[Bug 3085] seccomp issue after upgrading openssl

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Oct 14 01:40:38 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3085

Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ahmedsayeed1982 at yahoo.com

--- Comment #33 from Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> ---
gdb: fix value_subscript when array upper bound is not known

    Since commit 7c6f27129631 ("gdb: make get_discrete_bounds check for
    non-constant range bounds"), subscripting flexible array member fails:

        struct no_size
        {
          int n;
          int items[];
        };

        (gdb) p *ns
        $1 = {n = 3, items = 0x5555555592a4}
        (gdb) p ns->items[0]
        Cannot access memory at address 0xfffe555b733a0164
        (gdb) p *((int *) 0x5555555592a4)
        $2 = 101  <--- we would expect that
        (gdb) p &ns->items[0]
        $3 = (int *) 0xfffe5559ee829a24  <--- wrong address

    Since the flexible array member (items) has an unspecified size, the array type
    created for it in the DWARF doesn't have dimensions (this is with gcc 9.3.0,
    Ubuntu 20.04):

        0x000000a4:   DW_TAG_array_type
                        DW_AT_type [DW_FORM_ref4]       (0x00000038 "int")
                        DW_AT_sibling [DW_FORM_ref4]    (0x000000b3)

        0x000000ad:     DW_TAG_subrange_type
                          DW_AT_type [DW_FORM_ref4]     (0x00000031 "long unsigned int")

    This causes GDB to create a range type (TYPE_CODE_RANGE) with a defined
    constant low bound (dynamic_prop with kind PROP_CONST) and an undefined
    high bound (dynamic_prop with kind PROP_UNDEFINED).

    value_subscript gets both bounds of that range using
    get_discrete_bounds.  Before commit 7c6f27129631, get_discrete_bounds
    didn't check the kind of the dynamic_props and would just blindly read
    them as if they were PROP_CONST.  It would return 0 for the high bound,
    because we zero-initialize the range_bounds structure.  And it didn't
    really matter in this case, because the returned high bound wasn't used
    in the end.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

