OpenE2K
/
binutils-gdb
12
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

PR gdb/15236: gdbserver write to linux memory with zero length corrupts stack 

PROBLEM:

The function linux_write_memory () in linux-low.c allocates a buffer
on the stack to hold a copy of the data to be written.

  register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
    alloca (count * sizeof (PTRACE_XFER_TYPE));

"count" is the number of bytes to be written, rounded up to the
nearest multiple of sizeof (PTRACE_XFER_TYPE) and allowing for not
being an aligned address. The function later uses

  buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
                      (PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);

The problem is that this function can be called to write zero bytes on
an aligned address, for example when receiving an X packet of length 0
(used to test if 8-bit write is supported). Under these circumstances,
count can be zero.

Since in this case, buffer[0] may never have been allocated, the stack
is corrupted and gdbserver may crash.

SOLUTION:

Writing zero bytes should always succeed. The patch below returns
successfully early if the length is zero, so avoiding the stack
corruption.

Verified on the ARC GDB 7.5.1 port.

2013-03-07  Jeremy Bennett  <jeremy.bennett@embecosm.com>

	PR server/15236

	* linux-low.c (linux_write_memory): Return early success if LEN is
	zero.
This commit is contained in:
Pedro Alves 2013-03-07 09:47:57 +00:00
parent 02e60bf7ba
commit f0ae6fc35c
2 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
gdb/gdbserver/ChangeLog
View File

@ -1,3 +1,9 @@
2013-03-07 Jeremy Bennett <jeremy.bennett@embecosm.com>
PR server/15236
* linux-low.c (linux_write_memory): Return early success if LEN is
zero.
2013-03-05 Corinna Vinschen <vinschen@redhat.de>
* configure.srv: Add x86_64-*-cygwin* as target.

8
gdb/gdbserver/linux-low.c
View File

@ -4481,7 +4481,7 @@ linux_read_memory (CORE_ADDR memaddr, unsigned char *myaddr, int len)
/* Copy LEN bytes of data from debugger memory at MYADDR to inferior's
memory at MEMADDR. On failure (cannot write to the inferior)
returns the value of errno. */
returns the value of errno. Always succeeds if LEN is zero. */
static int
linux_write_memory (CORE_ADDR memaddr, const unsigned char *myaddr, int len)
@ -4500,6 +4500,12 @@ linux_write_memory (CORE_ADDR memaddr, const unsigned char *myaddr, int len)
int pid = lwpid_of (get_thread_lwp (current_inferior));
if (len == 0)
{
/* Zero length write always succeeds. */
return 0;
}
if (debug_threads)
{
/* Dump up to four bytes. */