From patchwork Fri Nov 13 08:18:30 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yao Qi <qiyaoltc@gmail.com>
X-Patchwork-Id: 9656
Received: (qmail 127487 invoked by alias); 13 Nov 2015 08:18:39 -0000
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <gdb-patches.sourceware.org>
List-Unsubscribe: <mailto:gdb-patches-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:gdb-patches-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/gdb-patches/>
List-Post: <mailto:gdb-patches@sourceware.org>
List-Help: <mailto:gdb-patches-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: gdb-patches-owner@sourceware.org
Delivered-To: mailing list gdb-patches@sourceware.org
Received: (qmail 127427 invoked by uid 89); 13 Nov 2015 08:18:38 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-2.3 required=5.0 tests=AWL, BAYES_00,
	FREEMAIL_FROM, RCVD_IN_DNSWL_LOW,
	SPF_PASS autolearn=ham version=3.3.2
X-HELO: mail-pa0-f48.google.com
Received: from mail-pa0-f48.google.com (HELO mail-pa0-f48.google.com)
	(209.85.220.48) by sourceware.org
	(qpsmtpd/0.93/v0.84-503-g423c35a) with (AES128-GCM-SHA256
	encrypted) ESMTPS; Fri, 13 Nov 2015 08:18:37 +0000
Received: by pabfh17 with SMTP id fh17so93468341pab.0 for
	<gdb-patches@sourceware.org>; Fri, 13 Nov 2015 00:18:35 -0800 (PST)
X-Received: by 10.66.123.72 with SMTP id ly8mr29916881pab.92.1447402715155;
	Fri, 13 Nov 2015 00:18:35 -0800 (PST)
Received: from E107787-LIN.cambridge.arm.com (gcc2-power8.osuosl.org.
	[140.211.9.43]) by smtp.gmail.com with ESMTPSA id
	iv5sm18855247pbb.24.2015.11.13.00.18.33 for
	<gdb-patches@sourceware.org> (version=TLS1_2
	cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 13 Nov 2015 00:18:34 -0800 (PST)
From: Yao Qi <qiyaoltc@gmail.com>
X-Google-Original-From: Yao Qi <yao.qi@linaro.org>
To: gdb-patches@sourceware.org
Subject: [PATCH] Fix bug in arm_push_dummy_call by -fsanitize=address
Date: Fri, 13 Nov 2015 08:18:30 +0000
Message-Id: <1447402710-26391-1-git-send-email-yao.qi@linaro.org>
X-IsSubscribed: yes

When I build GDB with -fsanitize=address, and run testsuite,
some gdb.base/*.exp test triggers the ERROR below,

=================================================================
==7646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000242810 at pc 0x487844 bp 0x7fffe32e84e0 sp 0x7fffe32e84d8
READ of size 4 at 0x603000242810 thread T0^[[1m^[[0m^M
    #0 0x487843 in push_stack_item /home/yao/SourceCode/gnu/gdb/git/gdb/arm-tdep.c:3405
    #1 0x48998a in arm_push_dummy_call /home/yao/SourceCode/gnu/gdb/git/gdb/arm-tdep.c:3960

In that path, GDB passes value on stack, in an INT_REGISTER_SIZE slot,
but the value contents' length can be less than INT_REGISTER_SIZE, so
the contents will be accessed out of the bound.  This patch adds an
array buf[INT_REGISTER_SIZE], and copy val to buf before writing them
to stack.

Regression tested on arm-linux.

gdb:

2015-11-13  Yao Qi  <yao.qi@linaro.org>

	* arm-tdep.c (arm_push_dummy_call): New array buf.  Store regval
	to buf.  Pass buf instead of val to push_stack_item.
---
 gdb/arm-tdep.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c
index 9c8208a..58dcc6c 100644
--- a/gdb/arm-tdep.c
+++ b/gdb/arm-tdep.c
@@ -3928,13 +3928,13 @@ arm_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
       while (len > 0)
 	{
 	  int partial_len = len < INT_REGISTER_SIZE ? len : INT_REGISTER_SIZE;
+	  CORE_ADDR regval
+	    = extract_unsigned_integer (val, partial_len, byte_order);
 
 	  if (may_use_core_reg && argreg <= ARM_LAST_ARG_REGNUM)
 	    {
 	      /* The argument is being passed in a general purpose
 		 register.  */
-	      CORE_ADDR regval
-		= extract_unsigned_integer (val, partial_len, byte_order);
 	      if (byte_order == BFD_ENDIAN_BIG)
 		regval <<= (INT_REGISTER_SIZE - partial_len) * 8;
 	      if (arm_debug)
@@ -3948,11 +3948,16 @@ arm_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
 	    }
 	  else
 	    {
+	      gdb_byte buf[INT_REGISTER_SIZE];
+
+	      memset (buf, 0, sizeof (buf));
+	      store_unsigned_integer (buf, partial_len, byte_order, regval);
+
 	      /* Push the arguments onto the stack.  */
 	      if (arm_debug)
 		fprintf_unfiltered (gdb_stdlog, "arg %d @ sp + %d\n",
 				    argnum, nstack);
-	      si = push_stack_item (si, val, INT_REGISTER_SIZE);
+	      si = push_stack_item (si, buf, INT_REGISTER_SIZE);
 	      nstack += INT_REGISTER_SIZE;
 	    }