTER_SIZE. It's ovbious. I'll push it in. gdb: 2015-11-16 Yao Qi * aarch64-tdep.c (aarch64_extract_return_value): Change array buf's length to V_REGISTER_SIZE. --- gdb/aarch64-tdep.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gdb/aarch64-tdep.c b/gdb/aarch64-tdep.c index 4b82553..4fa555d 100644 --- a/gdb/aarch64-tdep.c +++ b/gdb/aarch64-tdep.c @@ -1630,7 +1630,7 @@ aarch64_extract_return_value (struct type *type, struct regcache *regs, for (i = 0; i < elements; i++) { int regno = AARCH64_V0_REGNUM + i; - bfd_byte buf[X_REGISTER_SIZE]; + bfd_byte buf[V_REGISTER_SIZE]; if (aarch64_debug) {