From 3b7262b0ee785bef06d3e458cb13c736fc0b8da8 Mon Sep 17 00:00:00 2001
From: "mark@chromium.org"
Date: Thu, 5 Feb 2015 23:01:31 +0000
Subject: Fix overflow error in breakpad for linux

A computation in the stack unwind algorithm could cause an overflow if a base pointer read from crashed process is sufficiently close to top of address space. This causes a memory read that causes the dump thread to crash, resulting in a failure to generate crash dump. Check fixed to properly detect that this pointer is greater than actual memory range of current stack.

Patch by Kyle Joswiak

Review URL: https://breakpad.appspot.com/3754003/

git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1425 4c0a9323-5329-0410-9bdc-e9ce6186880e
---
 src/client/linux/dump_writer_common/seccomp_unwinder.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/client/linux')

diff --git a/src/client/linux/dump_writer_common/seccomp_unwinder.cc b/src/client/linux/dump_writer_common/seccomp_unwinder.cc
index 49971557..241bf1b0 100644
--- a/src/client/linux/dump_writer_common/seccomp_unwinder.cc
+++ b/src/client/linux/dump_writer_common/seccomp_unwinder.cc
@@ -44,8 +44,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
   uint64_t top = thread.stack.start_of_memory_range;
   for (int i = 4; i--; ) {
     if (bp < top ||
-        bp + sizeof(bp) > thread.stack.start_of_memory_range +
-                          thread.stack.memory.data_size ||
+        bp > thread.stack.start_of_memory_range +
+             thread.stack.memory.data_size - sizeof(bp) ||
         bp & 1) {
       break;
     }
@@ -107,8 +107,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
   uint32_t top = thread.stack.start_of_memory_range;
   for (int i = 4; i--; ) {
     if (bp < top ||
-        bp + sizeof(bp) > thread.stack.start_of_memory_range +
-                          thread.stack.memory.data_size ||
+        bp > thread.stack.start_of_memory_range +
+             thread.stack.memory.data_size - sizeof(bp) ||
         bp & 1) {
       break;
     }
--
cgit v1.2.1
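Review bot: The rewritten bound on the `+` lines of the first hunk moves the wrap hazard from `bp` to the stack descriptor: `start_of_memory_range + data_size - sizeof(bp)` wraps whenever the captured region is shorter than `sizeof(bp)` and starts near address zero, so the precondition is now implicit rather than checked. A cheap explicit guard, `thread.stack.memory.data_size < sizeof(bp) ||`, placed ahead of the range test makes the intent visible and costs nothing. The reason for the subtraction form also deserves a comment, because the next reader is likely to "simplify" it back into the overflowing addition: `// Compare against (end - sizeof(bp)) rather than (bp + sizeof(bp)): a bp near the top of the address space would wrap and pass the check.` PopSeccompStackFrame begins and ends outside the hunk, so I cannot see how bp is read afterwards.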
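Review bot: The second hunk repeats the first hunk's bound test verbatim, differing only in the width of `bp`, so the overflow reasoning now lives in two places that must be kept in sync by hand; a small helper taking plain integers would hold the subtraction form and its justification once. Note also that the context line `uint32_t top = thread.stack.start_of_memory_range;` truncates the descriptor field while the new `+` lines compare `bp` against the untruncated expression, so the lower and upper halves of the range check appear to be evaluated at different widths — this looks pre-existing and is probably harmless for a 32-bit dump, but it is worth confirming against the type of `start_of_memory_range`. PopSeccompStackFrame begins and ends outside the hunk.
```cpp
// True when [bp, bp + width) lies within the captured stack [start, start + size).
// Written without adding to bp so a bp near the top of the address space cannot wrap.
static bool FrameInStack(uint64_t start, uint64_t size, uint64_t bp, size_t width) {
  return size >= width && bp >= start && bp <= start + size - width;
}
// … unchanged: 64-bit and 32-bit paths of PopSeccompStackFrame …
    if (!FrameInStack(thread.stack.start_of_memory_range,
                      thread.stack.memory.data_size, bp, sizeof(bp)) ||
        bp & 1) {
```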