diff options
author | Andrew Burgess <andrew.burgess@embecosm.com> | 2018-11-27 13:41:44 +0000 |
---|---|---|
committer | Andrew Burgess <andrew.burgess@embecosm.com> | 2018-12-22 10:06:50 +0000 |
commit | 74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0 (patch) | |
tree | 6fb6bcdf563f8e2bdfdf145b30e0e0f6a3a69ad2 /missing | |
parent | ecc82c059059cfa21a8a099779253686f9637f9f (diff) | |
download | gdb-74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0.zip gdb-74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0.tar.gz gdb-74e3300d8aecbc6973f61c8cbbecd7bdac4f05d0.tar.bz2 |
gdb/riscv: Prevent buffer overflow in riscv_return_value
The existing code for reading and writing the return value can
overflow the passed in buffers in a couple of situations. This commit
aims to resolve these issues.
The problems were detected using valgrind, here are two examples,
first from gdb.base/structs.exp:
(gdb) p/x fun9()
==31353== Invalid write of size 8
==31353== at 0x4C34153: memmove (vg_replace_strmem.c:1270)
==31353== by 0x632EBB: memcpy (string_fortified.h:34)
==31353== by 0x632EBB: readable_regcache::raw_read(int, unsigned char*) (regcache.c:538)
==31353== by 0x659D3F: riscv_return_value(gdbarch*, value*, type*, regcache*, unsigned char*, unsigned char const*) (riscv-tdep.c:2593)
==31353== by 0x583641: get_call_return_value (infcall.c:448)
==31353== by 0x583641: call_thread_fsm_should_stop(thread_fsm*, thread_info*) (infcall.c:546)
==31353== by 0x59BBEC: fetch_inferior_event(void*) (infrun.c:3883)
==31353== by 0x53890B: check_async_event_handlers (event-loop.c:1064)
==31353== by 0x53890B: gdb_do_one_event() [clone .part.4] (event-loop.c:326)
==31353== by 0x6CA34B: wait_sync_command_done() (top.c:503)
==31353== by 0x584653: run_inferior_call (infcall.c:621)
...
And from gdb.base/call-sc.exp:
(gdb) advance fun
fun () at /gdb/gdb/testsuite/gdb.base/call-sc.c:41
41 return foo;
(gdb) finish
==1968== Invalid write of size 8
==1968== at 0x4C34153: memmove (vg_replace_strmem.c:1270)
==1968== by 0x632EBB: memcpy (string_fortified.h:34)
==1968== by 0x632EBB: readable_regcache::raw_read(int, unsigned char*) (regcache.c:538)
==1968== by 0x659D01: riscv_return_value(gdbarch*, value*, type*, regcache*, unsigned char*, unsigned char const*) (riscv-tdep.c:2576)
==1968== by 0x5891E4: get_return_value(value*, type*) (infcmd.c:1640)
==1968== by 0x5892C4: finish_command_fsm_should_stop(thread_fsm*, thread_info*) (infcmd.c:1808)
==1968== by 0x59BBEC: fetch_inferior_event(void*) (infrun.c:3883)
==1968== by 0x53890B: check_async_event_handlers (event-loop.c:1064)
==1968== by 0x53890B: gdb_do_one_event() [clone .part.4] (event-loop.c:326)
==1968== by 0x6CA34B: wait_sync_command_done() (top.c:503)
...
There are a couple of problems with the existing code, that are all
related.
In riscv_call_arg_struct we incorrectly rounded up the size of a
structure argument. This is unnecessary, and caused GDB to read too
much data into the output buffer when extracting a struct return
value.
In fixing this it became clear that we were incorrectly assuming that
any value being placed in a register (or read from a register) would
always access the entire register. This is not true, for example a
9-byte struct on a 64-bit target places 8-bytes in one registers and
1-byte in a second register (assuming available registers). To handle
this I switch from using cooked_read to cooked_read_part.
Finally, when processing basic integer return value types these are
extended to xlen sized types and then passed in registers. We
currently don't handle this type expansion in riscv_return_value, but
we do in riscv_push_dummy_call. The result is that small integer
types (like char) result in a full xlen sized register being written
into the output buffer, which results in buffer overflow. To address
this issue we now create a value of the expanded type and use this
values contents buffer to hold the return value before casting the
value down to the smaller expected type.
This patch resolves all of the valgrind issues I have found so far,
and causes no regressions. Tested against RV32/64 with and without
floating point support.
gdb/ChangeLog:
* riscv-tdep.c (riscv_call_arg_struct): Don't adjust size before
assigning locations.
(riscv_return_value): Take more care not to read/write outside of
argument buffer. Cast return value between the declared type and
the abi type.
Diffstat (limited to 'missing')
0 files changed, 0 insertions, 0 deletions