This is the mail archive of the gdb-prs@sourceware.org mailing list for the GDB project.



[Bug server/15236] gdbserver write to linux memory with zero length corrupts stack


http://sourceware.org/bugzilla/show_bug.cgi?id=15236

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> 2013-03-07 09:48:05 UTC ---
CVSROOT:    /cvs/src
Module name:    src
Changes by:    palves@sourceware.org    2013-03-07 09:47:58

Modified files:
    gdb/gdbserver  : ChangeLog linux-low.c 

Log message:
    PR gdb/15236: gdbserver write to linux memory with zero length corrupts stack

    PROBLEM:

    The function linux_write_memory () in linux-low.c allocates a buffer
    on the stack to hold a copy of the data to be written.

    register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
    alloca (count * sizeof (PTRACE_XFER_TYPE));

    "count" is the number of bytes to be written, rounded up to the
    nearest multiple of sizeof (PTRACE_XFER_TYPE) and allowing for not
    being an aligned address. The function later uses

    buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
    (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);

    The problem is that this function can be called to write zero bytes on
    an aligned address, for example when receiving an X packet of length 0
    (used to test if 8-bit write is supported). Under these circumstances,
    count can be zero.

    Since in this case, buffer[0] may never have been allocated, the stack
    is corrupted and gdbserver may crash.

    SOLUTION:

    Writing zero bytes should always succeed. The patch below returns
    successfully early if the length is zero, so avoiding the stack
    corruption.

    Verified on the ARC GDB 7.5.1 port.

    2013-03-07  Jeremy Bennett  <jeremy.bennett@embecosm.com>

    PR server/15236

    * linux-low.c (linux_write_memory): Return early success if LEN is
    zero.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/ChangeLog.diff?cvsroot=src&r1=1.690&r2=1.691
http://sourceware.org/cgi-bin/cvsweb.cgi/src/gdb/gdbserver/linux-low.c.diff?cvsroot=src&r1=1.231&r2=1.232
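A simplified model of the defect and the fix described in the comment above, as an added example that is not the gdbserver code: `words_covering` derives "count" the way the commit message describes it (rounded up to whole words, allowing for an unaligned start), and `write_memory` does the word-sized peek/splice/poke against an in-memory image instead of ptrace. The names `word_t`, `words_covering` and `write_memory` are hypothetical stand-ins for PTRACE_XFER_TYPE and linux_write_memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef unsigned long word_t;   /* plays the role of PTRACE_XFER_TYPE */

/* Number of whole words covering [addr, addr + len), allowing for an
   unaligned start address.  For len == 0 on an aligned address this is 0,
   which is exactly the case that made alloca () return a zero-size buffer. */
size_t words_covering(uintptr_t addr, size_t len)
{
    uintptr_t start = addr & -(uintptr_t)sizeof(word_t);      /* round down */
    return ((addr + len) - start + sizeof(word_t) - 1) / sizeof(word_t);
}

/* Write len bytes of src into the simulated target image mem at byte offset
   addr, using word-granular peek/poke like the ptrace-based original.
   Returns 0 on success, -1 if the write would leave the image. */
int write_memory(unsigned char *mem, size_t mem_size,
                 uintptr_t addr, const unsigned char *src, size_t len)
{
    /* The fix from PR server/15236: writing zero bytes always succeeds.
       Without this, count could be 0 below and buffer[0] would be written
       past a zero-size buffer. */
    if (len == 0)
        return 0;

    size_t count = words_covering(addr, len);
    uintptr_t start = addr & -(uintptr_t)sizeof(word_t);
    if (start + count * sizeof(word_t) > mem_size)
        return -1;

    word_t buffer[count];       /* VLA standing in for alloca (count * sizeof) */

    /* Peek the first and last words so bytes outside [addr, addr + len)
       keep their old values when the whole words are poked back. */
    memcpy(&buffer[0], mem + start, sizeof(word_t));
    if (count > 1)
        memcpy(&buffer[count - 1],
               mem + start + (count - 1) * sizeof(word_t), sizeof(word_t));

    /* Splice the new bytes in at their unaligned offset, then poke all words. */
    memcpy((unsigned char *)buffer + (addr - start), src, len);
    memcpy(mem + start, buffer, count * sizeof(word_t));
    return 0;
}
```

The example deliberately keeps the same count derivation as the original so that removing the early return reproduces the zero-size buffer condition the bug report describes.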
