Mailing List Archive

[Bug 3085] seccomp issue after upgrading openssl

Ahmed Sayeed <> changed:


--- Comment #33 from Ahmed Sayeed <> ---
gdb: fix value_subscript when array upper bound is not known

Since commit 7c6f27129631 ("gdb: make get_discrete_bounds check for non-constant range bounds"), subscripting flexible array member

struct no_size {
    int n;
    int items[];
};
(gdb) p *ns
$1 = {n = 3, items = 0x5555555592a4}
(gdb) p ns->items[0]
Cannot access memory at address 0xfffe555b733a0164
(gdb) p *((int *) 0x5555555592a4)
$2 = 101 <--- we would expect that
(gdb) p &ns->items[0]
$3 = (int *) 0xfffe5559ee829a24 <--- wrong address

Since the flexible array member (items) has an unspecified size, the array type created for it in the DWARF doesn't have dimensions (this is with gcc 9.3.0, Ubuntu 20.04):
0x000000a4:   DW_TAG_array_type
                DW_AT_type      [DW_FORM_ref4]  (0x00000038)
                DW_AT_sibling   [DW_FORM_ref4]  (0x000000b3)

0x000000ad:     DW_TAG_subrange_type
                  DW_AT_type    [DW_FORM_ref4]  (0x00000031 "long unsigned int")
This causes GDB to create a range type (TYPE_CODE_RANGE) with a constant low bound (dynamic_prop with kind PROP_CONST) and a high bound (dynamic_prop with kind PROP_UNDEFINED).

value_subscript gets both bounds of that range using get_discrete_bounds. Before commit 7c6f27129631, didn't check the kind of the dynamic_props and would just blindly them as if they were PROP_CONST. It would return 0 for the high bound, because we zero-initialize the range_bounds structure. And it really matter in this case, because the returned high bound wasn't in the end.
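As an added example (not from the bug comment and not gdb's own source), here is the struct from the session together with a small model of the bounds handling the comment describes: a range whose low bound is PROP_CONST and whose high bound is PROP_UNDEFINED must not have that undefined bound treated as the constant 0 left by zero-initialisation. The names subscript_address and check_flexible_array_subscript, the simplified dynamic_prop/range_bounds layouts, and the sample data are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
/* The struct from the gdb session: the flexible array member gets a
 * DWARF array type whose subrange carries no upper bound. */
struct no_size {
    int n;
    int items[];
};

/* Minimal model of gdb's dynamic_prop / range_bounds (names from the
 * bug comment; the layout is a simplification, not gdb's real one). */
enum prop_kind { PROP_UNDEFINED = 0, PROP_CONST };
struct dynamic_prop { enum prop_kind kind; long value; };
struct range_bounds { struct dynamic_prop low, high; };

/* Address of element `index` of an array at `base`. An undefined high
 * bound means "no upper bound known": the check is skipped instead of
 * comparing against the 0 a zero-initialised range_bounds holds. */
void *subscript_address(void *base, size_t elem_size,
                        const struct range_bounds *r, long index)
{
    long low = (r->low.kind == PROP_CONST) ? r->low.value : 0;
    if (index < low)
        return NULL;                      /* below a known low bound */
    if (r->high.kind == PROP_CONST && index > r->high.value)
        return NULL;                      /* above a known high bound */
    return (char *)base + (size_t)(index - low) * elem_size;
}

/* Constructed sample matching the session: n = 3, items[0] = 101.
 * Returns 1 when items[0] resolves to the right address and value and a
 * known bound is still enforced, 0 otherwise. */
int check_flexible_array_subscript(void)
{
    struct no_size *ns = malloc(sizeof *ns + 3 * sizeof ns->items[0]);
    if (ns == NULL) return 0;
    ns->n = 3;
    ns->items[0] = 101; ns->items[1] = 102; ns->items[2] = 103;
    struct range_bounds flex = {0};       /* zero-initialised, like gdb */
    flex.low.kind = PROP_CONST;           /* low = 0, high stays UNDEFINED */
    int *p0 = subscript_address(ns->items, sizeof(int), &flex, 0);
    int *p2 = subscript_address(ns->items, sizeof(int), &flex, 2);
    struct range_bounds fixed = {{PROP_CONST, 0}, {PROP_CONST, 1}};
    void *oob = subscript_address(ns->items, sizeof(int), &fixed, 2);
    int ok = p0 == &ns->items[0] && *p0 == 101 && *p2 == 103 && oob == NULL;
    free(ns);
    return ok;
}
```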

openssh-bugs mailing list