From patchwork Wed Oct 10 15:45:53 2018
X-Patchwork-Submitter: Richard Henderson
X-Patchwork-Id: 148565
From: Richard Henderson To: gdb-patches@sourceware.org Subject: [PATCH] Fix buffer overrun in fetch_register_using_p Date: Wed, 10 Oct 2018 08:45:53 -0700 Message-Id: <20181010154553.11515-1-richard.henderson@linaro.org> If the packet returned from the gdbserver is too long, the stack would be clobbered and gdb would crash. gdb/ * remote.c (remote_target::fetch_register_using_p): Error if more data is received than expected in the packet. --- I am adding SVE support to QEMU's gdbserver stub, and managed to tickle this bug in the process. r~ --- gdb/remote.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) -- 2.17.1 diff --git a/gdb/remote.c b/gdb/remote.c index 724f41cf71..d68faf1046 100644 --- a/gdb/remote.c +++ b/gdb/remote.c @@ -7958,7 +7958,8 @@ remote_target::fetch_register_using_p (struct regcache *regcache, struct gdbarch *gdbarch = regcache->arch (); struct remote_state *rs = get_remote_state (); char *buf, *p; - gdb_byte *regp = (gdb_byte *) alloca (register_size (gdbarch, reg->regnum)); + int size = register_size (gdbarch, reg->regnum); + gdb_byte *regp = (gdb_byte *) alloca (size); int i; if (packet_support (PACKET_p) == PACKET_DISABLE) @@ -8003,6 +8004,8 @@ remote_target::fetch_register_using_p (struct regcache *regcache, { if (p[1] == 0) error (_("fetch_register_using_p: early buf termination")); + if (i == size) + error (_("fetch_register_using_p: late buf termination")); regp[i++] = fromhex (p[0]) * 16 + fromhex (p[1]); p += 2;
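Review bot: in the first hunk (`@@ -7958,7 +7958,8 @@`), the new `int size = register_size (gdbarch, reg->regnum);` is never modified after initialization and is the only thing tying the `alloca (size)` allocation to the bounds check introduced in the second hunk; declaring it `const int size` makes that invariant explicit, and a more specific name such as `regsize` would avoid the generic identifier `size` being shadowed or reused later in the function. Keeping the allocation behaviour unchanged here is right: the fix belongs at the write site, not at the allocation.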
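Review bot: in the second hunk (`@@ -8003,6 +8004,8 @@`), the check `if (i == size)` is correctly placed before the store `regp[i++] = fromhex (p[0]) * 16 + fromhex (p[1]);`, so a response longer than `register_size` bytes can no longer write past the `alloca`'d buffer, and placing it after the `p[1] == 0` test is also right, since an odd trailing digit is reported before the length is considered. The message "late buf termination" is hard to act on from the gdb side, though; consider reporting the condition and the values involved, e.g. `error (_("fetch_register_using_p: remote sent more than %d bytes for register %d"), size, reg->regnum);`. The hunk does not show what happens after the loop when the response is shorter than `size` bytes, so whether the trailing bytes of `regp` are left uninitialized in that case is worth confirming in the surrounding code.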
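The bug the commit message describes is a hex-decoding loop whose only loop condition is the end of the input string, while the destination buffer is sized from the register, not from the input. The following is an added, stand-alone example (not GDB's code, and not part of the patch) of the same decoding loop written with the bounds test in the position the patch puts it, so that the store can never reach `regp[size]`. The `decode_status` enum, the `fromhex_checked` helper (GDB's own `fromhex` has a different contract) and the rejection of short and non-hex responses are assumptions of this example that go beyond what the hunk shows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcomes of decoding one register's hex payload (constructed for this example). */
enum decode_status {
  DECODE_OK = 0,
  DECODE_BAD_HEX,     /* a character that is not a hex digit */
  DECODE_EARLY_END,   /* odd number of hex digits, as in the "early buf termination" case */
  DECODE_LATE_END,    /* more bytes than the register holds, the overrun case the patch closes */
  DECODE_SHORT        /* fewer bytes than the register holds (extra check, not in the hunk) */
};

/* Hypothetical replacement for GDB's fromhex: returns -1 on a non-hex character. */
static int fromhex_checked(char c)
{
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Decode the hex string p into regp, a buffer of exactly `size` bytes.
   The `i == size` test runs before the store, so regp[i] is never
   written for i >= size no matter how long the remote's reply is. */
enum decode_status decode_register_hex(const char *p, uint8_t *regp, int size)
{
  int i = 0;
  while (p[0] != 0) {
    if (p[1] == 0)
      return DECODE_EARLY_END;       /* dangling single digit */
    if (i == size)
      return DECODE_LATE_END;        /* reply longer than the register: refuse, do not write */
    int hi = fromhex_checked(p[0]);
    int lo = fromhex_checked(p[1]);
    if (hi < 0 || lo < 0)
      return DECODE_BAD_HEX;
    regp[i++] = (uint8_t)(hi * 16 + lo);
    p += 2;
  }
  if (i != size)
    return DECODE_SHORT;             /* reply shorter than the register */
  return DECODE_OK;
}

/* A 4-byte "register" used for the constructed samples below. */
static uint8_t sample_reg[4];

enum decode_status decode_into_sample(const char *hex)
{
  memset(sample_reg, 0, sizeof sample_reg);
  return decode_register_hex(hex, sample_reg, (int) sizeof sample_reg);
}

int sample_reg_byte(int idx)
{
  return sample_reg[idx];
}

int main(void)
{
  /* Constructed replies: exact, too long, odd length, too short, non-hex. */
  const char *samples[] = { "deadbeef", "deadbeef00", "deadbee", "dead", "zzzz" };
  for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
    printf("%-12s -> status %d\n", samples[k], (int) decode_into_sample(samples[k]));
  return 0;
}
```

The order of the two checks mirrors the patched loop: the odd-length test comes first so that a trailing lone digit is diagnosed as such, and the length test comes before the store so that the decision to stop is made without touching memory beyond the buffer.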