PR gdb/15236: gdbserver write to linux memory with zero length corrupts stack
PROBLEM:
The function linux_write_memory () in linux-low.c allocates a buffer
on the stack to hold a copy of the data to be written.
register PTRACE_XFER_TYPE *buffer = (PTRACE_XFER_TYPE *)
alloca (count * sizeof (PTRACE_XFER_TYPE));
"count" is the number of bytes to be written, rounded up to the
nearest multiple of sizeof (PTRACE_XFER_TYPE) and allowing for not
being an aligned address. The function later uses
buffer[0] = ptrace (PTRACE_PEEKTEXT, pid,
(PTRACE_ARG3_TYPE) (uintptr_t) addr, 0);
The problem is that this function can be called to write zero bytes on
an aligned address, for example when receiving an X packet of length 0
(used to test if 8-bit write is supported). Under these circumstances,
count can be zero.
Since in this case, buffer[0] may never have been allocated, the stack
is corrupted and gdbserver may crash.
SOLUTION:
Writing zero bytes should always succeed. The patch below returns
successfully early if the length is zero, so avoiding the stack
corruption.
Verified on the ARC GDB 7.5.1 port.
2013-03-07 Jeremy Bennett <jeremy.bennett@embecosm.com>
PR server/15236
* linux-low.c (linux_write_memory): Return early success if LEN is
zero.
projects / binutils-gdb.git / commit