When compiling gdb with '-lasan -fsanitize=address' and running tests with:
- export ASAN_OPTIONS="detect_leaks=0:alloc_dealloc_mismatch=0", and
- a target board using local-board.exp, which sets sysroot to ""
we run into a heap-buffer-overflow in child_path, for instance in gdb.arch/amd64-byte:
...
==3997==ERROR: AddressSanitizer: heap-buffer-overflow on address \
0x60200002abcf at pc 0x5602acdf6872 bp 0x7ffe5237a090 sp 0x7ffe5237a080
READ of size 1 at 0x60200002abcf thread T0
#0 0x5602acdf6871 in child_path(char const*, char const*) \
gdb/common/pathstuff.c:161
#1 0x5602adb06587 in find_separate_debug_file gdb/symfile.c:1483
#2 0x5602adb06f2f in find_separate_debug_file_by_debuglink[abi:cxx11](...) \
gdb/symfile.c:1563
#3 0x5602ad13b743 in elf_symfile_read gdb/elfread.c:1293
#4 0x5602adb01cfa in read_symbols gdb/symfile.c:798
#5 0x5602adb03769 in syms_from_objfile_1 gdb/symfile.c:1000
#6 0x5602adb039d0 in syms_from_objfile gdb/symfile.c:1017
#7 0x5602adb04551 in symbol_file_add_with_addrs gdb/symfile.c:1124
#8 0x5602adb04ebf in symbol_file_add_from_bfd(...) gdb/symfile.c:1204
#9 0x5602ada5a78d in solib_read_symbols(...) gdb/solib.c:695
#10 0x5602ada5bdae in solib_add(char const*, int, int) gdb/solib.c:1004
#11 0x5602ada49bcd in enable_break gdb/solib-svr4.c:2394
#12 0x5602ada4dae9 in svr4_solib_create_inferior_hook gdb/solib-svr4.c:3028
#13 0x5602ada5d4f1 in solib_create_inferior_hook(int) gdb/solib.c:1215
#14 0x5602ad347f66 in post_create_inferior(target_ops*, int) \
gdb/infcmd.c:467
#15 0x5602ad348b3c in run_command_1 gdb/infcmd.c:663
#16 0x5602ad348e55 in run_command gdb/infcmd.c:686
#17 0x5602acd7d32b in do_const_cfunc gdb/cli/cli-decode.c:106
#18 0x5602acd84bfe in cmd_func(cmd_list_element*, char const*, int) \
gdb/cli/cli-decode.c:1892
#19 0x5602adc62a90 in execute_command(char const*, int) gdb/top.c:630
#20 0x5602ad5053e6 in catch_command_errors gdb/main.c:372
#21 0x5602ad507eb1 in captured_main_1 gdb/main.c:1138
#22 0x5602ad5081ec in captured_main gdb/main.c:1163
#23 0x5602ad508281 in gdb_main(captured_main_args*) gdb/main.c:1188
#24 0x5602ac9ddc3a in main gdb/gdb.c:32
#25 0x7f582b56eb96 in __libc_start_main \
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#26 0x5602ac9dda09 in _start \
(/home/smarchi/build/binutils-gdb/gdb/gdb+0x19a2a09)
0x60200002abcf is located 1 bytes to the left of 1-byte region \
[0x60200002abd0,0x60200002abd1)
allocated by thread T0 here:
#0 0x7f582e0e4b50 in __interceptor_malloc \
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x5602acdd3656 in xmalloc gdb/common/common-utils.c:44
#2 0x5602aefe17d1 in xstrdup libiberty/xstrdup.c:34
#3 0x5602acdf61f6 in gdb_realpath(char const*) gdb/common/pathstuff.c:80
#4 0x5602adb06278 in find_separate_debug_file gdb/symfile.c:1444
#5 0x5602adb06f2f in find_separate_debug_file_by_debuglink[abi:cxx11](...) \
gdb/symfile.c:1563
#6 0x5602ad13b743 in elf_symfile_read gdb/elfread.c:1293
#7 0x5602adb01cfa in read_symbols gdb/symfile.c:798
#8 0x5602adb03769 in syms_from_objfile_1 gdb/symfile.c:1000
#9 0x5602adb039d0 in syms_from_objfile gdb/symfile.c:1017
#10 0x5602adb04551 in symbol_file_add_with_addrs gdb/symfile.c:1124
#11 0x5602adb04ebf in symbol_file_add_from_bfd(...) gdb/symfile.c:1204
#12 0x5602ada5a78d in solib_read_symbols(...) gdb/solib.c:695
#13 0x5602ada5bdae in solib_add(char const*, int, int) gdb/solib.c:1004
#14 0x5602ada49bcd in enable_break gdb/solib-svr4.c:2394
#15 0x5602ada4dae9 in svr4_solib_create_inferior_hook gdb/solib-svr4.c:3028
#16 0x5602ada5d4f1 in solib_create_inferior_hook(int) gdb/solib.c:1215
#17 0x5602ad347f66 in post_create_inferior(target_ops*, int) \
gdb/infcmd.c:467
#18 0x5602ad348b3c in run_command_1 gdb/infcmd.c:663
#19 0x5602ad348e55 in run_command gdb/infcmd.c:686
#20 0x5602acd7d32b in do_const_cfunc gdb/cli/cli-decode.c:106
#21 0x5602acd84bfe in cmd_func(cmd_list_element*, char const*, int) \
gdb/cli/cli-decode.c:1892
#22 0x5602adc62a90 in execute_command(char const*, int) gdb/top.c:630
#23 0x5602ad5053e6 in catch_command_errors gdb/main.c:372
#24 0x5602ad507eb1 in captured_main_1 gdb/main.c:1138
#25 0x5602ad5081ec in captured_main gdb/main.c:1163
#26 0x5602ad508281 in gdb_main(captured_main_args*) gdb/main.c:1188
#27 0x5602ac9ddc3a in main gdb/gdb.c:32
#28 0x7f582b56eb96 in __libc_start_main \
(/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow gdb/common/pathstuff.c:161 \
in child_path(char const*, char const*)
Shadow bytes around the buggy address:
0x0c047fffd520: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fffd530: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffd540: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fffd550: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
0x0c047fffd560: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
=>0x0c047fffd570: fa fa 07 fa fa fa 00 fa fa[fa]01 fa fa fa fa fa
0x0c047fffd580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffd590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffd5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffd5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffd5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3997==ABORTING
...
The direct cause is that child_path gets called with parent == "" (the empty
sysroot), so parent_len is 0 and this test:
...
if (IS_DIR_SEPARATOR (parent[parent_len - 1]))
...
reads parent[-1], one byte before the start of the heap allocation, which
AddressSanitizer reports as a heap-buffer-overflow.
[ There is an open discussion (1) about whether an empty sysroot should indeed
be represented internally as "". But this patch focuses on fixing the
heap-buffer-overflow without any redesign. ]
Fix this by guarding the test with 'parent_len > 0', so that an empty parent
falls through to the branch requiring the child's next character to be a
directory separator.
Note that the fix makes child_path behave the same for:
- parent == "/" && child == "/foo" (returns "foo")
- parent == "" && child == "/foo" (returns "foo").
Build and reg-tested on x86_64-linux.
(1) https://sourceware.org/ml/gdb-patches/2019-05/msg00193.html
gdb/ChangeLog:
2019-06-17 Tom de Vries <tdevries@suse.de>
PR gdb/24617
* common/pathstuff.c (child_path): Make sure parent_len > 0 before
accessing parent[parent_len - 1].
/* Path manipulation routines for GDB and gdbserver.
Copyright (C) 1986-2019 Free Software Foundation, Inc.
This file is part of GDB.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
#include "common-defs.h"
#include "pathstuff.h"
#include "host-defs.h"
#include "filenames.h"
#include "gdb_tilde_expand.h"
#ifdef USE_WIN32API
#include <windows.h>
#endif
/* See common/pathstuff.h. */
gdb::unique_xmalloc_ptr<char>
gdb_realpath (const char *filename)
{
  /* Resolve FILENAME to a canonical path and return a freshly
     allocated copy of it.

     On most hosts canonicalize_file_name does the work.  Windows needs
     a different route: some GCC versions were reported to emit paths
     with doubled backslashes, e.g.

       c:\\some\\double\\slashes\\dir   instead of   c:\some\double\slashes\dir

     and those defeat path comparisons such as

       (gdb) b c:/some/double/slashes/dir/foo.c:4
       No source file named c:/some/double/slashes/dir/foo.c:4.
       (gdb) b c:\some\double\slashes\dir\foo.c:4
       No source file named c:\some\double\slashes\dir\foo.c:4.

     canonicalize_file_name collapses the duplicates only for paths that
     exist, yet the normalization is wanted even for nonexistent files
     (a breakpoint may name a file that is not present locally), so on
     Windows GetFullPathName is used instead.  */

#if defined (_WIN32)
  char full[MAX_PATH];
  DWORD full_len = GetFullPathName (filename, MAX_PATH, full, NULL);

  /* The file system is case-insensitive but case-preserving, so the
     result is returned with its original casing intact.  A failure
     (full_len == 0) or a path that did not fit (full_len >= MAX_PATH)
     falls through to the plain copy below, i.e. such a path is handed
     back uncanonicalized.  */
  if (full_len > 0 && full_len < MAX_PATH)
    return make_unique_xstrdup (full);
#else
  gdb::unique_xmalloc_ptr<char> canonical (canonicalize_file_name (filename));
  if (canonical != nullptr)
    return canonical;
#endif

  /* Nothing better is available: hand back a copy of FILENAME as is.  */
  return make_unique_xstrdup (filename);
}
/* See common/pathstuff.h. */
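gdb::unique_xmalloc_ptr<char>
gdb_realpath_keepfile (const char *filename)
{
  /* Canonicalize the directory part of FILENAME while leaving its last
     component (the file name itself) untouched.  Returns a freshly
     allocated string.  */
  const char *base_name = lbasename (filename);

  /* No directory prefix: nothing to canonicalize, return a copy.  */
  if (base_name == filename)
    return make_unique_xstrdup (filename);

  /* The directory prefix, trailing separator included.  A std::string
     replaces the original alloca so that an unusually long FILENAME
     (objfile names are not length-limited here) cannot grow the stack
     without bound.  */
  std::string dir_name (filename, base_name - filename);

#ifdef HAVE_DOS_BASED_FILE_SYSTEM
  /* 'd:foo' means d:./foo, which is not d:/foo; make the "current
     directory on drive d" explicit before canonicalizing.  The cast
     keeps isalpha off negative char values.  */
  if (dir_name.size () == 2
      && isalpha ((unsigned char) dir_name[0])
      && dir_name[1] == ':')
    dir_name += '.';
#endif

  /* Canonicalize the directory and reattach the file name, avoiding a
     doubled separator when the canonical directory already ends in
     one.  The length guard keeps an empty result from indexing
     real_path[-1] -- the same out-of-bounds pattern fixed in
     child_path; gdb_realpath should never return "" for a non-empty
     input, so this is defensive.  */
  gdb::unique_xmalloc_ptr<char> path_storage
    = gdb_realpath (dir_name.c_str ());
  const char *real_path = path_storage.get ();
  size_t real_len = strlen (real_path);

  char *result;
  if (real_len > 0 && IS_DIR_SEPARATOR (real_path[real_len - 1]))
    result = concat (real_path, base_name, (char *) NULL);
  else
    result = concat (real_path, SLASH_STRING, base_name, (char *) NULL);

  return gdb::unique_xmalloc_ptr<char> (result);
}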
/* See common/pathstuff.h. */
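gdb::unique_xmalloc_ptr<char>
gdb_abspath (const char *path)
{
  /* Turn PATH into an absolute path (freshly allocated).  PATH must be
     non-NULL and non-empty; that is a caller contract, enforced here
     with gdb_assert, not a recoverable error.  */
  gdb_assert (path != NULL && path[0] != '\0');

  /* "~/..." and "~user/..." are resolved by the tilde expander.  */
  if (path[0] == '~')
    return gdb_tilde_expand_up (path);

  /* Already absolute: just copy it.  */
  if (IS_ABSOLUTE_PATH (path))
    return make_unique_xstrdup (path);

  /* Relative: anchor it at CURRENT_DIRECTORY, inserting a separator
     only when the directory does not already end in one ("Beware the
     // my son, the Emacs barfs, the botch that catch...").

     The length check keeps an empty CURRENT_DIRECTORY from indexing
     current_directory[-1], the same out-of-bounds read that was fixed
     in child_path.  The global is presumably never empty once gdb has
     started up -- TODO confirm against where it is set.  */
  size_t cwd_len = strlen (current_directory);
  const char *sep
    = (cwd_len > 0 && IS_DIR_SEPARATOR (current_directory[cwd_len - 1]))
      ? "" : SLASH_STRING;

  return gdb::unique_xmalloc_ptr<char>
    (concat (current_directory, sep, path, (char *) NULL));
}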
/* See common/pathstuff.h. */
const char *
child_path (const char *parent, const char *child)
{
  /* If CHILD names something strictly below the directory PARENT,
     return a pointer into CHILD at its first component past PARENT;
     otherwise return NULL.  Both arguments are plain strings -- no
     file system access is made.  */
  size_t parent_len = strlen (parent);

  /* CHILD must begin with PARENT.  With parent_len == 0 (an empty
     sysroot is currently represented as "") this trivially succeeds
     and every CHILD is a candidate.  */
  if (filename_ncmp (parent, child, parent_len) != 0)
    return NULL;

  /* filename_ncmp returning zero guarantees CHILD holds at least
     parent_len characters, so REST is in bounds (it may point at the
     terminating nul).  */
  const char *rest = child + parent_len;

  /* Only index PARENT when it is non-empty: parent[parent_len - 1] with
     parent_len == 0 is parent[-1], the heap-buffer-overflow of
     PR gdb/24617.  */
  bool parent_is_dir
    = parent_len > 0 && IS_DIR_SEPARATOR (parent[parent_len - 1]);

  if (!parent_is_dir)
    {
      /* PARENT lacks a trailing separator, so CHILD must supply one
         right after the common prefix.  When CHILD equals PARENT,
         *rest is '\0' and this test rejects it.  */
      if (!IS_DIR_SEPARATOR (*rest))
        return NULL;
      rest++;
    }

  /* Skip any run of separators; the first other character starts the
     component below PARENT.  Reaching the end means CHILD is PARENT
     itself (possibly with trailing separators), not a proper child.  */
  for (; *rest != '\0'; rest++)
    if (!IS_DIR_SEPARATOR (*rest))
      return rest;

  return NULL;
}
/* See common/pathstuff.h. */
bool
contains_dir_separator (const char *path)
{
  /* True iff PATH contains at least one directory separator, as
     defined by IS_DIR_SEPARATOR for this host.  */
  for (const char *p = path; *p != '\0'; ++p)
    if (IS_DIR_SEPARATOR (*p))
      return true;

  return false;
}
/* See common/pathstuff.h. */
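std::string
get_standard_cache_dir ()
{
  /* Return the directory under which gdb keeps its cache, or an empty
     string when none can be determined.  The location is taken from
     the environment (XDG_CACHE_HOME, then HOME), so it is exactly as
     trustworthy as the process environment -- nothing here validates
     that the directory exists or is private to the user.  */
#ifdef __APPLE__
#define HOME_CACHE_DIR "Library/Caches"
#else
#define HOME_CACHE_DIR ".cache"
#endif

#ifndef __APPLE__
  /* Per the XDG base-directory convention an empty XDG_CACHE_HOME is
     the same as unset.  Passing "" through would also trip the
     non-empty gdb_assert in gdb_abspath, turning a harmless
     environment quirk into an internal error.  */
  const char *xdg_cache_home = getenv ("XDG_CACHE_HOME");
  if (xdg_cache_home != NULL && *xdg_cache_home != '\0')
    {
      /* Make the path absolute and tilde-expanded.  */
      gdb::unique_xmalloc_ptr<char> abs (gdb_abspath (xdg_cache_home));
      return string_printf ("%s/gdb", abs.get ());
    }
#endif

  /* Same treatment for HOME: empty counts as unset.  */
  const char *home = getenv ("HOME");
  if (home != NULL && *home != '\0')
    {
      gdb::unique_xmalloc_ptr<char> abs (gdb_abspath (home));
      return string_printf ("%s/" HOME_CACHE_DIR "/gdb", abs.get ());
    }

  return {};
}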
/* See common/pathstuff.h. */
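std::string
get_standard_temp_dir ()
{
  /* Return the directory in which temporary files should be created.
     The value comes from the environment and is returned unvalidated;
     callers creating files there should use mkstemp-style APIs rather
     than trusting the name.  An empty variable is treated as unset,
     matching the usual TMPDIR convention, instead of yielding "" as a
     directory (which would make "<dir>/name" resolve to the root).  */
#ifdef WIN32
  /* TMP takes precedence over TEMP.  */
  const char *tmp = getenv ("TMP");
  if (tmp != nullptr && *tmp != '\0')
    return tmp;

  tmp = getenv ("TEMP");
  if (tmp != nullptr && *tmp != '\0')
    return tmp;

  error (_("Couldn't find temp dir path, both TMP and TEMP are unset."));
#else
  const char *tmp = getenv ("TMPDIR");
  if (tmp != nullptr && *tmp != '\0')
    return tmp;

  /* World-writable shared directory; see the note above about using
     mkstemp-style creation.  */
  return "/tmp";
#endif
}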
/* See common/pathstuff.h. */
const char *
|
|
get_shell ()
|
|
{
|
|
const char *ret = getenv ("SHELL");
|
|
if (ret == NULL)
|
|
ret = "/bin/sh";
|
|
|
|
return ret;
|
|
}
/* See common/pathstuff.h. */
gdb::char_vector
make_temp_filename (const std::string &f)
{
  /* Build the nul-terminated template "F-XXXXXX" in a char_vector, the
     six X's being the placeholder that mkstemp-style functions fill in.
     The buffer is sized exactly: F, the 7-byte suffix and the nul.  */
  static const char suffix[] = "-XXXXXX";
  gdb::char_vector buf (f.size () + sizeof (suffix));

  memcpy (buf.data (), f.data (), f.size ());
  /* sizeof (suffix) includes the terminating nul, so this also
     terminates the string.  */
  memcpy (buf.data () + f.size (), suffix, sizeof (suffix));

  return buf;
}