From patchwork Mon Aug 18 19:27:47 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kratochvil X-Patchwork-Id: 2426 Received: (qmail 18922 invoked by alias); 18 Aug 2014 19:27:54 -0000 Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-patches-owner@sourceware.org Delivered-To: mailing list gdb-patches@sourceware.org Received: (qmail 18909 invoked by uid 89); 18 Aug 2014 19:27:53 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-4.3 required=5.0 tests=AWL, BAYES_00, RP_MATCHES_RCVD, SPF_HELO_PASS, SPF_PASS autolearn=ham version=3.3.2 X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Mon, 18 Aug 2014 19:27:52 +0000 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s7IJRpJN014394 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Mon, 18 Aug 2014 15:27:51 -0400 Received: from host2.jankratochvil.net (ovpn-116-72.ams2.redhat.com [10.36.116.72]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s7IJRlvH031040 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NO) for ; Mon, 18 Aug 2014 15:27:50 -0400 Date: Mon, 18 Aug 2014 21:27:47 +0200 From: Jan Kratochvil To: gdb-patches@sourceware.org Subject: [patch] Fix -fsanitize=address on unreadable inferior strings Message-ID: <20140818192747.GA23790@host2.jankratochvil.net> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-IsSubscribed: yes Hi, it is not a real memory corruption/crash but it breaks with ASAN, making the use of ASAN for regular GDB runs difficult. echo 'void f(char *s){}main(){f((char *)1);}'|gcc -g -x c -;../gdb ./a.out -ex 'b f' -ex r ====ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000aaccf at pc 0x96eea7 bp 0x7fff75bdbc90 sp 0x7fff75bdbc80 READ of size 1 at 0x6020000aaccf thread T0 #0 0x96eea6 in extract_unsigned_integer .../gdb/findvar.c:108 #1 0x9df02b in val_print_string .../gdb/valprint.c:2513 [...] 0x6020000aaccf is located 1 bytes to the left of 8-byte region [0x6020000aacd0,0x6020000aacd8) allocated by thread T0 here: #0 0x7f45fad26b97 in malloc (/lib64/libasan.so.1+0x57b97) #1 0xdb3409 in xmalloc common/common-utils.c:45 #2 0x9d8cf9 in read_string .../gdb/valprint.c:1845 #3 0x9defca in val_print_string .../gdb/valprint.c:2502 [..] ====ABORTING No regressions on {x86_64,x86_64-m32,i686}-fedorarawhide-linux-gnu. I do not think it can cause any behavior change. Thanks, Jan echo 'void f(char *s){}main(){f((char *)1);}'|gcc -g -x c -;../gdb ./a.out -ex 'b f' -ex r ====ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000aaccf at pc 0x96eea7 bp 0x7fff75bdbc90 sp 0x7fff75bdbc80 READ of size 1 at 0x6020000aaccf thread T0 #0 0x96eea6 in extract_unsigned_integer .../gdb/findvar.c:108 #1 0x9df02b in val_print_string .../gdb/valprint.c:2513 [...] 0x6020000aaccf is located 1 bytes to the left of 8-byte region [0x6020000aacd0,0x6020000aacd8) allocated by thread T0 here: #0 0x7f45fad26b97 in malloc (/lib64/libasan.so.1+0x57b97) #1 0xdb3409 in xmalloc common/common-utils.c:45 #2 0x9d8cf9 in read_string .../gdb/valprint.c:1845 #3 0x9defca in val_print_string .../gdb/valprint.c:2502 [..] ====ABORTING gdb/ 2014-08-18 Jan Kratochvil Fix -fsanitize=address on unreadable inferior strings. * valprint.c (val_print_string): Fix access before BUFFER. diff --git a/gdb/valprint.c b/gdb/valprint.c index d3ab267..a87d67c 100644 --- a/gdb/valprint.c +++ b/gdb/valprint.c @@ -2510,8 +2510,10 @@ val_print_string (struct type *elttype, const char *encoding, LEN is -1. */ /* Determine found_nul by looking at the last character read. */ - found_nul = extract_unsigned_integer (buffer + bytes_read - width, width, - byte_order) == 0; + found_nul = 0; + if (bytes_read >= width) + found_nul = extract_unsigned_integer (buffer + bytes_read - width, width, + byte_order) == 0; if (len == -1 && !found_nul) { gdb_byte *peekbuf;