This is the mail archive of the
gdb-prs@sourceware.org
mailing list for the GDB project.
[Bug server/15236] New: gdbserver write to linux memory with zerolength corrupts stack
- From: "jeremy.bennett at embecosm dot com" <sourceware-bugzilla at sourceware dot org>
- To: gdb-prs at sourceware dot org
- Date: Wed, 06 Mar 2013 15:02:49 +0000
- Subject: [Bug server/15236] New: gdbserver write to linux memory with zerolength corrupts stack
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=15236
Bug #: 15236
Summary: gdbserver write to linux memory with zero length corrupts stack
Product: gdb
Version: unknown
Status: NEW
Severity: normal
Priority: P2
Component: server
AssignedTo: unassigned@sourceware.org
ReportedBy: jeremy.bennett@embecosm.com
Classification: Unclassified
The function linux_write_memory () allocates a buffer on the stack to hold a
copy of the data to be written.
register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
alloca (count * sizeof (PTRACE_XFER_TYPE));
"count" is the number of bytes to be written, rounded up to the nearest
multiple of sizeof (PTRACE_XFER_TYPE). I.e. sizeof (long). It later uses
buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
(PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);
The problem is that this function can be called to write zero bytes, for
example when receiving an X packet of length 0 (used to test if 8-bit write is
supported). Under these circumstances, count can be zero.
Since in this case, buffer[0] may never have been allocated, the stack is
corrupted.
Patch to follow...
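The zero-length case described in the report, as an added example in C that is neither gdbserver's code nor the patch the report announces. It models linux_write_memory () against a constructed in-process byte array instead of ptrace: words_needed () reproduces the word-count computation (round the start down, round the end up, count words), so that len == 0 at an aligned address gives 0 words and therefore a 0-byte alloca () buffer, and write_memory_guarded () shows the early return that keeps buffer[0] from ever being touched in that case, together with the read-modify-write of the boundary words that a word-granular write needs. The names inferior_mem, peek_word, poke_word, words_needed, write_memory_guarded, reset_memory, read_byte and sample_payload are assumptions of this example.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The word type gdbserver moves through ptrace on Linux: sizeof (long). */
typedef long PTRACE_XFER_TYPE;

/* Constructed stand-in for the inferior's address space (not ptrace):
   an "address" here is an offset into this array. */
static unsigned char inferior_mem[64];

/* Constructed payload used by main() and the usage below. */
static const unsigned char sample_payload[3] = { 1, 2, 3 };

void reset_memory(void)
{
  memset(inferior_mem, 0xAA, sizeof inferior_mem);
}

unsigned char read_byte(size_t addr)
{
  return inferior_mem[addr];
}

static PTRACE_XFER_TYPE peek_word(size_t addr)
{
  PTRACE_XFER_TYPE w;
  memcpy(&w, inferior_mem + addr, sizeof w);
  return w;
}

static void poke_word(size_t addr, PTRACE_XFER_TYPE w)
{
  memcpy(inferior_mem + addr, &w, sizeof w);
}

/* The word count linux_write_memory () sizes its alloca () buffer with:
   round MEMADDR down to a word boundary, round MEMADDR + LEN up, and
   count the words in between.  For LEN == 0 at an aligned MEMADDR this
   is 0, so the buffer has no room for buffer[0]. */
size_t words_needed(size_t memaddr, size_t len)
{
  const size_t word = sizeof (PTRACE_XFER_TYPE);
  size_t addr = memaddr & ~(word - 1);
  return ((memaddr + len) - addr + word - 1) / word;
}

/* Write LEN bytes from MYADDR to MEMADDR word by word, the way
   linux_write_memory () does.  Returns 0 on success, -1 if the request
   falls outside the model's memory.  The zero-length early return is
   the guard this example adds; it is not the project's patch. */
int write_memory_guarded(size_t memaddr, const unsigned char *myaddr, size_t len)
{
  const size_t word = sizeof (PTRACE_XFER_TYPE);

  if (len == 0)
    return 0;   /* nothing to write: never size a buffer of 0 words */
  if (memaddr + len > sizeof inferior_mem)
    return -1;

  size_t addr = memaddr & ~(word - 1);
  size_t count = words_needed(memaddr, len);   /* >= 1 once len > 0 */
  PTRACE_XFER_TYPE *buffer = alloca(count * word);

  /* Read the boundary words first so bytes outside [memaddr, memaddr+len)
     survive the whole-word writes below. */
  buffer[0] = peek_word(addr);
  if (count > 1)
    buffer[count - 1] = peek_word(addr + (count - 1) * word);

  memcpy((unsigned char *) buffer + (memaddr - addr), myaddr, len);

  for (size_t i = 0; i < count; i++)
    poke_word(addr + i * word, buffer[i]);
  return 0;
}

int main(void)
{
  reset_memory();
  printf("words for len 0 at aligned addr 8: %zu\n", words_needed(8, 0));
  printf("zero-length write returns %d\n",
         write_memory_guarded(8, sample_payload, 0));
  printf("2-byte write at 7 returns %d; bytes 6..9: %02x %02x %02x %02x\n",
         write_memory_guarded(7, sample_payload, 2),
         read_byte(6), read_byte(7), read_byte(8), read_byte(9));
  return 0;
}
```

words_needed (8, 0) returning 0 is the whole bug in one number: the original code then allocates 0 bytes and still stores the PTRACE_PEEKTEXT result into buffer[0]. Whether that store lands on something that matters depends on the stack layout, which is why the symptom is corruption rather than a clean crash; the guard makes the question moot by never reaching the allocation for an empty write.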