gdb/gdb-fix-buf-overflow.diff

56 lines
2.7 KiB

As the comment explains, a horror hack. The symptom is that gdb
itself segfaults when the moon is right (Factory at 2016-02-29,
on my machine), with gdb.base/call-sc (call-sc-tld variant,
i.e. long double), when checking the -m32 executables with
a host-x86-64 gdb.
The buffer overflow that valgrind sees actually clobbers a different
buffer, so that glibc aborts in an unrelated free.
valgrind report:
==3167== Invalid write of size 8
==3167== at 0x74489B: memcpy (string3.h:53)
==3167== by 0x74489B: floatformat_from_doublest (doublest.c:747)
==3167== by 0x744CA2: store_typed_floating (doublest.c:854)
==3167== by 0x60E6E3: value_from_double (value.c:3702)
==3167== by 0x61C2D6: value_cast (valops.c:466)
==3167== by 0x6476D7: value_arg_coerce (infcall.c:228)
==3167== by 0x6476D7: call_function_by_hand_dummy (infcall.c:951)
==3167== by 0x614EC6: evaluate_subexp_standard (eval.c:2066)
==3167== by 0x70813E: evaluate_subexp_c (c-lang.c:716)
==3167== by 0x6108CC: evaluate_expression (eval.c:163)
==3167== by 0x62950A: print_command_1 (printcmd.c:1012)
==3167== by 0x737E75: execute_command (top.c:475)
==3167== by 0x67037B: command_handler (event-top.c:496)
==3167== by 0x670A36: command_line_handler (event-top.c:695)
==3167== Address 0x83a6e68 is 8 bytes inside a block of size 12 alloc'd
==3167== at 0x4C2C135: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3167== by 0x766B10: xcalloc (common-utils.c:83)
==3167== by 0x60B27B: allocate_value_contents.isra.4 (value.c:1043)
==3167== by 0x60E6B0: allocate_value (value.c:1054)
==3167== by 0x60E6B0: value_from_double (value.c:3696)
==3167== by 0x61C2D6: value_cast (valops.c:466)
==3167== by 0x6476D7: value_arg_coerce (infcall.c:228)
==3167== by 0x6476D7: call_function_by_hand_dummy (infcall.c:951)
==3167== by 0x614EC6: evaluate_subexp_standard (eval.c:2066)
==3167== by 0x70813E: evaluate_subexp_c (c-lang.c:716)
==3167== by 0x6108CC: evaluate_expression (eval.c:163)
==3167== by 0x62950A: print_command_1 (printcmd.c:1012)
==3167== by 0x737E75: execute_command (top.c:475)
==3167== by 0x67037B: command_handler (event-top.c:496)
Index: gdb-7.11/gdb/common/common-utils.c
===================================================================
--- gdb-7.11.orig/gdb/common/common-utils.c 2016-02-10 04:19:39.000000000 +0100
+++ gdb-7.11/gdb/common/common-utils.c 2016-02-29 22:24:26.000000000 +0100
@@ -90,6 +90,9 @@ xcalloc (size_t number, size_t size)
void *
xzalloc (size_t size)
{
+ /* HACK: Round up to 8 bytes, fixes a problem with buffers of long double on
+ 32 bit (12 bytes) when filled from a 64 bit gdb (16 bytes). Ugh. */
+ size = (size + 7) & ~(size_t)7;
return xcalloc (1, size);
}
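Review bot: Rounding every xzalloc request up to a multiple of 8 hides the overflow instead of fixing it; the valgrind trace shows the real defect is in floatformat_from_doublest (doublest.c:747), which memcpys the host long double (16 bytes) into value contents sized for the 32-bit target type (12 bytes). The copy should be bounded by the target floatformat's total size, or at minimum the padding should be applied in allocate_value_contents where the buffer is created, rather than changing the allocation size for every xzalloc caller in gdb. As written, the out-of-bounds write still happens (it now lands in padding that the rest of gdb does not know about), so any value contents obtained through another allocator remain exposed, and the change is invisible to anyone reading the floating-point code. If the hack is kept, the comment should at least point at floatformat_from_doublest / store_typed_floating and the 12-vs-16 byte mismatch so the next person can find and remove it; "Ugh." does not tell them where the real bug lives.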