mirror/binutils-gdb
2
0
Fork 0
mirror of https://sourceware.org/git/binutils-gdb.git synced 2025-03-19 13:51:44 +08:00
Code Issues Packages Projects Releases Wiki Activity

[gdb/record] Fix out-of-bounds write in aarch64_record_asimd_load_store

Browse Source 
After compiling gdb with -fstack-protector-all, and running test-case
gdb.reverse/getrandom.exp on aarch64-linux, we run into
"Stack smashing detected" in function aarch64_record_asimd_load_store.

This is reported in PR record/32784.

This happens due to an out-of-bounds write to local array record_buf_mem:
...
  uint64_t record_buf_mem[24];
...
when recording insn:
...
B+>0xfffff7ff4d10  st1     {v0.16b-v3.16b}, [x0]
...

We can fix this by increasing the array size to 128, but rather than again
hardcoding a size, reimplement record_buf_mem as std::vector.

Tested on aarch64-linux.

Approved-By: Guinevere Larsen <guinevere@redhat.com>

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=32784
(cherry picked from commit 51729ea0905d1f688b7fd2ea769e69b29daa1b7c)
This commit is contained in:
Tom de Vries 2025-03-13 11:15:05 +01:00
parent 465465ce9c
commit 55b7a56b1f
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
gdb/aarch64-tdep.c
View File

@ -5200,9 +5200,9 @@ aarch64_record_asimd_load_store (aarch64_insn_decode_record *aarch64_insn_r)
CORE_ADDR address;
uint64_t addr_offset = 0;
uint32_t record_buf[24];
uint64_t record_buf_mem[24];
std::vector<uint64_t> record_buf_mem;
uint32_t reg_rn, reg_rt;
uint32_t reg_index = 0, mem_index = 0;
uint32_t reg_index = 0;
uint8_t opcode_bits, size_bits;
reg_rt = bits (aarch64_insn_r->aarch64_insn, 0, 4);
@ -5265,8 +5265,8 @@ aarch64_record_asimd_load_store (aarch64_insn_decode_record *aarch64_insn_r)
record_buf[reg_index++] = reg_rt + AARCH64_V0_REGNUM;
else
{
record_buf_mem[mem_index++] = esize / 8;
record_buf_mem[mem_index++] = address + addr_offset;
record_buf_mem.push_back (esize / 8);
record_buf_mem.push_back (address + addr_offset);
}
addr_offset = addr_offset + (esize / 8);
reg_rt = (reg_rt + 1) % 32;
@ -5337,8 +5337,8 @@ aarch64_record_asimd_load_store (aarch64_insn_decode_record *aarch64_insn_r)
record_buf[reg_index++] = reg_tt + AARCH64_V0_REGNUM;
else
{
record_buf_mem[mem_index++] = esize / 8;
record_buf_mem[mem_index++] = address + addr_offset;
record_buf_mem.push_back (esize / 8);
record_buf_mem.push_back (address + addr_offset);
}
addr_offset = addr_offset + (esize / 8);
reg_tt = (reg_tt + 1) % 32;
@ -5350,9 +5350,9 @@ aarch64_record_asimd_load_store (aarch64_insn_decode_record *aarch64_insn_r)
record_buf[reg_index++] = reg_rn;
aarch64_insn_r->reg_rec_count = reg_index;
aarch64_insn_r->mem_rec_count = mem_index / 2;
aarch64_insn_r->mem_rec_count = record_buf_mem.size () / 2;
MEM_ALLOC (aarch64_insn_r->aarch64_mems, aarch64_insn_r->mem_rec_count,
record_buf_mem);
record_buf_mem.data ());
REG_ALLOC (aarch64_insn_r->aarch64_regs, aarch64_insn_r->reg_rec_count,
record_buf);
return AARCH64_RECORD_SUCCESS;