diff mbox series

gdb: fix buffer overflow in DWARF reader

Message ID 281fdfc6ef3997cfab17d2379b51b208c0e00070.1694706424.git.aburgess@redhat.com
State New
Headers
Series gdb: fix buffer overflow in DWARF reader |

Checks

Context Check Description
linaro-tcwg-bot/tcwg_gdb_check--master-arm success Testing passed
linaro-tcwg-bot/tcwg_gdb_check--master-aarch64 success Testing passed
linaro-tcwg-bot/tcwg_gdb_build--master-aarch64 warning Patch is already merged
linaro-tcwg-bot/tcwg_gdb_build--master-arm warning Patch is already merged

Commit Message

Andrew Burgess Sept. 14, 2023, 3:48 p.m. UTC 
  In this commit:

  commit 48ac197b0c209ccf1f2de9704eb6cdf7c5c73a8e
  Date:   Fri Nov 19 10:12:44 2021 -0700

      Handle multiple addresses in call_site_target

a buffer overflow bug was introduced when the following code was
added:

  CORE_ADDR *saved = XOBNEWVAR (&objfile->objfile_obstack, CORE_ADDR,
                                addresses.size ());
  std::copy (addresses.begin (), addresses.end (), saved);

The definition of XOBNEWVAR is (from libiberty.h):

  #define XOBNEWVAR(O, T, S)	((T *) obstack_alloc ((O), (S)))

So 'saved' is going to point to addresses.size () bytes of memory,
however, the std::copy will write addresses.size () number of
CORE_ADDR sized entries to the address pointed to by 'saved', this is
going to result in memory corruption.

The mistake is that we should have used XOBNEWVEC, which allocates a
vector of entries, the definition of XOBNEWVEC is:

  #define XOBNEWVEC(O, T, N) \
    ((T *) obstack_alloc ((O), sizeof (T) * (N)))

Which means we will have set aside enough space to create a copy of
the contents of the addresses vector.

I'm not sure how to create a test for this problem, this issue cropped
up when debugging a particular i686 built binary, which just happened
to trigger a glibc assertion (likely due to random memory corruption),
debugging the same binary built for x86-64 appeared to work just fine.

Using valgrind on the failing GDB binary pointed straight to the cause
of the problem, and with this patch in place there are no longer
valgrind errors in this area.

If anyone has ideas for a test I'm happy to work on something.
---
 gdb/dwarf2/read.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


base-commit: d7680f13df105aa8fa0edbdf8efae31a5411f579

Comments

Tom Tromey Sept. 14, 2023, 4:03 p.m. UTC | #1 
>>>>> "Andrew" == Andrew Burgess <aburgess@redhat.com> writes:

Andrew> In this commit:
Andrew>   commit 48ac197b0c209ccf1f2de9704eb6cdf7c5c73a8e
Andrew>   Date:   Fri Nov 19 10:12:44 2021 -0700

Andrew>       Handle multiple addresses in call_site_target

Andrew> a buffer overflow bug was introduced when the following code was
Andrew> added:

Sorry about that.

Andrew> I'm not sure how to create a test for this problem, this issue cropped
Andrew> up when debugging a particular i686 built binary, which just happened
Andrew> to trigger a glibc assertion (likely due to random memory corruption),
Andrew> debugging the same binary built for x86-64 appeared to work just fine.

The best thing would be if we had valgrind annotations for obstack.
Then valgrind or perhaps ASAN would catch this kind of bug.

Approved-By: Tom Tromey <tom@tromey.com>

Tom
diff mbox series

Patch

diff --git a/gdb/dwarf2/read.c b/gdb/dwarf2/read.c
index 98bedbc5d49..0f4d99109fb 100644
--- a/gdb/dwarf2/read.c
+++ b/gdb/dwarf2/read.c
@@ -10548,7 +10548,7 @@  read_call_site_scope (struct die_info *die, struct dwarf2_cu *cu)
 	  std::vector<unrelocated_addr> addresses;
 	  dwarf2_ranges_read_low_addrs (ranges_offset, target_cu,
 					target_die->tag, addresses);
-	  unrelocated_addr *saved = XOBNEWVAR (&objfile->objfile_obstack,
+	  unrelocated_addr *saved = XOBNEWVEC (&objfile->objfile_obstack,
 					       unrelocated_addr,
 					       addresses.size ());
 	  std::copy (addresses.begin (), addresses.end (), saved);