Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs

From:	Alex Bennée
Subject:	Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs
Date:	Fri, 08 Nov 2019 14:09:52 +0000
User-agent:	mu4e 1.3.5; emacs 27.0.50

Damien Hedde <address@hidden> writes:

> Ensure we don't put too much register data in buffers. This avoids
> a buffer overflow (and stack corruption) when a target has lots
> of registers.
>
> Signed-off-by: Damien Hedde <address@hidden>
> ---
>
> Hi all,
>
> While working on a target with many registers. I found out the gdbstub
> may do buffer overflows when receiving a 'g' query (to read general
> registers). This patch prevents that.
>
> Gdb is pretty happy with a partial set of registers and queries
> remaining registers one by one when needed.

Heh I was just looking at this code with regards to SVE (which can get
quite big).

>
> Regards,
> Damien
> ---
>  gdbstub.c | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gdbstub.c b/gdbstub.c
> index 4cf8af365e..dde0cfe0fe 100644
> --- a/gdbstub.c
> +++ b/gdbstub.c
> @@ -1810,8 +1810,17 @@ static void handle_read_all_regs(GdbCmdContext 
> *gdb_ctx, void *user_ctx)
>      cpu_synchronize_state(gdb_ctx->s->g_cpu);
>      len = 0;
>      for (addr = 0; addr < gdb_ctx->s->g_cpu->gdb_num_g_regs; addr++) {
> -        len += gdb_read_register(gdb_ctx->s->g_cpu, gdb_ctx->mem_buf + len,
> -                                 addr);
> +        int size = gdb_read_register(gdb_ctx->s->g_cpu, gdb_ctx->mem_buf + 
> len,
> +                                     addr);
> +        if (len + size > MAX_PACKET_LENGTH / 2) {
> +            /*
> +             * Prevent gdb_ctx->str_buf overflow in memtohex() below.
> +             * As a consequence, send only the first registers content.
> +             * Gdb will query remaining ones if/when needed.
> +             */

Haven't we already potentially overflowed gdb_ctx->mem_buf though? I
suspect the better fix is for str_buf is to make it growable with
g_string and be able to handle arbitrary size conversions (unless the
spec limits us). But we still don't want a hostile gdbstub to be able to
spam memory by asking for registers that might be bigger than
MAX_PACKET_LENGTH bytes.

> +            break;
> +        }
> +        len += size;
>      }
>
>      memtohex(gdb_ctx->str_buf, gdb_ctx->mem_buf, len);


--
Alex Bennée

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Luc Michel, 2019/11/08
- Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Alex Bennée <=
  - Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/08
    - Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/08
    - Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Alex Bennée, 2019/11/08
    - Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/14
    - Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Alex Bennée, 2019/11/14
    - Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs, Damien Hedde, 2019/11/14

Prev by Date: [Bug 1844814] Re: trace: SystemTap documentation out of date
Next by Date: Re: [PATCH v15 10/12] hmat acpi: Build System Locality Latency and Bandwidth Information Structure(s)
Previous by thread: Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs
Next by thread: Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs
Index(es):
- Date
- Thread