haraldwolff
/
qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gdbstub: Fix buffer overflows in gdb_handle_packet() 

Some places in gdb_handle_packet() can get an arbitrary length (most
times directly from the client) and either didn't check it at all or
checked against the wrong value, potentially causing buffer overflows.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
stable-2.5
Kevin Wolf 2015-10-13 09:38:50 +02:00 committed by Michael Tokarev
parent 3c15d3a450
commit 5accecb3a6
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
gdbstub.c
View File

@ -956,6 +956,13 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
if (*p == ',')
p++;
len = strtoull(p, NULL, 16);
/* memtohex() doubles the required space */
if (len > MAX_PACKET_LENGTH / 2) {
put_packet (s, "E22");
break;
}
if (target_memory_rw_debug(s->g_cpu, addr, mem_buf, len, false) != 0) {
put_packet (s, "E14");
} else {
@ -970,6 +977,12 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
len = strtoull(p, (char **)&p, 16);
if (*p == ':')
p++;
/* hextomem() reads 2*len bytes */
if (len > strlen(p) / 2) {
put_packet (s, "E22");
break;
}
hextomem(mem_buf, p, len);
if (target_memory_rw_debug(s->g_cpu, addr, mem_buf, len,
true) != 0) {
@ -1107,7 +1120,8 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
cpu = find_cpu(thread);
if (cpu != NULL) {
cpu_synchronize_state(cpu);
len = snprintf((char *)mem_buf, sizeof(mem_buf),
/* memtohex() doubles the required space */
len = snprintf((char *)mem_buf, sizeof(buf) / 2,
"CPU#%d [%s]", cpu->cpu_index,
cpu->halted ? "halted " : "running");
memtohex(buf, mem_buf, len);
@ -1136,8 +1150,8 @@ static int gdb_handle_packet(GDBState *s, const char *line_buf)
put_packet(s, "E01");
break;
}
hextomem(mem_buf, p + 5, len);
len = len / 2;
hextomem(mem_buf, p + 5, len);
mem_buf[len++] = 0;
qemu_chr_be_write(s->mon_chr, mem_buf, len);
put_packet(s, "OK");