This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



[Bug server/15236] New: gdbserver write to linux memory with zero length corrupts stack


http://sourceware.org/bugzilla/show_bug.cgi?id=15236

             Bug #: 15236
           Summary: gdbserver write to linux memory with zero length
                    corrupts stack
           Product: gdb
           Version: unknown
            Status: NEW
          Severity: normal
          Priority: P2
         Component: server
        AssignedTo: unassigned@sourceware.org
        ReportedBy: jeremy.bennett@embecosm.com
    Classification: Unclassified


The function linux_write_memory () allocates a buffer on the stack to hold a
copy of the data to be written.

  register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
    alloca (count * sizeof (PTRACE_XFER_TYPE));

"count" is the number of bytes to be written, rounded up to the nearest
multiple of sizeof (PTRACE_XFER_TYPE), i.e. sizeof (long). It later uses

  buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
                      (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);

The problem is that this function can be called to write zero bytes, for
example when receiving an X packet of length 0 (used to test if 8-bit write is
supported). Under these circumstances, count can be zero.

Since in this case, buffer[0] may never have been allocated, the stack is
corrupted.
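The rounding that produces count, and the early return that avoids indexing a zero-length alloca buffer, as an added example that is not gdbserver code: target_mem, peek_word and poke_word are constructed stand-ins for the inferior's memory and for PTRACE_PEEKTEXT/PTRACE_POKETEXT, and XFER_TYPE stands in for PTRACE_XFER_TYPE.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef long XFER_TYPE;                        /* stand-in for PTRACE_XFER_TYPE */
#define TARGET_SIZE 64
static unsigned char target_mem[TARGET_SIZE];  /* constructed stand-in for inferior memory */

/* Word-rounding of the request: the number of XFER_TYPE words covering
   [memaddr, memaddr + len) once memaddr is rounded down to a word boundary.
   For an aligned memaddr and len == 0 this is 0. */
size_t xfer_word_count(uintptr_t memaddr, size_t len)
{
  uintptr_t addr = memaddr & -(uintptr_t) sizeof (XFER_TYPE);
  return ((memaddr + len) - addr + sizeof (XFER_TYPE) - 1) / sizeof (XFER_TYPE);
}

/* Stand-ins for PTRACE_PEEKTEXT / PTRACE_POKETEXT on target_mem.  */
static XFER_TYPE peek_word(uintptr_t addr)
{ XFER_TYPE w; memcpy(&w, target_mem + addr, sizeof w); return w; }
static void poke_word(uintptr_t addr, XFER_TYPE w)
{ memcpy(target_mem + addr, &w, sizeof w); }

/* Write len bytes from myaddr to memaddr.  Returns 0 on success, 1 on error.  */
int write_memory(uintptr_t memaddr, const unsigned char *myaddr, size_t len)
{
  if (len == 0)             /* zero-length X packet: nothing to copy and no buffer[0] */
    return 0;
  uintptr_t addr = memaddr & -(uintptr_t) sizeof (XFER_TYPE);
  size_t count = xfer_word_count(memaddr, len);
  if (addr + count * sizeof (XFER_TYPE) > TARGET_SIZE)
    return 1;               /* request runs past the stand-in memory */
  XFER_TYPE *buffer = alloca(count * sizeof (XFER_TYPE));   /* count >= 1 here */
  /* Preload the first and last words so the bytes outside [memaddr, memaddr+len) survive.  */
  buffer[0] = peek_word(addr);
  if (count > 1)
    buffer[count - 1] = peek_word(addr + (count - 1) * sizeof (XFER_TYPE));
  memcpy((unsigned char *) buffer + (memaddr & (sizeof (XFER_TYPE) - 1)), myaddr, len);
  for (size_t i = 0; i < count; i++)
    poke_word(addr + i * sizeof (XFER_TYPE), buffer[i]);
  return 0;
}
```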

Patch to follow...

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

