mirror of
https://github.com/espressif/binutils-gdb.git
synced 2025-06-19 17:18:24 +08:00
74e3300d8a
The existing code for reading and writing the return value can
overflow the passed in buffers in a couple of situations. This commit
aims to resolve these issues.
The problems were detected using valgrind, here are two examples,
first from gdb.base/structs.exp:
(gdb) p/x fun9()
==31353== Invalid write of size 8
==31353== at 0x4C34153: memmove (vg_replace_strmem.c:1270)
==31353== by 0x632EBB: memcpy (string_fortified.h:34)
==31353== by 0x632EBB: readable_regcache::raw_read(int, unsigned char*) (regcache.c:538)
==31353== by 0x659D3F: riscv_return_value(gdbarch*, value*, type*, regcache*, unsigned char*, unsigned char const*) (riscv-tdep.c:2593)
==31353== by 0x583641: get_call_return_value (infcall.c:448)
==31353== by 0x583641: call_thread_fsm_should_stop(thread_fsm*, thread_info*) (infcall.c:546)
==31353== by 0x59BBEC: fetch_inferior_event(void*) (infrun.c:3883)
==31353== by 0x53890B: check_async_event_handlers (event-loop.c:1064)
==31353== by 0x53890B: gdb_do_one_event() [clone .part.4] (event-loop.c:326)
==31353== by 0x6CA34B: wait_sync_command_done() (top.c:503)
==31353== by 0x584653: run_inferior_call (infcall.c:621)
...
And from gdb.base/call-sc.exp:
(gdb) advance fun
fun () at /gdb/gdb/testsuite/gdb.base/call-sc.c:41
41 return foo;
(gdb) finish
==1968== Invalid write of size 8
==1968== at 0x4C34153: memmove (vg_replace_strmem.c:1270)
==1968== by 0x632EBB: memcpy (string_fortified.h:34)
==1968== by 0x632EBB: readable_regcache::raw_read(int, unsigned char*) (regcache.c:538)
==1968== by 0x659D01: riscv_return_value(gdbarch*, value*, type*, regcache*, unsigned char*, unsigned char const*) (riscv-tdep.c:2576)
==1968== by 0x5891E4: get_return_value(value*, type*) (infcmd.c:1640)
==1968== by 0x5892C4: finish_command_fsm_should_stop(thread_fsm*, thread_info*) (infcmd.c:1808)
==1968== by 0x59BBEC: fetch_inferior_event(void*) (infrun.c:3883)
==1968== by 0x53890B: check_async_event_handlers (event-loop.c:1064)
==1968== by 0x53890B: gdb_do_one_event() [clone .part.4] (event-loop.c:326)
==1968== by 0x6CA34B: wait_sync_command_done() (top.c:503)
...
There are a couple of problems with the existing code, that are all
related.
In riscv_call_arg_struct we incorrectly rounded up the size of a
structure argument. This is unnecessary, and caused GDB to read too
much data into the output buffer when extracting a struct return
value.
In fixing this it became clear that we were incorrectly assuming that
any value being placed in a register (or read from a register) would
always access the entire register. This is not true, for example a
9-byte struct on a 64-bit target places 8-bytes in one registers and
1-byte in a second register (assuming available registers). To handle
this I switch from using cooked_read to cooked_read_part.
Finally, when processing basic integer return value types these are
extended to xlen sized types and then passed in registers. We
currently don't handle this type expansion in riscv_return_value, but
we do in riscv_push_dummy_call. The result is that small integer
types (like char) result in a full xlen sized register being written
into the output buffer, which results in buffer overflow. To address
this issue we now create a value of the expanded type and use this
values contents buffer to hold the return value before casting the
value down to the smaller expected type.
This patch resolves all of the valgrind issues I have found so far,
and causes no regressions. Tested against RV32/64 with and without
floating point support.
gdb/ChangeLog:
* riscv-tdep.c (riscv_call_arg_struct): Don't adjust size before
assigning locations.
(riscv_return_value): Take more care not to read/write outside of
argument buffer. Cast return value between the declared type and
the abi type.
README for GNU development tools This directory contains various GNU compilers, assemblers, linkers, debuggers, etc., plus their support routines, definitions, and documentation. If you are receiving this as part of a GDB release, see the file gdb/README. If with a binutils release, see binutils/README; if with a libg++ release, see libg++/README, etc. That'll give you info about this package -- supported targets, how to use it, how to report bugs, etc. It is now possible to automatically configure and build a variety of tools with one command. To build all of the tools contained herein, run the ``configure'' script here, e.g.: ./configure make To install them (by default in /usr/local/bin, /usr/local/lib, etc), then do: make install (If the configure script can't determine your type of computer, give it the name as an argument, for instance ``./configure sun4''. You can use the script ``config.sub'' to test whether a name is recognized; if it is, config.sub translates it to a triplet specifying CPU, vendor, and OS.) If you have more than one compiler on your system, it is often best to explicitly set CC in the environment before running configure, and to also set CC when running make. For example (assuming sh/bash/ksh): CC=gcc ./configure make A similar example using csh: setenv CC gcc ./configure make Much of the code and documentation enclosed is copyright by the Free Software Foundation, Inc. See the file COPYING or COPYING.LIB in the various directories, for a description of the GNU General Public License terms under which you can copy the files. REPORTING BUGS: Again, see gdb/README, binutils/README, etc., for info on where and how to report problems.