public inbox for binutils@sourceware.org
 help / color / mirror / Atom feed
* Pool section entries for DWP version 1
@ 2022-10-30  9:55 Alan Modra
  2022-11-11  0:54 ` Cary Coutant
  0 siblings, 1 reply; 3+ messages in thread
From: Alan Modra @ 2022-10-30  9:55 UTC (permalink / raw)
  To: binutils

Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3

Fuzzers have found a weakness in the code stashing pool section
entries.  With random nonsensical values in the index entries (rather
than each index pointing to its own set distinct from other sets),
it's possible to overflow the space allocated, losing the NULL
terminator.  Without a terminator, find_section_in_set can run off the
end of the shndx_pool buffer.  Fix this by scanning the pool directly.

Does anyone still have dwp version 1 files they can use to test my
change?

binutils/
	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
	(end_cu_tu_entry): Likewise.
	(process_cu_tu_index): Fill shndx_pool by directly scanning
	pool, rather than indirectly from index entries.

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index c6340a28906..7730293326a 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
 static void
 add_shndx_to_cu_tu_entry (unsigned int shndx)
 {
-  if (shndx_pool_used >= shndx_pool_size)
-    {
-      error (_("Internal error: out of space in the shndx pool.\n"));
-      return;
-    }
   shndx_pool [shndx_pool_used++] = shndx;
 }
 
 static void
 end_cu_tu_entry (void)
 {
-  if (shndx_pool_used >= shndx_pool_size)
-    {
-      error (_("Internal error: out of space in the shndx pool.\n"));
-      return;
-    }
   shndx_pool [shndx_pool_used++] = 0;
 }
 
@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 
   if (version == 1)
     {
+      unsigned char *shndx_list;
+      unsigned int shndx;
+
       if (!do_display)
-	prealloc_cu_tu_list ((limit - ppool) / 4);
-      for (i = 0; i < nslots; i++)
 	{
-	  unsigned char *shndx_list;
-	  unsigned int shndx;
-
-	  SAFE_BYTE_GET (signature, phash, 8, limit);
-	  if (signature != 0)
+	  prealloc_cu_tu_list ((limit - ppool) / 4);
+	  for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
 	    {
-	      SAFE_BYTE_GET (j, pindex, 4, limit);
-	      shndx_list = ppool + j * 4;
-	      /* PR 17531: file: 705e010d.  */
-	      if (shndx_list < ppool)
-		{
-		  warn (_("Section index pool located before start of section\n"));
-		  return 0;
-		}
+	      shndx = byte_get (shndx_list, 4);
+	      add_shndx_to_cu_tu_entry (shndx);
+	    }
+	  end_cu_tu_entry ();
+	}
+      else
+	for (i = 0; i < nslots; i++)
+	  {
+	    SAFE_BYTE_GET (signature, phash, 8, limit);
+	    if (signature != 0)
+	      {
+		SAFE_BYTE_GET (j, pindex, 4, limit);
+		shndx_list = ppool + j * 4;
+		/* PR 17531: file: 705e010d.  */
+		if (shndx_list < ppool)
+		  {
+		    warn (_("Section index pool located before start of section\n"));
+		    return 0;
+		  }
 
-	      if (do_display)
 		printf (_("  [%3d] Signature:  %#" PRIx64 "  Sections: "),
 			i, signature);
-	      for (;;)
-		{
-		  if (shndx_list >= limit)
-		    {
-		      warn (_("Section %s too small for shndx pool\n"),
-			    section->name);
-		      return 0;
-		    }
-		  SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
-		  if (shndx == 0)
-		    break;
-		  if (do_display)
+		for (;;)
+		  {
+		    if (shndx_list >= limit)
+		      {
+			warn (_("Section %s too small for shndx pool\n"),
+			      section->name);
+			return 0;
+		      }
+		    SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
+		    if (shndx == 0)
+		      break;
 		    printf (" %d", shndx);
-		  else
-		    add_shndx_to_cu_tu_entry (shndx);
-		  shndx_list += 4;
-		}
-	      if (do_display)
+		    shndx_list += 4;
+		  }
 		printf ("\n");
-	      else
-		end_cu_tu_entry ();
-	    }
-	  phash += 8;
-	  pindex += 4;
-	}
+	      }
+	    phash += 8;
+	    pindex += 4;
+	  }
     }
   else if (version == 2)
     {

-- 
Alan Modra
Australia Development Lab, IBM

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Pool section entries for DWP version 1
  2022-10-30  9:55 Pool section entries for DWP version 1 Alan Modra
@ 2022-11-11  0:54 ` Cary Coutant
  2022-11-11  6:33   ` Fangrui Song
  0 siblings, 1 reply; 3+ messages in thread
From: Cary Coutant @ 2022-11-11  0:54 UTC (permalink / raw)
  To: Alan Modra; +Cc: binutils

> Does anyone still have dwp version 1 files they can use to test my
> change?

I doubt version 1 was ever used outside of Google, and it probably
hasn't been in use for at least 6 years. We could probably just remove
the support for it.

-cary

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Pool section entries for DWP version 1
  2022-11-11  0:54 ` Cary Coutant
@ 2022-11-11  6:33   ` Fangrui Song
  0 siblings, 0 replies; 3+ messages in thread
From: Fangrui Song @ 2022-11-11  6:33 UTC (permalink / raw)
  To: Cary Coutant; +Cc: Alan Modra, binutils

On 2022-11-10, Cary Coutant via Binutils wrote:
>> Does anyone still have dwp version 1 files they can use to test my
>> change?
>
>I doubt version 1 was ever used outside of Google, and it probably
>hasn't been in use for at least 6 years. We could probably just remove
>the support for it.
>
>-cary

I agree.


It would be nice to support DWARF v5 in dwp.  .debug_loclists,
.debug_rnglists, .debug_macro are not supported.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-11-11  6:33 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-30  9:55 Pool section entries for DWP version 1 Alan Modra
2022-11-11  0:54 ` Cary Coutant
2022-11-11  6:33   ` Fangrui Song

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).