aboutsummaryrefslogtreecommitdiff
path: root/missing
diff options
context:
space:
mode:
authorAndrew Burgess <andrew.burgess@embecosm.com>2018-11-27 13:41:44 +0000
committerAndrew Burgess <andrew.burgess@embecosm.com>2018-12-22 10:06:50 +0000
commit74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0 (patch)
tree6fb6bcdf563f8e2bdfdf145b30e0e0f6a3a69ad2 /missing
parentecc82c059059cfa21a8a099779253686f9637f9f (diff)
downloadgdb-74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0.zip
gdb-74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0.tar.gz
gdb-74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0.tar.bz2
gdb/riscv: Prevent buffer overflow in riscv_return_value
The existing code for reading and writing the return value can overflow the passed in buffers in a couple of situations. This commit aims to resolve these issues. The problems were detected using valgrind, here are two examples, first from gdb.base/structs.exp: (gdb) p/x fun9() ==31353== Invalid write of size 8 ==31353== at 0x4C34153: memmove (vg_replace_strmem.c:1270) ==31353== by 0x632EBB: memcpy (string_fortified.h:34) ==31353== by 0x632EBB: readable_regcache::raw_read(int, unsigned char*) (regcache.c:538) ==31353== by 0x659D3F: riscv_return_value(gdbarch*, value*, type*, regcache*, unsigned char*, unsigned char const*) (riscv-tdep.c:2593) ==31353== by 0x583641: get_call_return_value (infcall.c:448) ==31353== by 0x583641: call_thread_fsm_should_stop(thread_fsm*, thread_info*) (infcall.c:546) ==31353== by 0x59BBEC: fetch_inferior_event(void*) (infrun.c:3883) ==31353== by 0x53890B: check_async_event_handlers (event-loop.c:1064) ==31353== by 0x53890B: gdb_do_one_event() [clone .part.4] (event-loop.c:326) ==31353== by 0x6CA34B: wait_sync_command_done() (top.c:503) ==31353== by 0x584653: run_inferior_call (infcall.c:621) ... And from gdb.base/call-sc.exp: (gdb) advance fun fun () at /gdb/gdb/testsuite/gdb.base/call-sc.c:41 41 return foo; (gdb) finish ==1968== Invalid write of size 8 ==1968== at 0x4C34153: memmove (vg_replace_strmem.c:1270) ==1968== by 0x632EBB: memcpy (string_fortified.h:34) ==1968== by 0x632EBB: readable_regcache::raw_read(int, unsigned char*) (regcache.c:538) ==1968== by 0x659D01: riscv_return_value(gdbarch*, value*, type*, regcache*, unsigned char*, unsigned char const*) (riscv-tdep.c:2576) ==1968== by 0x5891E4: get_return_value(value*, type*) (infcmd.c:1640) ==1968== by 0x5892C4: finish_command_fsm_should_stop(thread_fsm*, thread_info*) (infcmd.c:1808) ==1968== by 0x59BBEC: fetch_inferior_event(void*) (infrun.c:3883) ==1968== by 0x53890B: check_async_event_handlers (event-loop.c:1064) ==1968== by 0x53890B: gdb_do_one_event() [clone .part.4] (event-loop.c:326) ==1968== by 0x6CA34B: wait_sync_command_done() (top.c:503) ... There are a couple of problems with the existing code, that are all related. In riscv_call_arg_struct we incorrectly rounded up the size of a structure argument. This is unnecessary, and caused GDB to read too much data into the output buffer when extracting a struct return value. In fixing this it became clear that we were incorrectly assuming that any value being placed in a register (or read from a register) would always access the entire register. This is not true, for example a 9-byte struct on a 64-bit target places 8-bytes in one registers and 1-byte in a second register (assuming available registers). To handle this I switch from using cooked_read to cooked_read_part. Finally, when processing basic integer return value types these are extended to xlen sized types and then passed in registers. We currently don't handle this type expansion in riscv_return_value, but we do in riscv_push_dummy_call. The result is that small integer types (like char) result in a full xlen sized register being written into the output buffer, which results in buffer overflow. To address this issue we now create a value of the expanded type and use this values contents buffer to hold the return value before casting the value down to the smaller expected type. This patch resolves all of the valgrind issues I have found so far, and causes no regressions. Tested against RV32/64 with and without floating point support. gdb/ChangeLog: * riscv-tdep.c (riscv_call_arg_struct): Don't adjust size before assigning locations. (riscv_return_value): Take more care not to read/write outside of argument buffer. Cast return value between the declared type and the abi type.
Diffstat (limited to 'missing')
0 files changed, 0 insertions, 0 deletions