[PATCH] D42828: Fix for read-past-end-of-array buglet in ProcessElfCore.cpp while reading linux notes

Jason Molenda via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Thu Feb 1 16:23:14 PST 2018


jasonmolenda created this revision.
jasonmolenda added a reviewer: labath.
jasonmolenda added a project: LLDB.
Herald added a subscriber: llvm-commits.

I caught this while running the testsuite against lldb built with address sanitizer (ASAN) enabled - it found one problem when running the TestLinuxCore.py test.  The ELFLinuxPrPsInfo structure has two fixed width strings in it, pr_fname (16 chars) and pr_psargs (80 chars).  They are not required to be nul (\0) terminated, and in the case of ppc64le, pr_fname is not -

(lldb) p prpsinfo
(ELFLinuxPrPsInfo) $1 = {

  pr_fname = {
    [0] = 'l'
    [1] = 'i'
    [2] = 'n'
    [3] = 'u'
    [4] = 'x'
    [5] = '-'
    [6] = 'p'
    [7] = 'p'
    [8] = 'c'
    [9] = '6'
    [10] = '4'
    [11] = 'l'
    [12] = 'e'
    [13] = '.'
    [14] = 'o'
    [15] = 'u'
  }

When we copy this into a std::string,

thread_data.name = prpsinfo.pr_fname;

the read goes off the end of the array.  It goes into the next element on the structure, pr_psargs, so it's unlikely to crash, but it's an easy one to fix so I think we should.

TestLinuxCore.py's do_test() could also get passed in the expected thread name and verify that it was set correctly; that would have caught this without using ASAN.  But given that ASAN did catch it, I'm pretty happy with it as-is.


Repository:
  rL LLVM

https://reviews.llvm.org/D42828

Files:
  source/Plugins/Process/elf-core/ProcessElfCore.cpp


Index: source/Plugins/Process/elf-core/ProcessElfCore.cpp
===================================================================
--- source/Plugins/Process/elf-core/ProcessElfCore.cpp
+++ source/Plugins/Process/elf-core/ProcessElfCore.cpp
@@ -665,7 +665,7 @@
       Status status = prpsinfo.Parse(note.data, arch);
       if (status.Fail())
         return status.ToError();
-      thread_data.name = prpsinfo.pr_fname;
+      thread_data.name.assign (prpsinfo.pr_fname, sizeof (prpsinfo.pr_fname));
       SetID(prpsinfo.pr_pid);
       break;
     }
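Review bot: the new `assign (prpsinfo.pr_fname, sizeof (prpsinfo.pr_fname))` stops the over-read but copies all 16 bytes unconditionally, so a pr_fname shorter than the field (the NUL-padded case) yields a thread name with embedded trailing '\0' bytes. Bounding the length with `strnlen(prpsinfo.pr_fname, sizeof(prpsinfo.pr_fname))` keeps the fix and drops the padding. Also, the spaces before the parentheses in `assign (` and `sizeof (` do not match the surrounding lines (`prpsinfo.Parse(note.data, arch)`, `SetID(prpsinfo.pr_pid)`), so clang-format will want them removed.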

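A self-contained illustration of the overrun described above and of the bounded copy, added here as an example and not taken from the patch or from LLDB: the struct is a constructed stand-in holding only the two fields named in the mail, and the helper names are assumptions.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed stand-in for the two fixed-width fields of ELFLinuxPrPsInfo.
// Assumption: pr_fname directly precedes pr_psargs, as in the real struct;
// neither field is required to be NUL-terminated.
struct PrPsInfoFields {
  char pr_fname[16];
  char pr_psargs[80];
};

// Length of a fixed-width field: stops at the first NUL or at `size`,
// whichever comes first (same contract as strnlen, spelled with memchr).
size_t FieldLen(const char *field, size_t size) {
  const void *nul = memchr(field, '\0', size);
  return nul ? static_cast<size_t>(static_cast<const char *>(nul) - field)
             : size;
}

// How far the pre-patch `thread_data.name = prpsinfo.pr_fname;` scans:
// std::string's const char* constructor calls strlen, which keeps reading
// until it meets a NUL. Scanning the whole object through a char pointer
// keeps this demonstration well-defined while showing the same overrun.
size_t UnboundedScanLen(const PrPsInfoFields &info) {
  return FieldLen(info.pr_fname, sizeof(info));
}

// Bounded form: capped at the field size and at the first NUL, so a full
// 16-char name is taken whole and a short name carries no trailing NULs.
std::string ThreadNameBounded(const PrPsInfoFields &info) {
  return std::string(info.pr_fname,
                     FieldLen(info.pr_fname, sizeof(info.pr_fname)));
}

// Build a sample like the ppc64le core in the mail: strncpy leaves no
// terminator when the name fills all 16 bytes, and pr_psargs follows it.
PrPsInfoFields MakeSample(const char *fname, const char *psargs) {
  PrPsInfoFields info;
  memset(&info, 0, sizeof(info));
  strncpy(info.pr_fname, fname, sizeof(info.pr_fname));
  strncpy(info.pr_psargs, psargs, sizeof(info.pr_psargs));
  return info;
}
```

With the 16-character name the unbounded scan runs 25 bytes, i.e. straight through pr_fname into "a.out arg" in pr_psargs, while the bounded copy returns exactly "linux-ppc64le.ou".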
