Fix bug in arm_push_dummy_call by -fsanitize=address

When I build GDB with -fsanitize=address, and run testsuite, some gdb.base/*.exp test triggers the ERROR below, ================================================================= ==7646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000242810 at pc 0x487844 bp 0x7fffe32e84e0 sp 0x7fffe32e84d8 READ of size 4 at 0x603000242810 thread T0 #0 0x487843 in push_stack_item /home/yao/SourceCode/gnu/gdb/git/gdb/arm-tdep.c:3405 #1 0x48998a in arm_push_dummy_call /home/yao/SourceCode/gnu/gdb/git/gdb/arm-tdep.c:3960 In that path, GDB passes value on stack, in an INT_REGISTER_SIZE slot, but the value contents' length can be less than INT_REGISTER_SIZE, so the contents will be accessed out of the bound. This patch adds an array buf[INT_REGISTER_SIZE], and copy val to buf before writing them to stack. gdb: 2015-11-16 Yao Qi <[email protected]> * arm-tdep.c (arm_push_dummy_call): New array buf. Store regval to buf. Pass buf instead of val to push_stack_item.
riscvarchive · Nov 16, 2015 · ef9bd0b · ef9bd0b
1 parent 3940d2c
commit ef9bd0b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/gdb/ChangeLog b/gdb/ChangeLog
@@ -1,3 +1,8 @@
+2015-11-16  Yao Qi  <[email protected]>
+
+	* arm-tdep.c (arm_push_dummy_call): New array buf.  Store regval
+	to buf.  Pass buf instead of val to push_stack_item.
+
 2015-11-13  Yao Qi  <[email protected]>
 
 	PR tdep/19051

diff --git a/gdb/arm-tdep.c b/gdb/arm-tdep.c
@@ -3925,13 +3925,13 @@ arm_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
       while (len > 0)
 	{
 	  int partial_len = len < INT_REGISTER_SIZE ? len : INT_REGISTER_SIZE;
+	  CORE_ADDR regval
+	    = extract_unsigned_integer (val, partial_len, byte_order);
 
 	  if (may_use_core_reg && argreg <= ARM_LAST_ARG_REGNUM)
 	    {
 	      /* The argument is being passed in a general purpose
 		 register.  */
-	      CORE_ADDR regval
-		= extract_unsigned_integer (val, partial_len, byte_order);
 	      if (byte_order == BFD_ENDIAN_BIG)
 		regval <<= (INT_REGISTER_SIZE - partial_len) * 8;
 	      if (arm_debug)
@@ -3945,11 +3945,16 @@ arm_push_dummy_call (struct gdbarch *gdbarch, struct value *function,
 	    }
 	  else
 	    {
+	      gdb_byte buf[INT_REGISTER_SIZE];
+
+	      memset (buf, 0, sizeof (buf));
+	      store_unsigned_integer (buf, partial_len, byte_order, regval);
+
 	      /* Push the arguments onto the stack.  */
 	      if (arm_debug)
 		fprintf_unfiltered (gdb_stdlog, "arg %d @ sp + %d\n",
 				    argnum, nstack);
-	      si = push_stack_item (si, val, INT_REGISTER_SIZE);
+	      si = push_stack_item (si, buf, INT_REGISTER_SIZE);
 	      nstack += INT_REGISTER_SIZE;
 	    }