From patchwork Wed Nov 28 17:38:04 2018
X-Patchwork-Submitter: Tom Tromey
X-Patchwork-Id: 30364
From: Tom Tromey
To: gdb-patches@sourceware.org
Cc: Tom Tromey
Subject: [PATCH] Avoid buffer overflow in value_x_unop
Date: Wed, 28 Nov 2018 10:38:04 -0700
Message-Id: <20181128173804.10594-1-tom@tromey.com>

Commit 6b1747cd1 ("invoke_xmethod & array_view") contains this change:

- argvec = (struct value **) alloca (sizeof (struct value *) * 4);
+ value *argvec_storage[3];
+ gdb::array_view argvec = argvec_storage;

However, value_x_unop still does:

argvec[2] = value_from_longest (builtin_type (gdbarch)->builtin_int, 0);
argvec[3] = 0;

This triggers an error with -fsanitize=address from userdef.exp:

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdcf185068 at pc 0x000000e4f912 bp 0x7ffdcf184d80 sp 0x7ffdcf184d70
WRITE of size 8 at 0x7ffdcf185068 thread T0
#0 0xe4f911 in value_x_unop(value*, exp_opcode, noside) ../../binutils-gdb/gdb/valarith.c:557
[...]

I think the two assignments to argvec[3] should just be removed, and that this was intended in the earlier patch but just missed.

This passes userdef.exp with -fsanitize=address.

gdb/ChangeLog
2018-11-28 Tom Tromey

* valarith.c (value_x_unop): Don't set argvec[3].
---
gdb/ChangeLog | 4 ++++
gdb/valarith.c | 2 --
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/gdb/valarith.c b/gdb/valarith.c
index 3a59ada2d5..66cd9042d4 100644
--- a/gdb/valarith.c
+++ b/gdb/valarith.c
@@ -554,13 +554,11 @@ value_x_unop (struct value *arg1, enum exp_opcode op, enum noside noside) case UNOP_POSTINCREMENT: strcpy (ptr, "++"); argvec[2] = value_from_longest (builtin_type (gdbarch)->builtin_int, 0); - argvec[3] = 0; nargs ++; break; case UNOP_POSTDECREMENT: strcpy (ptr, "--"); argvec[2] = value_from_longest (builtin_type (gdbarch)->builtin_int, 0); - argvec[3] = 0; nargs ++; break; case UNOP_LOGICAL_NOT:
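Review bot: dropping the two `argvec[3] = 0;` stores is the right fix given the three-slot `argvec_storage` quoted in the commit message, but the old store doubled as a null terminator, and the hunk keeps only `nargs ++` as the argument count; it would be worth stating in the commit message, or adding as a comment above the `case UNOP_POSTINCREMENT:` block, that whatever consumes argvec is now bounded by nargs (or by the array_view's size) rather than by a trailing null, so nothing downstream still expects the terminator that is no longer written. The write at `valarith.c:557` that ASan reported is exactly the first removed line, so the fix and the report line up; a follow-up run of userdef.exp under -fsanitize=address is already noted, which is the right evidence to cite here.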