This is a first attempt to reserve more than the sizeof(DWORD).
As far as I can see, the size used in memory_read_value originates from a call to types_get_info(TI_GET_LENGTH).
Therefore I am trying here to use a similar call to get the size for the memory reservation,
and if that fails, falling back to at least sizeof(void*).
CC: @epo
<details> <summary>ASan output from `wine winedbg.exe arp.exe`</summary>
```
$ export ASAN_OPTIONS="halt_on_error=0:allocator_may_return_null=1:strict_memcmp=0:windows_hook_rtl_allocators=1"
$ wine winedbg.exe arp.exe
WineDbg starting on pid 0144
013c:0140:fixme:dbghelp:elf_search_auxv can't find symbol in module
013c:0140:fixme:dbghelp:elf_search_auxv can't find symbol in module
013c:0140:fixme:dbghelp_dwarf:compute_location Only supporting one breg (r15/343 -> r12/340)
013c:0140:fixme:dbghelp_dwarf:dwarf2_fill_in_variant Unexpected base type bt=8 for form=f
013c:0140:fixme:dbghelp_dwarf:dwarf2_parse_variable Unsupported form for const value "pi" (f)
013c:0140:err:dbghelp_msc:codeview_process_info Unknown CODEVIEW signature 00000000 in module L"ntdll"
0x006fffffdc0569 ntdll+0x50569: retq
Wine-dbg>bt
Backtrace:
=>0 0x006fffffdc0569 in ntdll (+0x50569) (0x007ffffe1ffa70)
013c:0140:fixme:dbghelp_dwarf:compute_location Unhandled attr op: 0
  1 0x006fffffd9e1c0 loader_init+0x600(context=<is not available>, entry=<is not available>) [.../wine/dlls/ntdll/loader.c:0] in ntdll (0x007ffffe1ffa70)
=================================================================
==316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7eea4db09d15 at pc 0x6ffffe85a58b bp 0x7ffffe1fa020 sp 0x7ffffe1fa068
READ of size 8 at 0x7eea4db09d15 thread T0
    #0 0x6ffffe85a58a in __asan_memcpy /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt\lib/asan/asan_interceptors_memintrinsics.cpp:63:3
    #1 0x00014002c4c2 in memory_read_value .../wine/programs/winedbg/memory.c:107:13
    #2 0x00014002e48a in memory_fetch_integer .../wine/programs/winedbg/memory.c:314:14
    #3 0x00014002ff00 in print_typed_basic .../wine/programs/winedbg/memory.c
    #4 0x00014002f52d in print_basic .../wine/programs/winedbg/memory.c:687:10
    #5 0x00014004b4df in print_value .../wine/programs/winedbg/types.c:499:9
    #6 0x000140039452 in symbol_print_localvalue .../wine/programs/winedbg/symbol.c:707:9
    #7 0x000140036832 in sym_enum_cb .../wine/programs/winedbg/stack.c:254:9
    #8 0x6ffffac1baee in send_symbol .../wine/dlls/dbghelp/symbol.c:892:13
    #9 0x6ffffac1b760 in symt_enum_locals_helper .../wine/dlls/dbghelp/symbol.c:1194:21
    #10 0x6ffffac1b08f in symt_enum_locals .../wine/dlls/dbghelp/symbol.c:1227:16
    #11 0x6ffffac1abd8 in sym_enum .../wine/dlls/dbghelp/symbol.c:1353:20
    #12 0x6ffffac0f529 in doSymEnumSymbols .../wine/dlls/dbghelp/symbol.c:1419:12
    #13 0x6ffffac0f360 in SymEnumSymbols .../wine/dlls/dbghelp/symbol.c:1450:11
    #14 0x000140036507 in stack_print_addr_and_args .../wine/programs/winedbg/stack.c:290:9
    #15 0x00014003584d in backtrace .../wine/programs/winedbg/stack.c:319:9
    #16 0x000140034fc7 in stack_backtrace .../wine/programs/winedbg/stack.c:450:9
    #17 0x0001400550a7 in dbg_parse .../wine/programs/winedbg/dbg.y
    #18 0x00014005766c in parser_handle .../wine/programs/winedbg/dbg.y:625:4
    #19 0x000140050eff in dbg_start_interactive .../wine/programs/winedbg/winedbg.c:644:5
    #20 0x0001400516b1 in main .../wine/programs/winedbg/winedbg.c:800:5
    #21 0x0001400ed22c in mainCRTStartup .../wine/dlls/msvcrt/crt_main.c:62:11
    #22 0x6fffffc377e0 in BaseThreadInitThunk .../wine/dlls/kernel32/thread.c:61:24
    #23 0x6fffffdc0532 in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x170050532)

0x7eea4db09d15 is located 0 bytes after 5-byte region [0x7eea4db09d10,0x7eea4db09d15)
allocated by thread T0 here:
    #0 0x6ffffe85bc41 in malloc /home/runner/work/llvm-mingw/llvm-mingw/llvm-project/compiler-rt\lib/asan/asan_malloc_win.cpp:80:3
    #1 0x000140057c67 in lexeme_alloc_size .../wine/programs/winedbg/debug.l:48:43
    #2 0x0001400398b8 in fill_sym_lvalue .../wine/programs/winedbg/symbol.c:157:34
    #3 0x000140039436 in symbol_print_localvalue .../wine/programs/winedbg/symbol.c:705:9
    #4 0x000140036832 in sym_enum_cb .../wine/programs/winedbg/stack.c:254:9
    #5 0x6ffffac1baee in send_symbol .../wine/dlls/dbghelp/symbol.c:892:13
    #6 0x6ffffac1b760 in symt_enum_locals_helper .../wine/dlls/dbghelp/symbol.c:1194:21
    #7 0x6ffffac1b08f in symt_enum_locals .../wine/dlls/dbghelp/symbol.c:1227:16
    #8 0x6ffffac1abd8 in sym_enum .../wine/dlls/dbghelp/symbol.c:1353:20
    #9 0x6ffffac0f529 in doSymEnumSymbols .../wine/dlls/dbghelp/symbol.c:1419:12
    #10 0x6ffffac0f360 in SymEnumSymbols .../wine/dlls/dbghelp/symbol.c:1450:11
    #11 0x000140036507 in stack_print_addr_and_args .../wine/programs/winedbg/stack.c:290:9
    #12 0x00014003584d in backtrace .../wine/programs/winedbg/stack.c:319:9
    #13 0x000140034fc7 in stack_backtrace .../wine/programs/winedbg/stack.c:450:9
    #14 0x0001400550a7 in dbg_parse .../wine/programs/winedbg/dbg.y
    #15 0x00014005766c in parser_handle .../wine/programs/winedbg/dbg.y:625:4
    #16 0x000140050eff in dbg_start_interactive .../wine/programs/winedbg/winedbg.c:644:5
    #17 0x0001400516b1 in main .../wine/programs/winedbg/winedbg.c:800:5
    #18 0x0001400ed22c in mainCRTStartup .../wine/dlls/msvcrt/crt_main.c:62:11
    #19 0x6fffffc377e0 in BaseThreadInitThunk .../wine/dlls/kernel32/thread.c:61:24
    #20 0x6fffffdc0532 in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x170050532)

SUMMARY: AddressSanitizer: heap-buffer-overflow .../wine/programs/winedbg/memory.c:107:13 in memory_read_value
Shadow bytes around the buggy address:
  0x7eea4db09a80: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x7eea4db09b00: fa fa fd fa fa fa 00 00 fa fa fd fa fa fa 00 00
  0x7eea4db09b80: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fd
  0x7eea4db09c00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x7eea4db09c80: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
=>0x7eea4db09d00: fa fa[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eea4db09d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eea4db09e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eea4db09e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eea4db09f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eea4db09f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
013c:0140:fixme:dbghelp_dwarf:compute_location Unhandled attr op: 5
  2 0x006fffffdc18dc LdrInitializeThunk+0x1c(context=<internal error>, unk2=0xbe00000000, unk3=<internal error>, unk4=<internal error>) in ntdll (0x007ffffe1ffae0)
Wine-dbg>
```
</details>
From: Bernhard Übelacker bernhardu@mailbox.org
---
 programs/winedbg/symbol.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/programs/winedbg/symbol.c b/programs/winedbg/symbol.c index 22c34033752..56e17dc81e3 100644 --- a/programs/winedbg/symbol.c +++ b/programs/winedbg/symbol.c @@ -154,7 +154,10 @@ static BOOL fill_sym_lvalue(const SYMBOL_INFO* sym, ULONG_PTR base, } else { - DWORD* pdw = (DWORD*)lexeme_alloc_size(sizeof(*pdw)); + DWORD64 size64; + DWORD* pdw; + if (!types_get_info(&type, TI_GET_LENGTH, &size64)) size64 = sizeof(void*); + pdw = (DWORD*)lexeme_alloc_size(size64); init_lvalue(lvalue, FALSE, pdw); *pdw = sym->Value; }
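Review bot: the allocation in `pdw = (DWORD*)lexeme_alloc_size(size64);` is now sized from TI_GET_LENGTH, but the store that follows is still the unchanged `*pdw = sym->Value;`, which writes only sizeof(DWORD) bytes: for the 8-byte read shown in the ASan report above, the upper four bytes of the lexeme buffer are never initialised and memory_read_value will copy whatever lexeme_alloc_size left there, and if TI_GET_LENGTH succeeds with a length smaller than sizeof(DWORD) (a char- or short-typed constant) the DWORD store itself runs past the end of the allocation, since the sizeof(void*) fallback only covers the failure path. Suggest sizing the buffer as the larger of size64 and sizeof(sym->Value), zero-filling it, and copying the full 64-bit sym->Value rather than truncating it through a DWORD pointer, e.g. `DWORD64* pdw = lexeme_alloc_size(max(size64, sizeof(*pdw)));` followed by `*pdw = sym->Value;`. Also, `type` is not declared in the hunk, so please confirm it is the dbg_type for this symbol that fill_sym_lvalue sets up earlier, and that lexeme_alloc_size's size parameter accepts a DWORD64 without an implicit narrowing.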
1) the sym->Value size is 64-bit, so we shouldn't (normally...) pass more than that as constant value, so changing pdw's type to DWORD64 should be sufficient
2) if not, then there's something wrong in dwarf decoding (could be one of the fixme:s)