From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] [PULL 4/5] gdbstub: Fix misuse of isxdigit()
Date: Wed, 22 May 2019 15:47:25 +0200 [thread overview]
Message-ID: <20190522134726.19225-5-armbru@redhat.com> (raw)
In-Reply-To: <20190522134726.19225-1-armbru@redhat.com>
gdb_read_byte() passes its @ch argument to isxdigit(). Undefined
behavior when the value is negative. Two callers:
* gdb_chr_receive() passes an uint8_t value. Safe.
* gdb_handlesig() a char value. Unsafe. Not a security issue,
because the characters come from the gdb client, which is trusted.
The obvious fix would be casting @ch to unsigned char. But note that
gdb_read_byte() already casts @ch to uint8_t in many places. Uses of
@ch without such a cast:
(1) Compare to a character constant with == or !=
(2) s->linesum += ch
(3) Store ch or ch ^ 0x20 into s->line_buf[]
(4) Check for invalid RLE count:
ch < ' ' || ch == '#' || ch == '$' || ch > 126
(5) Pass to isxdigit()
(6) Pass to fromhex()
Change the parameter type from int to uint8_t, and drop the now
redundant casts. Affects the above uses as follows:
(1) No change: the character constants are all non-negative.
(2) Effectively no change: we only ever use s->linesum & 0xff, and
s->linesum is int.
(3) No change: s->line_buf[] is char[].
(4) No change.
(5) Avoid undefined behavior.
(6) No change: only reached when isxdigit(ch)
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190514180311.16028-5-armbru@redhat.com>
---
gdbstub.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/gdbstub.c b/gdbstub.c
index c41eb1de07..b129df4e59 100644
--- a/gdbstub.c
+++ b/gdbstub.c
@@ -1987,7 +1987,7 @@ void gdb_do_syscall(gdb_syscall_complete_cb cb, const char *fmt, ...)
va_end(va);
}
-static void gdb_read_byte(GDBState *s, int ch)
+static void gdb_read_byte(GDBState *s, uint8_t ch)
{
uint8_t reply;
@@ -2001,7 +2001,7 @@ static void gdb_read_byte(GDBState *s, int ch)
} else if (ch == '+') {
trace_gdbstub_io_got_ack();
} else {
- trace_gdbstub_io_got_unexpected((uint8_t)ch);
+ trace_gdbstub_io_got_unexpected(ch);
}
if (ch == '+' || ch == '$')
@@ -2024,7 +2024,7 @@ static void gdb_read_byte(GDBState *s, int ch)
s->line_sum = 0;
s->state = RS_GETLINE;
} else {
- trace_gdbstub_err_garbage((uint8_t)ch);
+ trace_gdbstub_err_garbage(ch);
}
break;
case RS_GETLINE:
@@ -2070,11 +2070,11 @@ static void gdb_read_byte(GDBState *s, int ch)
*/
if (ch < ' ' || ch == '#' || ch == '$' || ch > 126) {
/* invalid RLE count encoding */
- trace_gdbstub_err_invalid_repeat((uint8_t)ch);
+ trace_gdbstub_err_invalid_repeat(ch);
s->state = RS_GETLINE;
} else {
/* decode repeat length */
- int repeat = (unsigned char)ch - ' ' + 3;
+ int repeat = ch - ' ' + 3;
if (s->line_buf_index + repeat >= sizeof(s->line_buf) - 1) {
/* that many repeats would overrun the command buffer */
trace_gdbstub_err_overrun();
@@ -2096,7 +2096,7 @@ static void gdb_read_byte(GDBState *s, int ch)
case RS_CHKSUM1:
/* get high hex digit of checksum */
if (!isxdigit(ch)) {
- trace_gdbstub_err_checksum_invalid((uint8_t)ch);
+ trace_gdbstub_err_checksum_invalid(ch);
s->state = RS_GETLINE;
break;
}
@@ -2107,7 +2107,7 @@ static void gdb_read_byte(GDBState *s, int ch)
case RS_CHKSUM2:
/* get low hex digit of checksum */
if (!isxdigit(ch)) {
- trace_gdbstub_err_checksum_invalid((uint8_t)ch);
+ trace_gdbstub_err_checksum_invalid(ch);
s->state = RS_GETLINE;
break;
}
--
2.17.2
next prev parent reply other threads:[~2019-05-22 13:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-22 13:47 [Qemu-devel] [PULL 0/5] Miscellaneous patches for 2019-05-22 Markus Armbruster
2019-05-22 13:47 ` [Qemu-devel] [PULL 1/5] qemu-bridge-helper: Fix misuse of isspace() Markus Armbruster
2019-05-30 11:06 ` Peter Maydell
2019-05-22 13:47 ` [Qemu-devel] [PULL 2/5] tests/vhost-user-bridge: Fix misuse of isdigit() Markus Armbruster
2019-05-22 13:47 ` [Qemu-devel] [PULL 3/5] gdbstub: Reject invalid RLE repeat counts Markus Armbruster
2019-05-22 13:47 ` Markus Armbruster [this message]
2019-05-22 13:47 ` [Qemu-devel] [PULL 5/5] cutils: Simplify how parse_uint() checks for whitespace Markus Armbruster
2019-05-23 11:00 ` [Qemu-devel] [PULL 0/5] Miscellaneous patches for 2019-05-22 Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190522134726.19225-5-armbru@redhat.com \
--to=armbru@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).