[Lldb-commits] [lldb] ee47699 - [LLDB] Fix buffer overflow problem in DWARFExpression::Evaluate.

Caroline Tice via lldb-commits lldb-commits at lists.llvm.org
Wed Jun 28 11:48:25 PDT 2023


Author: Caroline Tice
Date: 2023-06-28T11:46:55-07:00
New Revision: ee476996bec7f170928505a4c5b7715183cfbada

URL: https://github.com/llvm/llvm-project/commit/ee476996bec7f170928505a4c5b7715183cfbada
DIFF: https://github.com/llvm/llvm-project/commit/ee476996bec7f170928505a4c5b7715183cfbada.diff

LOG: [LLDB] Fix buffer overflow problem in DWARFExpression::Evaluate.

In two calls to ReadMemory in DWARFExpression.cpp, the buffer size
passed to ReadMemory is not actually the size of the buffer (I suspect
a copy/paste error where the variable name was not properly
updated). This caused a buffer overflow bug, which we found through
Address Sanitizer.  This patch fixes the problem by passing the
correct buffer size to the calls to ReadMemory (and to the
DataExtractor).

Differential Revision: https://reviews.llvm.org/D153840

Added: 
    

Modified: 
    lldb/source/Expression/DWARFExpression.cpp

Removed: 
    


################################################################################
diff  --git a/lldb/source/Expression/DWARFExpression.cpp b/lldb/source/Expression/DWARFExpression.cpp
index 9232282d81353..5f71a12456972 100644
--- a/lldb/source/Expression/DWARFExpression.cpp
+++ b/lldb/source/Expression/DWARFExpression.cpp
@@ -1138,15 +1138,16 @@ bool DWARFExpression::Evaluate(
 
         if (load_addr == LLDB_INVALID_ADDRESS && so_addr.IsSectionOffset()) {
           uint8_t addr_bytes[8];
+          size_t buf_size = sizeof(addr_bytes);
           Status error;
 
           if (target &&
-              target->ReadMemory(so_addr, &addr_bytes, size, error,
-                                 /*force_live_memory=*/false) == size) {
+              target->ReadMemory(so_addr, &addr_bytes, buf_size, error,
+                                 /*force_live_memory=*/false) == buf_size) {
             ObjectFile *objfile = module_sp->GetObjectFile();
 
             stack.back().GetScalar() = DerefSizeExtractDataHelper(
-                addr_bytes, size, objfile->GetByteOrder(), size);
+                addr_bytes, size, objfile->GetByteOrder(), buf_size);
             stack.back().ClearContext();
             break;
           } else {
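Review bot: the ReadMemory length is now bounded by the buffer, but the DerefSizeExtractDataHelper call in this hunk still passes `size` as its second argument, whereas the second hunk passes `sizeof(addr_bytes)` in that position; if that parameter is the length of `addr_bytes`, a `size` larger than 8 can still make the extractor read past the buffer at this site, so it should be `buf_size` here too (`addr_bytes, buf_size, objfile->GetByteOrder(), ...`). `size` is not assigned anywhere in the hunk; if it comes from the expression being evaluated rather than from something the debugger controls, it would also be safer to reject `size > sizeof(addr_bytes)` with an error before the read, instead of silently reading a fixed 8 bytes whatever width was requested.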
@@ -1170,13 +1171,13 @@ bool DWARFExpression::Evaluate(
             lldb::addr_t pointer_addr =
                 stack.back().GetScalar().ULongLong(LLDB_INVALID_ADDRESS);
             uint8_t addr_bytes[sizeof(lldb::addr_t)];
+            size_t buf_size = sizeof(addr_bytes);
             Status error;
-            if (process->ReadMemory(pointer_addr, &addr_bytes, size, error) ==
-                size) {
-
+            if (process->ReadMemory(pointer_addr, &addr_bytes, buf_size, error)
+                == buf_size) {
               stack.back().GetScalar() =
                   DerefSizeExtractDataHelper(addr_bytes, sizeof(addr_bytes),
-                                             process->GetByteOrder(), size);
+                                             process->GetByteOrder(), buf_size);
               stack.back().ClearContext();
             } else {
               if (error_ptr)
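Review bot: after this change the helper call passes the same value twice, `sizeof(addr_bytes)` as the second argument and `buf_size` (which is `sizeof(addr_bytes)`) as the fourth, where the removed line passed `size` as the fourth. If that fourth parameter is the number of bytes to extract rather than the buffer length, every dereference at this site now produces a full 8-byte value regardless of the requested `size`; please confirm that is intended, or keep `size` there and guard it against exceeding `buf_size` before the ReadMemory. Minor style: clang-format in LLVM style keeps the binary operator at the end of the line (`... error) ==` then `buf_size) {`) rather than starting the continuation with `== buf_size`.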

