From waddlesplash <waddlesplash@xxxxxxxxx>:
waddlesplash has uploaded this change for review. ( https://review.haiku-os.org/579 )
Change subject: demangle/gcc2: Do not trust inputs.
......................................................................
demangle/gcc2: Do not trust inputs.

We do not know anything about the symbols we are being asked to demangle;
it is entirely possible they are malformed, or that we parse them incorrectly,
which previously led to buffer overflows. E.g. the "2","8" in
"SetTo__Q28_GLOBAL_" is presently incorrectly parsed as a length, leading to
an access 21 bytes past the end of the string.

This caused a page fault under the guarded heap, a fact I had the misfortune
to discover when trying to attach Debugger to a guarded-heap'd application
which somehow ran the demangler under the guarded heap also, and that symbol
above was in runtime_loader, so it crashed while loading its symbols.

So now we do what the GCC3+ demangler does here, and keep track of the input
buffer through the use of a state class, which will prevent us from incrementing
past the buffer's end.

I've tested this patch using the new haikuc++filt utility against libtracker
(indeed, it took multiple rounds of testing to get the diff to be 0 bytes)
and it seems to work exactly as before, though now without out-of-bounds
accesses.

As this demangler is also used in the kernel, it's possible that some
triple-faults on x86_gcc2[h] are caused by this bug (although that would
be rare; one of the incorrectly-parsed symbols would have to be in the
stack trace, and then it would have to read past the end of the buffer
containing the symbol.)
---
M src/add-ons/kernel/debugger/demangle/gcc2.cpp
1 file changed, 160 insertions(+), 93 deletions(-)
git pull ssh://git.haiku-os.org/haiku refs/changes/79/579/1
--
To view, visit https://review.haiku-os.org/579
Gerrit-Project: haiku
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I343991cebd7d2887812c8c6b3dc2e0df2fcd79fa
Gerrit-Change-Number: 579
Gerrit-PatchSet: 1
Gerrit-Owner: waddlesplash <waddlesplash@xxxxxxxxx>
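The failure mode the change describes (a length-prefixed name whose claimed length exceeds the bytes actually left in the symbol) and the fix (a state object that tracks the input buffer and refuses to advance past its end) can be shown in isolation. The following is an added example written for this review and is not the patch's code nor Haiku's demangler: `BoundedInput`, `ParseLength`, `ParseNameAtOffset` and `NaiveEndOffset` are hypothetical names, the cursor and the length-prefix handling are simplified stand-ins for the real gcc2 grammar, and the only input is the symbol quoted in the commit message. It shows where an unbounded parser would end up after reading "28" as a length, and how the bounded cursor rejects that read while still accepting the correct 8-byte "_GLOBAL_" component.

```cpp
#include <cctype>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

// Hypothetical bounded cursor over a symbol (stand-in for a state class that
// owns the input pointer and its length). Every advance is checked against
// the remaining byte count, so the cursor can never point past the end.
class BoundedInput {
public:
    BoundedInput(const char* data, size_t length)
        : fData(data), fLength(length), fPos(0) {}

    size_t Remaining() const { return fLength - fPos; }
    bool AtEnd() const { return fPos >= fLength; }
    size_t Position() const { return fPos; }
    const char* Current() const { return fData + fPos; }

    // Returns -1 instead of reading the byte after the buffer.
    int Peek() const { return AtEnd() ? -1 : (unsigned char)fData[fPos]; }

    // Refuses to move beyond the end; the caller must check the result.
    bool Skip(size_t count) {
        if (count > Remaining())
            return false;
        fPos += count;
        return true;
    }

private:
    const char* fData;
    size_t fLength;
    size_t fPos;
};

// Reads a run of decimal digits as a length. Fails on no digits or on
// overflow; both are treated as malformed input rather than trusted.
bool ParseLength(BoundedInput& in, size_t& length) {
    if (!isdigit(in.Peek()))
        return false;
    size_t value = 0;
    while (isdigit(in.Peek())) {
        size_t digit = (size_t)(in.Peek() - '0');
        if (value > (SIZE_MAX - digit) / 10)
            return false;  // would overflow size_t
        value = value * 10 + digit;
        in.Skip(1);        // cannot fail: Peek() saw a byte here
    }
    length = value;
    return true;
}

// Bounded read of "<len><chars>" starting at the given offset. Returns an
// empty string if the length is malformed or exceeds the remaining input,
// which is exactly the case the unbounded code read straight through.
std::string ParseNameAtOffset(const char* symbol, size_t offset) {
    BoundedInput in(symbol, strlen(symbol));
    if (!in.Skip(offset))
        return "";
    size_t length;
    if (!ParseLength(in, length))
        return "";
    if (length > in.Remaining())
        return "";                 // claimed length runs past the buffer
    std::string name(in.Current(), length);
    in.Skip(length);
    return name;
}

// Where an unbounded parser would stop after trusting the parsed length:
// digits consumed, then `length` more bytes, with no comparison against
// the buffer size. Only computes the offset; it never reads there.
size_t NaiveEndOffset(const char* symbol, size_t offset) {
    BoundedInput in(symbol, strlen(symbol));
    in.Skip(offset);
    size_t length = 0;
    ParseLength(in, length);
    return in.Position() + length;
}

// The symbol quoted in the commit message (18 bytes).
static const char* const kSymbol = "SetTo__Q28_GLOBAL_";

int main() {
    // Misparse: treating "28" (offset 8) as one length.
    std::cout << "naive end offset: " << NaiveEndOffset(kSymbol, 8)
              << " of " << strlen(kSymbol) << " bytes\n";
    std::cout << "bounded read at 8: '" << ParseNameAtOffset(kSymbol, 8) << "'\n";
    // Correct component: "8" at offset 9 is the length of "_GLOBAL_".
    std::cout << "bounded read at 9: '" << ParseNameAtOffset(kSymbol, 9) << "'\n";
    return 0;
}
```

The point of `Peek()` returning -1 at the end is that every loop in the parser terminates on exhausted input instead of on a byte that happens to lie past the allocation; with a guarded heap that byte is an unmapped page, which is the page fault the commit message describes.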