TUI: Fix buffer overflow in tui_expand_tabs

Message ID	20150317103009.538f2b3d@kryten
State	New, archived
Headers	Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm Precedence: bulk Sender: gdb-patches-owner@sourceware.org Date: Tue, 17 Mar 2015 10:30:09 +1100 From: Anton Blanchard <anton@samba.org> To: gdb-patches@sourceware.org, eliz@gnu.org Subject: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs Message-ID: <20150317103009.538f2b3d@kryten> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit

Message ID

20150317103009.538f2b3d@kryten

State

New, archived

Headers

Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: gdb-patches-owner@sourceware.org
Date: Tue, 17 Mar 2015 10:30:09 +1100
From: Anton Blanchard <anton@samba.org>
To: gdb-patches@sourceware.org, eliz@gnu.org
Subject: [PATCH] TUI: Fix buffer overflow in tui_expand_tabs
Message-ID: <20150317103009.538f2b3d@kryten>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Commit Message

Anton Blanchard March 16, 2015, 11:30 p.m. UTC

  tui_expand_tabs writes past the end of the buffers it allocates
because we forget to zero out col. This results in us adding more
spaces than we need to get aligned, and we write past the end of the
allocated buffer.

This was noticed on Ubuntu Vivid ppc64le, where gdb would SEGV when
using the TUI.

2015-03-17  Anton Blanchard  <anton@samba.org>

gdb/ChangeLog:
	* tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
---
 gdb/ChangeLog    | 4 ++++
 gdb/tui/tui-io.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

Comments

Anton Blanchard March 19, 2015, 9:44 p.m. UTC | #1

Hi,

> tui_expand_tabs writes past the end of the buffers it allocates
> because we forget to zero out col. This results in us adding more
> spaces than we need to get aligned, and we write past the end of the
> allocated buffer.
> 
> This was noticed on Ubuntu Vivid ppc64le, where gdb would SEGV when
> using the TUI.

Any feedback on this? We either need to fix it, or back out commit
312809f88389 ("Make sure TABs are expanded in TUI windows on
MS-Windows.")

Anton

> 2015-03-17  Anton Blanchard  <anton@samba.org>
> 
> gdb/ChangeLog:
> 	* tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> ---
>  gdb/ChangeLog    | 4 ++++
>  gdb/tui/tui-io.c | 2 +-
>  2 files changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/gdb/ChangeLog b/gdb/ChangeLog
> index d984565..4e0177a 100644
> --- a/gdb/ChangeLog
> +++ b/gdb/ChangeLog
> @@ -1,3 +1,7 @@
> +2015-03-17  Anton Blanchard  <anton@samba.org>
> +
> +	* tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> +
>  2015-03-16  John Baldwin  <jhb@FreeBSD.org>
>  
>  	* fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target
> registers diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c
> index a8af9b6..02ae17d 100644
> --- a/gdb/tui/tui-io.c
> +++ b/gdb/tui/tui-io.c
> @@ -690,7 +690,7 @@ tui_expand_tabs (const char *string, int col)
>    ret = q = xmalloc (strlen (string) + n_adjust + 1);
>  
>    /* 2. Copy the original string while replacing TABs with spaces.
> */
> -  for (s = string; s; )
> +  for (col = 0, s = string; s; )
>      {
>        char *s1 = strpbrk (s, "\t");
>        if (s1)

Doug Evans March 19, 2015, 10:57 p.m. UTC | #2

On Mon, Mar 16, 2015 at 4:30 PM, Anton Blanchard <anton@samba.org> wrote:
> tui_expand_tabs writes past the end of the buffers it allocates
> because we forget to zero out col. This results in us adding more
> spaces than we need to get aligned, and we write past the end of the
> allocated buffer.
>
> This was noticed on Ubuntu Vivid ppc64le, where gdb would SEGV when
> using the TUI.
>
> 2015-03-17  Anton Blanchard  <anton@samba.org>
>
> gdb/ChangeLog:
>         * tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> ---
>  gdb/ChangeLog    | 4 ++++
>  gdb/tui/tui-io.c | 2 +-
>  2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/gdb/ChangeLog b/gdb/ChangeLog
> index d984565..4e0177a 100644
> --- a/gdb/ChangeLog
> +++ b/gdb/ChangeLog
> @@ -1,3 +1,7 @@
> +2015-03-17  Anton Blanchard  <anton@samba.org>
> +
> +       * tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
> +
>  2015-03-16  John Baldwin  <jhb@FreeBSD.org>
>
>         * fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target registers
> diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c
> index a8af9b6..02ae17d 100644
> --- a/gdb/tui/tui-io.c
> +++ b/gdb/tui/tui-io.c
> @@ -690,7 +690,7 @@ tui_expand_tabs (const char *string, int col)
>    ret = q = xmalloc (strlen (string) + n_adjust + 1);
>
>    /* 2. Copy the original string while replacing TABs with spaces.  */
> -  for (s = string; s; )
> +  for (col = 0, s = string; s; )
>      {
>        char *s1 = strpbrk (s, "\t");
>        if (s1)

Hi.

col needs to be reset to its original value on function entry, right?
I suggest changing the code so that col is left unmodified,
and use a new variable to track the advance of col in both loops.

diff mbox

Patch

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index d984565..4e0177a 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,7 @@ 
+2015-03-17  Anton Blanchard  <anton@samba.org>
+
+	* tui/tui-io.c (tui_expand_tabs): Zero col before reusing.
+
 2015-03-16  John Baldwin  <jhb@FreeBSD.org>
 
 	* fbsd-tdep.c (fbsd_make_corefile_notes): Fetch all target registers
diff --git a/gdb/tui/tui-io.c b/gdb/tui/tui-io.c
index a8af9b6..02ae17d 100644
--- a/gdb/tui/tui-io.c
+++ b/gdb/tui/tui-io.c
@@ -690,7 +690,7 @@  tui_expand_tabs (const char *string, int col)
   ret = q = xmalloc (strlen (string) + n_adjust + 1);
 
   /* 2. Copy the original string while replacing TABs with spaces.  */
-  for (s = string; s; )
+  for (col = 0, s = string; s; )
     {
       char *s1 = strpbrk (s, "\t");
       if (s1)