File gdb-fix-buf-overflow.diff of Package gdb.5469

Overview Repositories Revisions Requests Users Attributes Meta

File gdb-fix-buf-overflow.diff of Package gdb.5469

As comment explain, horror hack.  The symptom is that gdb
itself segfault when the moon is right (Factory at 2016-02-29,
on my machine), with gdb.base/call-sc (call-sc-tld variant,
i.e. long double), when checking the -m32 executables with
a host-x86-64 gdb.
The buffer overflow that valgrind sees actually clobbers a different
buffer so that glibc aborts in an unrelated free.

valgrind report:

==3167== Invalid write of size 8
==3167==    at 0x74489B: memcpy (string3.h:53)
==3167==    by 0x74489B: floatformat_from_doublest (doublest.c:747)
==3167==    by 0x744CA2: store_typed_floating (doublest.c:854)
==3167==    by 0x60E6E3: value_from_double (value.c:3702)
==3167==    by 0x61C2D6: value_cast (valops.c:466)
==3167==    by 0x6476D7: value_arg_coerce (infcall.c:228)
==3167==    by 0x6476D7: call_function_by_hand_dummy (infcall.c:951)
==3167==    by 0x614EC6: evaluate_subexp_standard (eval.c:2066)
==3167==    by 0x70813E: evaluate_subexp_c (c-lang.c:716)
==3167==    by 0x6108CC: evaluate_expression (eval.c:163)
==3167==    by 0x62950A: print_command_1 (printcmd.c:1012)
==3167==    by 0x737E75: execute_command (top.c:475)
==3167==    by 0x67037B: command_handler (event-top.c:496)
==3167==    by 0x670A36: command_line_handler (event-top.c:695)
==3167==  Address 0x83a6e68 is 8 bytes inside a block of size 12 alloc'd
==3167==    at 0x4C2C135: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3167==    by 0x766B10: xcalloc (common-utils.c:83)
==3167==    by 0x60B27B: allocate_value_contents.isra.4 (value.c:1043)
==3167==    by 0x60E6B0: allocate_value (value.c:1054)
==3167==    by 0x60E6B0: value_from_double (value.c:3696)
==3167==    by 0x61C2D6: value_cast (valops.c:466)
==3167==    by 0x6476D7: value_arg_coerce (infcall.c:228)
==3167==    by 0x6476D7: call_function_by_hand_dummy (infcall.c:951)
==3167==    by 0x614EC6: evaluate_subexp_standard (eval.c:2066)
==3167==    by 0x70813E: evaluate_subexp_c (c-lang.c:716)
==3167==    by 0x6108CC: evaluate_expression (eval.c:163)
==3167==    by 0x62950A: print_command_1 (printcmd.c:1012)
==3167==    by 0x737E75: execute_command (top.c:475)
==3167==    by 0x67037B: command_handler (event-top.c:496)

Index: gdb-7.11/gdb/common/common-utils.c
===================================================================
--- gdb-7.11.orig/gdb/common/common-utils.c	2016-02-10 04:19:39.000000000 +0100
+++ gdb-7.11/gdb/common/common-utils.c	2016-02-29 22:24:26.000000000 +0100
@@ -90,6 +90,9 @@ xcalloc (size_t number, size_t size)
 void *
 xzalloc (size_t size)
 {
+  /* HACK: Round up to 8 bytes, fixes a problem with buffers of long double on
+     32 bit (12 bytes) when filled from a 64 bit gdb (16 bytes).  Ugh.  */
+  size = (size + 7) & ~(size_t)7;
   return xcalloc (1, size);
 }

Places

File gdb-fix-buf-overflow.diff of Package gdb.5469

Places