From patchwork Thu Jun 1 09:27:53 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Burgess X-Patchwork-Id: 70441 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 649563858C30 for ; Thu, 1 Jun 2023 09:29:07 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 649563858C30 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1685611747; bh=MApuv9qs+Vv33268UIrR35Iy2H2R8Tam6MEYG2OmfFA=; h=To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=acCVJkilWesXIz1ra12xXH4bhSndFx7lpXWsN/iDu+9eDGX0DaRhrw96E2kjAWVq1 LhgwqgMHwGR8/OkWlckeCjbZJRt9Cqkx8VLAUKficHPstbPUj/QD8ISNeU0pA05XMf 09k0T5oFv4n5rHxkGzEYmilmvO71z4GpMYZ0L5hU= X-Original-To: gdb-patches@sourceware.org Delivered-To: gdb-patches@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id D83713857738 for ; Thu, 1 Jun 2023 09:28:09 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org D83713857738 Received: from mail-lj1-f198.google.com (mail-lj1-f198.google.com [209.85.208.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-180-XhrBoKAMNT2CAyAp-ba4Wg-1; Thu, 01 Jun 2023 05:28:08 -0400 X-MC-Unique: XhrBoKAMNT2CAyAp-ba4Wg-1 Received: by mail-lj1-f198.google.com with SMTP id 38308e7fff4ca-2af1a18584bso4830511fa.2 for ; Thu, 01 Jun 2023 02:28:08 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685611687; x=1688203687; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=MApuv9qs+Vv33268UIrR35Iy2H2R8Tam6MEYG2OmfFA=; b=ZR7dRXqJadrW6KPjuf8tUJ06KJoYXoSueluqDQukA5KEOR00kWm+Poee90wN0H5eGk pgVgxhUq/z219oLiZIGtOaln4A3F/WHgRN9yC2zXkBdJKSYsPqI7cK+QShPBtuGP/2Q0 ino+9Y4QOqThOdbkyLBGucTnElBMF/fx8xiNCAcrCn9G5Jgo4nhdXmNqgEjNCYdef9Mc R3WlcU6jSkssUSEm6O2H12cVMmSQ5h0/8HeteT/O2zUz8NGl9svHBuNCJF/mEGfXCvfW O0gZhOph2XUdmycYuJdOOh5IJWztbGm4Ov+n6mgwTnTSx9aBA5GgzrBMpjXYvE4Lq+YG 1i/w== X-Gm-Message-State: AC+VfDxNKyejFZFA3s1dk7ejNKQDuCNYHN11rI//7PlAJ+u/E1m0Y82I wjeiP3K+DQjfq7gQZFmZWEkF6iyrgDBnq+jRGbzM0XHj/Yh+CXD9pZ6pAHkuvYp1Co4VaEAG0zN PpVNYnA6vus4rlIm9eRP4lk6ViPCsMxdEhfCz32NXwI9ZkcZMYns8v5vE0e3IpyYwB5tj5DcXuQ yRtaYlMw== X-Received: by 2002:a2e:9bd9:0:b0:2a9:f94f:d304 with SMTP id w25-20020a2e9bd9000000b002a9f94fd304mr4194934ljj.19.1685611686707; Thu, 01 Jun 2023 02:28:06 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5AFfoQDVzCpx6cupOz6/gYQ+z+AxpNJtzGpeDA+mTboyBSIJ9Xk9vK544EcCVegpINg4ndeg== X-Received: by 2002:a2e:9bd9:0:b0:2a9:f94f:d304 with SMTP id w25-20020a2e9bd9000000b002a9f94fd304mr4194914ljj.19.1685611686172; Thu, 01 Jun 2023 02:28:06 -0700 (PDT) Received: from localhost (11.72.115.87.dyn.plus.net. [87.115.72.11]) by smtp.gmail.com with ESMTPSA id 9-20020a05600c028900b003f60482024fsm1653013wmk.30.2023.06.01.02.28.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 01 Jun 2023 02:28:05 -0700 (PDT) To: gdb-patches@sourceware.org Cc: Simon Marchi , Andrew Burgess Subject: [PATCH 4/4] gdb: check max-value-size when reading strings for printf Date: Thu, 1 Jun 2023 10:27:53 +0100 Message-Id: <3166d8c1916f3d92550c436cf47c70ceece0e0ea.1685611213.git.aburgess@redhat.com> X-Mailer: git-send-email 2.25.4 In-Reply-To: References: MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-11.8 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Andrew Burgess via Gdb-patches From: Andrew Burgess Reply-To: Andrew Burgess Errors-To: gdb-patches-bounces+patchwork=sourceware.org@sourceware.org Sender: "Gdb-patches" I noticed that the printf code for strings, printf_c_string and printf_wide_c_string, don't take max-value-size into account, but do load a complete string from the inferior into a GDB buffer. As such it would be possible for an badly behaved inferior to cause GDB to try and allocate an excessively large buffer, potentially crashing GDB, or at least causing GDB to swap lots, which isn't great. We already have a setting to protect against this sort of thing, the 'max-value-size'. So this commit updates the two function mentioned above to check the max-value-size