From patchwork Fri Aug 12 12:44:50 2016
X-Patchwork-Submitter: Yao Qi
X-Patchwork-Id: 14517
Mailing-List: gdb-patches@sourceware.org
From: Yao Qi
To: gdb-patches@sourceware.org
Cc: keiths@redhat.com
Subject: [PATCH master/7.12] Fix heap-buffer-overflow in explicit_location_lex_one
Date: Fri, 12 Aug 2016 13:44:50 +0100
Message-Id: <1471005890-24205-1-git-send-email-yao.qi@linaro.org>

I build GDB with -fsanitize=address, and see the error in tests,

(gdb) PASS: gdb.linespec/ls-errs.exp: lang=C++: break 3 foo
break -line 3 foo
=================================================================
==4401==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000047487 at pc 0x819d8e bp 0x7fff4e4e6bb0 sp 0x7fff4e4e6ba8
READ of size 1 at 0x603000047487 thread T0
    #0 0x819d8d in explicit_location_lex_one /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:502
    #1 0x81a185 in string_to_explicit_location(char const**, language_defn const*, int) /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:556
    #2 0x81ac10 in string_to_event_location(char**, language_defn const*) /home/yao/SourceCode/gnu/gdb/git/gdb/location.c:687

the code in question is:

>	  /* Special case: C++ operator,.  */
>	  if (language->la_language == language_cplus
>	      && strncmp (*inp, "operator", 8)        <--- [1]
>	      && (*inp)[9] == ',')
>	    (*inp) += 9;
>	  ++(*inp);

The error is caused by the access to (*inp)[9] if 9 is out of its bounds. However, [1] looks odd to me, because if strncmp returns true (non-zero), the following check "(*inp)[9] == ','" makes no sense any more. I suspect it was a typo in the code; we meant "strncmp () == 0".

Another problem in the code above is that if *inp is "operator,", we first increment *inp by 9, and then increment it by one again, which is wrong to me. We should only increment *inp by 8 to skip "operator", and go back to the loop header to decide where we stop.

Is it OK?

gdb:

2016-08-11  Yao Qi

	* location.c (explicit_location_lex_one): Compare the return
	value of strncmp with zero.  Don't check (*inp)[9].  Increment
	*inp by 8.
--- gdb/location.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/gdb/location.c b/gdb/location.c index 071d262..65116c7 100644 --- a/gdb/location.c +++ b/gdb/location.c @@ -498,9 +498,8 @@ explicit_location_lex_one (const char **inp, { /* Special case: C++ operator,. */ if (language->la_language == language_cplus - && strncmp (*inp, "operator", 8) - && (*inp)[9] == ',') - (*inp) += 9; + && strncmp (*inp, "operator", 8) == 0) + (*inp) += 8; ++(*inp); } }
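Review bot: the `(*inp) += 8;` is still followed by the unconditional `++(*inp);`, so whenever the eight letters of "operator" match the pointer advances nine characters no matter what follows them; if the character at offset 8 is the NUL terminator (a location string that ends in "operator"), `*inp` is left one past the end of the string before the loop condition reads it again, which is the same class of out-of-bounds read the patch sets out to fix. The skip is only meant for "operator," (as the comment says), so keep the comma test with the corrected index rather than dropping it: `&& strncmp (*inp, "operator", 8) == 0` / `&& (*inp)[8] == ',')` / `(*inp) += 8;`. The ChangeLog's "Increment *inp by 8" also understates the net effect, since the trailing `++(*inp)` makes it nine; a one-line comment on the intended net advance would help the next reader.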
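The off-by-one and the bounds question discussed in the mail are easy to get wrong in a hand-written token scanner, so here is a self-contained C re-implementation of the scan loop, added as an illustration only; it is not GDB's code and `lex_one_token`, `token_len`, `next_char` and the `lang` enum are names chosen for this example. It stops a token at NUL, whitespace or ',', treats the C++ name "operator," as one token, and reads the character after "operator" only after all eight letters have matched, so a string that ends exactly in "operator" is never read past its terminator.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical language tag for this example (not GDB's la_language).  */
enum lang { LANG_C, LANG_CPLUS };

/* Scan one token starting at *inp.  A token ends at NUL, whitespace or ','.
   In C++ mode the function name "operator," is a single token: the comma
   directly after "operator" belongs to the name and is not a separator.
   On return *inp points just past the token; the token length is returned.  */
size_t lex_one_token (const char **inp, enum lang language)
{
  const char *start = *inp;
  const char *p = *inp;

  while (p[0] != '\0' && p[0] != ',' && !isspace ((unsigned char) p[0]))
    {
      /* strncmp returns 0 on a match and stops at the first NUL, so the
         comparison itself never reads past the terminator.  p[8] is the
         character right after the 8 letters of "operator" (index 8, not 9)
         and is only read when all 8 letters matched, i.e. when p[0..7] are
         known to be non-NUL.  */
      if (language == LANG_CPLUS
          && strncmp (p, "operator", 8) == 0
          && p[8] == ',')
        {
          p += 9;    /* consume "operator," as one unit  */
          continue;  /* let the loop condition decide where the token ends  */
        }
      ++p;
    }

  *inp = p;
  return (size_t) (p - start);
}

/* Convenience wrappers returning checkable values.  */
size_t token_len (const char *s, enum lang language)
{
  const char *p = s;
  return lex_one_token (&p, language);
}

char next_char (const char *s, enum lang language)
{
  const char *p = s;
  lex_one_token (&p, language);
  return *p;
}

int main (void)
{
  /* Constructed sample inputs: the normal case, the C++ special case,
     the same text in C mode, and the "operator" at end-of-string case that
     must not read past the terminator.  */
  const char *samples[] = { "foo,bar", "operator, foo", "operator", "operator+ x" };
  size_t i;

  for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf ("%-16s C++: %zu chars   C: %zu chars\n", samples[i],
            token_len (samples[i], LANG_CPLUS), token_len (samples[i], LANG_C));
  return 0;
}
```

Running the block under -fsanitize=address with the "operator" sample is the quick way to confirm that the guard order (match first, then look at index 8) keeps every read inside the string.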