[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs
From: |
Alex Bennée |
Subject: |
Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs |
Date: |
Fri, 08 Nov 2019 14:09:52 +0000 |
User-agent: |
mu4e 1.3.5; emacs 27.0.50 |
Damien Hedde <address@hidden> writes:
> Ensure we don't put too much register data in buffers. This avoids
> a buffer overflow (and stack corruption) when a target has lots
> of registers.
>
> Signed-off-by: Damien Hedde <address@hidden>
> ---
>
> Hi all,
>
> While working on a target with many registers. I found out the gdbstub
> may do buffer overflows when receiving a 'g' query (to read general
> registers). This patch prevents that.
>
> Gdb is pretty happy with a partial set of registers and queries
> remaining registers one by one when needed.
Heh I was just looking at this code with regards to SVE (which can get
quite big).
>
> Regards,
> Damien
> ---
> gdbstub.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gdbstub.c b/gdbstub.c
> index 4cf8af365e..dde0cfe0fe 100644
> --- a/gdbstub.c
> +++ b/gdbstub.c
> @@ -1810,8 +1810,17 @@ static void handle_read_all_regs(GdbCmdContext
> *gdb_ctx, void *user_ctx)
> cpu_synchronize_state(gdb_ctx->s->g_cpu);
> len = 0;
> for (addr = 0; addr < gdb_ctx->s->g_cpu->gdb_num_g_regs; addr++) {
> - len += gdb_read_register(gdb_ctx->s->g_cpu, gdb_ctx->mem_buf + len,
> - addr);
> + int size = gdb_read_register(gdb_ctx->s->g_cpu, gdb_ctx->mem_buf +
> len,
> + addr);
> + if (len + size > MAX_PACKET_LENGTH / 2) {
> + /*
> + * Prevent gdb_ctx->str_buf overflow in memtohex() below.
> + * As a consequence, send only the first registers content.
> + * Gdb will query remaining ones if/when needed.
> + */
Haven't we already potentially overflowed gdb_ctx->mem_buf though? I
suspect the better fix is for str_buf is to make it growable with
g_string and be able to handle arbitrary size conversions (unless the
spec limits us). But we still don't want a hostile gdbstub to be able to
spam memory by asking for registers that might be bigger than
MAX_PACKET_LENGTH bytes.
> + break;
> + }
> + len += size;
> }
>
> memtohex(gdb_ctx->str_buf, gdb_ctx->mem_buf, len);
--
Alex Bennée
- [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Luc Michel, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs,
Alex Bennée <=
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Alex Bennée, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/14
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Alex Bennée, 2019/11/14
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/14