and give an error if the max-value-size is exceeded. If the max-value-size is exceeded, I chose to continue reading inferior memory to figure out how long the string actually is, we just don't store the results. The benefit of this is that when we give the user an error we can tell the user how big the string actually is, which would allow them to correctly adjust max-value-size, if that's what they choose to do. The default for max-value-size is 64k so there should be no user visible changes after this commit, unless the user was previously printing very large strings. If that is the case then the user will now need to increase max-value-size. --- gdb/printcmd.c | 39 ++++++++++++++++++++--- gdb/testsuite/gdb.base/printcmds.c | 2 ++ gdb/testsuite/gdb.base/printcmds.exp | 5 +++ gdb/testsuite/gdb.base/printf-wchar_t.c | 2 ++ gdb/testsuite/gdb.base/printf-wchar_t.exp | 6 ++++ gdb/testsuite/lib/gdb.exp | 30 +++++++++++++++++ gdb/value.c | 10 +++++- gdb/value.h | 5 +++ 8 files changed, 94 insertions(+), 5 deletions(-) diff --git a/gdb/printcmd.c b/gdb/printcmd.c index 61b009fb7f2..4bfdaa2c7d7 100644 --- a/gdb/printcmd.c +++ b/gdb/printcmd.c @@ -2480,17 +2480,24 @@ printf_c_string (struct ui_file *stream, const char *format, /* This is a %s argument. Build the string in STR which is currently empty. */ gdb_assert (str.size () == 0); - for (size_t len = 0;; len++) + size_t len; + for (len = 0;; len++) { gdb_byte c; QUIT; + read_memory (tem + len, &c, 1); - str.push_back (c); + if (!exceeds_max_value_size (len + 1)) + str.push_back (c); if (c == 0) break; } + if (exceeds_max_value_size (len + 1)) + error (_("printed string requires %s bytes, which is more than " + "max-value-size"), plongest (len + 1)); + /* We will have passed through the above loop at least once, and will only exit the loop when we have pushed a zero byte onto the end of STR. */ @@ -2547,13 +2554,37 @@ printf_wide_c_string (struct ui_file *stream, const char *format, for (len = 0;; len += wcwidth) { QUIT; - tem_str->resize (tem_str->size () + wcwidth); - gdb_byte *dst = tem_str->data () + len; + gdb_byte *dst; + if (!exceeds_max_value_size (len + wcwidth)) + { + tem_str->resize (tem_str->size () + wcwidth); + dst = tem_str->data () + len; + } + else + { + /* We still need to check for the null-character, so we need + somewhere to place the data read from the inferior. We + can't keep growing TEM_STR, it's gotten too big, so + instead just read the new character into the start of + TEMS_STR. This will corrupt the previously read contents, + but we're not going to print this string anyway, we just + want to know how big it would have been so we can tell the + user in the error message (see below). + + And we know there will be space in this buffer so long as + WCWIDTH is smaller than our LONGEST type, the + max-value-size can't be smaller than a LONGEST. */ + dst = tem_str->data (); + } read_memory (tem + len, dst, wcwidth); if (extract_unsigned_integer (dst, wcwidth, byte_order) == 0) break; } + if (exceeds_max_value_size (len + wcwidth)) + error (_("printed string requires %s bytes, which is more than " + "max-value-size"), plongest (len + wcwidth)); + str = tem_str->data (); } diff --git a/gdb/testsuite/gdb.base/printcmds.c b/gdb/testsuite/gdb.base/printcmds.c index fa3a62d6cdd..8445fcc1aa2 100644 --- a/gdb/testsuite/gdb.base/printcmds.c +++ b/gdb/testsuite/gdb.base/printcmds.c @@ -75,6 +75,8 @@ char *teststring = (char*)"teststring contents"; typedef char *charptr; charptr teststring2 = "more contents"; +const char *teststring3 = "this is a longer test string that we can use"; + /* Test printing of a struct containing character arrays. */ struct some_arrays { diff --git a/gdb/testsuite/gdb.base/printcmds.exp b/gdb/testsuite/gdb.base/printcmds.exp index 73f145c9586..eab0264af63 100644 --- a/gdb/testsuite/gdb.base/printcmds.exp +++ b/gdb/testsuite/gdb.base/printcmds.exp @@ -901,6 +901,11 @@ proc test_printf {} { # PR cli/14977. gdb_test "printf \"%s\\n\", 0" "\\(null\\)" + + with_max_value_size 20 { + gdb_test {printf "%s", teststring3} \ + "^printed string requires 45 bytes, which is more than max-value-size" + } } #Test printing DFP values with printf diff --git a/gdb/testsuite/gdb.base/printf-wchar_t.c b/gdb/testsuite/gdb.base/printf-wchar_t.c index 4d13fd3c961..2635932c780 100644 --- a/gdb/testsuite/gdb.base/printf-wchar_t.c +++ b/gdb/testsuite/gdb.base/printf-wchar_t.c @@ -18,6 +18,8 @@ #include const wchar_t wide_str[] = L"wide string"; +const wchar_t long_wide_str[] + = L"this is a much longer wide string that we can use if needed"; int main (void) diff --git a/gdb/testsuite/gdb.base/printf-wchar_t.exp b/gdb/testsuite/gdb.base/printf-wchar_t.exp index 85c6edf292c..8a6003d5785 100644 --- a/gdb/testsuite/gdb.base/printf-wchar_t.exp +++ b/gdb/testsuite/gdb.base/printf-wchar_t.exp @@ -24,3 +24,9 @@ if {![runto_main]} { } gdb_test {printf "%ls\n", wide_str} "^wide string" + +# Check that if the max-value-size will kick in when using printf on strings. +with_max_value_size 20 { + gdb_test {printf "%ls\n", long_wide_str} \ + "^printed string requires 240 bytes, which is more than max-value-size" +} diff --git a/gdb/testsuite/lib/gdb.exp b/gdb/testsuite/lib/gdb.exp index 294d136a547..c8d0aa6d3b8 100644 --- a/gdb/testsuite/lib/gdb.exp +++ b/gdb/testsuite/lib/gdb.exp @@ -3192,6 +3192,36 @@ proc with_target_charset { target_charset body } { } } +# Run tests in BODY with max-value-size set to SIZE. When BODY is +# finished restore max-value-size. + +proc with_max_value_size { size body } { + global gdb_prompt + + set saved "" + gdb_test_multiple "show max-value-size" "" { + -re -wrap "Maximum value size is ($::decimal) bytes\\." { + set saved $expect_out(1,string) + } + -re ".*$gdb_prompt " { + fail "get max-value-size" + } + } + + gdb_test_no_output -nopass "set max-value-size $size" + + set code [catch {uplevel 1 $body} result] + + gdb_test_no_output -nopass "set max-value-size $saved" + + if {$code == 1} { + global errorInfo errorCode + return -code $code -errorinfo $errorInfo -errorcode $errorCode $result + } else { + return -code $code $result + } +} + # Switch the default spawn id to SPAWN_ID, so that gdb_test, # mi_gdb_test etc. default to using it. diff --git a/gdb/value.c b/gdb/value.c index 980722a6dd7..05e5d10ab38 100644 --- a/gdb/value.c +++ b/gdb/value.c @@ -804,7 +804,7 @@ check_type_length_before_alloc (const struct type *type) { ULONGEST length = type->length (); - if (max_value_size > -1 && length > max_value_size) + if (exceeds_max_value_size (length)) { if (type->name () != NULL) error (_("value of type `%s' requires %s bytes, which is more " @@ -815,6 +815,14 @@ check_type_length_before_alloc (const struct type *type) } } +/* See value.h. */ + +bool +exceeds_max_value_size (ULONGEST length) +{ + return max_value_size > -1 && length > max_value_size; +} + /* When this has a value, it is used to limit the number of array elements of an array that are loaded into memory when an array value is made non-lazy. */ diff --git a/gdb/value.h b/gdb/value.h index 508367a4159..cca356a93ea 100644 --- a/gdb/value.h +++ b/gdb/value.h @@ -1575,6 +1575,11 @@ extern void finalize_values (); of floating-point, fixed-point, or integer type. */ extern gdb_mpq value_to_gdb_mpq (struct value *value); +/* Return true if LEN (in bytes) exceeds the max-value-size setting, + otherwise, return false. If the user has disabled (set to unlimited) + the max-value-size setting then this function will always return false. */ +extern bool exceeds_max_value_size (ULONGEST length); + /* While an instance of this class is live, and array values that are created, that are larger than max_value_size, will be restricted in size to a particular number of elements. */