From patchwork Wed Oct 16 16:52:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Simon Marchi (Code Review)" X-Patchwork-Id: 35051 Received: (qmail 65650 invoked by alias); 16 Oct 2019 16:53:01 -0000 Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-patches-owner@sourceware.org Delivered-To: mailing list gdb-patches@sourceware.org Received: (qmail 65636 invoked by uid 89); 16 Oct 2019 16:53:00 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-18.8 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3 autolearn=ham version=3.3.1 spammy= X-HELO: mx1.osci.io Received: from polly.osci.io (HELO mx1.osci.io) (8.43.85.229) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 16 Oct 2019 16:52:59 +0000 Received: by mx1.osci.io (Postfix, from userid 994) id 6A2722061D; Wed, 16 Oct 2019 12:52:57 -0400 (EDT) Received: from gnutoolchain-gerrit.osci.io (gnutoolchain-gerrit.osci.io [8.43.85.239]) by mx1.osci.io (Postfix) with ESMTP id F02C7208EF; Wed, 16 Oct 2019 12:52:54 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by gnutoolchain-gerrit.osci.io (Postfix) with ESMTP id D464620AF6; Wed, 16 Oct 2019 12:52:54 -0400 (EDT) X-Gerrit-PatchSet: 2 Date: Wed, 16 Oct 2019 12:52:54 -0400 From: "Keith Seitz (Code Review)" To: gdb-patches@sourceware.org Cc: Tom Tromey Auto-Submitted: auto-generated X-Gerrit-MessageType: newpatchset Subject: [review] DWARF reader: Reject sections with invalid sizes X-Gerrit-Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f X-Gerrit-Change-Number: 127 X-Gerrit-ChangeURL: X-Gerrit-Commit: af180f59f5fd06a844572bd0cb23e7cb15b41381 In-Reply-To: References: Reply-To: keiths@redhat.com, tromey@sourceware.org, gdb-patches@sourceware.org MIME-Version: 1.0 Content-Disposition: inline User-Agent: Gerrit/3.0.3 Message-Id: <20191016165254.D464620AF6@gnutoolchain-gerrit.osci.io> Keith Seitz has uploaded a new patch set version (#2). Change URL: https://gnutoolchain-gerrit.osci.io/r/c/binutils-gdb/+/127 ...................................................................... DWARF reader: Reject sections with invalid sizes This is another fuzzer bug, gdb/23567. This time, the fuzzer has specifically altered the size of .debug_str: $ eu-readelf -S objdump Section Headers: [Nr] Name Type Addr Off Size ES Flags Lk Inf Al [31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1 When this file is loaded into GDB, the DWARF reader crashes attempting to access the string table (or it may just store a bunch of nonsense): [gdb-8.3-6-fc30] $ gdb -nx -q objdump BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size Reading symbols from /path/to/objdump... Segmentation fault (core dumped) Nick has already committed a BFD patch to issue the warning seen above. [gdb master 6acc1a0b] $ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size Reading symbols from /path/to/objdump... (gdb) inf func All defined functions: File ./../include/dwarf2.def: 186: const 8 *>(.: ;'@�B); 747: const 8 *�(.: ;'@�B); 701: const 8 *�D � (.: ;'@�B); 71: const 8 *(.: ;'@�B); /* and more gibberish */ Consider read_indirect_string_at_offset_from: static const char * read_indirect_string_at_offset_from (struct objfile *objfile, bfd *abfd, LONGEST str_offset, struct dwarf2_section_info *sect, const char *form_name, const char *sect_name) { dwarf2_read_section (objfile, sect); if (sect->buffer == NULL) error (_("%s used without %s section [in module %s]"), form_name, sect_name, bfd_get_filename (abfd)); if (str_offset >= sect->size) error (_("%s pointing outside of %s section [in module %s]"), form_name, sect_name, bfd_get_filename (abfd)); gdb_assert (HOST_CHAR_BIT == 8); if (sect->buffer[str_offset] == '\0') return NULL; return (const char *) (sect->buffer + str_offset); } With sect_size being ginormous, the code attempts to access sect->buffer[GINORMOUS], and depending on the layout of memory, GDB either stores a bunch of gibberish strings or crashes. This is an attempt to mitigate this by implementing a similar approach used by BFD. In our case, we simply reject the section with the invalid length: $ ./gdb -nx -q objdump BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size Reading symbols from /path/to/objdump... warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump] DW_FORM_strp used without .debug_str section [in module /path/to/objdump] (No debugging symbols found in /path/to/objdump) (gdb) Unfortunately, I have not found a way to regression test this, since it requires poking ELF section headers. gdb/ChangeLog: 2019-10-16 Keith Seitz PR gdb/23567 * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard sections whose size is greater than the file size. Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f --- M gdb/dwarf2read.c 1 file changed, 9 insertions(+), 0 deletions(-) diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c index 0443b55..a78f818 100644 --- a/gdb/dwarf2read.c +++ b/gdb/dwarf2read.c @@ -2338,6 +2338,15 @@ if ((aflag & SEC_HAS_CONTENTS) == 0) { } + else if (elf_section_data (sectp)->this_hdr.sh_size + > bfd_get_file_size (abfd)) + { + bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size; + warning (_("Discarding section %s which has a section size (%s" + ") larger than the file size [in module %s]"), + bfd_section_name (sectp), phex_nz (size, sizeof (size)), + bfd_get_filename (abfd)); + } else if (section_is_p (sectp->name, &names.info)) { this->info.s.section = sectp;