From: "Alex Bennée" <alex.bennee@linaro.org>
To: Damien Hedde <damien.hedde@greensocs.com>
Cc: philmd@redhat.com, qemu-devel@nongnu.org
Subject: Re: [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs
Date: Fri, 08 Nov 2019 14:09:52 +0000 [thread overview]
Message-ID: <877e4ah32n.fsf@linaro.org> (raw)
In-Reply-To: <20191108125534.114474-1-damien.hedde@greensocs.com>
Damien Hedde <damien.hedde@greensocs.com> writes:
> Ensure we don't put too much register data in buffers. This avoids
> a buffer overflow (and stack corruption) when a target has lots
> of registers.
>
> Signed-off-by: Damien Hedde <damien.hedde@greensocs.com>
> ---
>
> Hi all,
>
> While working on a target with many registers. I found out the gdbstub
> may do buffer overflows when receiving a 'g' query (to read general
> registers). This patch prevents that.
>
> Gdb is pretty happy with a partial set of registers and queries
> remaining registers one by one when needed.
Heh I was just looking at this code with regards to SVE (which can get
quite big).
>
> Regards,
> Damien
> ---
> gdbstub.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/gdbstub.c b/gdbstub.c
> index 4cf8af365e..dde0cfe0fe 100644
> --- a/gdbstub.c
> +++ b/gdbstub.c
> @@ -1810,8 +1810,17 @@ static void handle_read_all_regs(GdbCmdContext *gdb_ctx, void *user_ctx)
> cpu_synchronize_state(gdb_ctx->s->g_cpu);
> len = 0;
> for (addr = 0; addr < gdb_ctx->s->g_cpu->gdb_num_g_regs; addr++) {
> - len += gdb_read_register(gdb_ctx->s->g_cpu, gdb_ctx->mem_buf + len,
> - addr);
> + int size = gdb_read_register(gdb_ctx->s->g_cpu, gdb_ctx->mem_buf + len,
> + addr);
> + if (len + size > MAX_PACKET_LENGTH / 2) {
> + /*
> + * Prevent gdb_ctx->str_buf overflow in memtohex() below.
> + * As a consequence, send only the first registers content.
> + * Gdb will query remaining ones if/when needed.
> + */
Haven't we already potentially overflowed gdb_ctx->mem_buf though? I
suspect the better fix is for str_buf is to make it growable with
g_string and be able to handle arbitrary size conversions (unless the
spec limits us). But we still don't want a hostile gdbstub to be able to
spam memory by asking for registers that might be bigger than
MAX_PACKET_LENGTH bytes.
> + break;
> + }
> + len += size;
> }
>
> memtohex(gdb_ctx->str_buf, gdb_ctx->mem_buf, len);
--
Alex Bennée
next prev parent reply other threads:[~2019-11-08 14:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-08 12:55 [PATCH] gdbstub: Fix buffer overflow in handle_read_all_regs Damien Hedde
2019-11-08 13:40 ` Luc Michel
2019-11-08 14:09 ` Alex Bennée [this message]
2019-11-08 14:43 ` Damien Hedde
2019-11-08 14:52 ` Damien Hedde
2019-11-08 16:50 ` Alex Bennée
2019-11-14 10:19 ` Damien Hedde
2019-11-14 13:47 ` Alex Bennée
2019-11-14 14:43 ` Damien Hedde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=877e4ah32n.fsf@linaro.org \
--to=alex.bennee@linaro.org \
--cc=damien.hedde@greensocs.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.