[PATCH] Don't return the main file as the separate debug info

[PATCH] Don't return the main file as the separate debug info

[H.J. Lu]

On Fedora 35,

$ readelf -d /usr/bin/npc

caused readelf to run out of stack since load_separate_debug_info
returned the input main file as the separate debug info:

(gdb) bt
 #0  load_separate_debug_info (
    main_filename=main_filename@entry=0x510f50 "/export/home/hjl/.cache/debuginfod_client/dcc33c51c49e7dafc178fdb5cf8bd8946f965295/debuginfo",
    xlink=xlink@entry=0x4e5180 <debug_displays+4480>,
    parse_func=parse_func@entry=0x431550 <parse_gnu_debuglink>,
    check_func=check_func@entry=0x432ae0 <check_gnu_debuglink>,
    func_data=func_data@entry=0x7fffffffdb60, file=file@entry=0x51d430)
    at /export/gnu/import/git/sources/binutils-gdb/binutils/dwarf.c:11057
 #1  0x000000000043328d in check_for_and_load_links (file=0x51d430,
    filename=0x510f50 "/export/home/hjl/.cache/debuginfod_client/dcc33c51c49e7dafc178fdb5cf8bd8946f965295/debuginfo")
    at /export/gnu/import/git/sources/binutils-gdb/binutils/dwarf.c:11381
 #2  0x00000000004332ae in check_for_and_load_links (file=0x51b070,
    filename=0x518dd0 "/export/home/hjl/.cache/debuginfod_client/dcc33c51c49e7dafc178fdb5cf8bd8946f965295/debuginfo")

Return NULL if the separate debug info is the same as the input main
file to avoid infinite recursion.

	PR binutils/28679
	* dwarf.c (load_separate_debug_info): Don't return the input
	main file.
---
 binutils/dwarf.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 6497e541063..3fe7abd79ba 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -11053,6 +11053,9 @@ load_separate_debug_info (const char *            main_filename,
   char *         canon_dir;
   size_t         canon_dirlen;
   size_t         dirlen;
+  char *         canon_filename;
+  char *         canon_debug_filename;
+  bool		 self;
 
   if ((separate_filename = parse_func (xlink, func_data)) == NULL)
     {
@@ -11064,7 +11067,8 @@ load_separate_debug_info (const char *            main_filename,
   /* Attempt to locate the separate file.
      This should duplicate the logic in bfd/opncls.c:find_separate_debug_file().  */
 
-  canon_dir = lrealpath (main_filename);
+  canon_filename = lrealpath (main_filename);
+  canon_dir = xstrdup (canon_filename);
 
   for (canon_dirlen = strlen (canon_dir); canon_dirlen > 0; canon_dirlen--)
     if (IS_DIR_SEPARATOR (canon_dir[canon_dirlen - 1]))
@@ -11219,6 +11223,16 @@ load_separate_debug_info (const char *            main_filename,
  found:
   free (canon_dir);
 
+  canon_debug_filename = lrealpath (debug_filename);
+  self = strcmp (canon_debug_filename, canon_filename) == 0;
+  free (canon_filename);
+  free (canon_debug_filename);
+  if (self)
+    {
+      free (debug_filename);
+      return NULL;
+    }
+
   void * debug_handle;
 
   /* Now open the file.... */
-- 
2.33.1

Re: [PATCH] Don't return the main file as the separate debug info

[Alan Modra]

On Fri, Dec 10, 2021 at 01:48:39PM -0800, H.J. Lu wrote:
> Return NULL if the separate debug info is the same as the input main
> file to avoid infinite recursion.

Your backtrace says it's actually the separate debug info file
pointing to itself, not to the main file.

> 	PR binutils/28679
> 	* dwarf.c (load_separate_debug_info): Don't return the input
> 	main file.

You missed two places where canon_filename should be freed when
returning NULL.  OK with those fixed.

-- 
Alan Modra
Australia Development Lab, IBM

Re: [PATCH] Don't return the main file as the separate debug info

[H.J. Lu]

[-- Attachment #1: Type: text/plain, Size: 757 bytes --]

On Fri, Dec 10, 2021 at 4:11 PM Alan Modra <amodra@gmail.com> wrote:
>
> On Fri, Dec 10, 2021 at 01:48:39PM -0800, H.J. Lu wrote:
> > Return NULL if the separate debug info is the same as the input main
> > file to avoid infinite recursion.
>
> Your backtrace says it's actually the separate debug info file
> pointing to itself, not to the main file.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2031278

>
> >       PR binutils/28679
> >       * dwarf.c (load_separate_debug_info): Don't return the input
> >       main file.
>
> You missed two places where canon_filename should be freed when
> returning NULL.  OK with those fixed.
>
> --
> Alan Modra
> Australia Development Lab, IBM

Here is the v2 patch I am checking in.

Thanks.

-- 
H.J.

[-- Attachment #2: v2-0001-Don-t-return-the-main-file-as-the-separate-debug-.patch --]
[-- Type: text/x-patch, Size: 3354 bytes --]

From 85fa72d8329d665ec1a43373fd00992b75f1d99e Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Fri, 10 Dec 2021 13:34:22 -0800
Subject: [PATCH v2] Don't return the main file as the separate debug info

On Fedora 35,

$ readelf -d /usr/bin/npc

caused readelf to run out of stack since load_separate_debug_info
returned the input main file as the separate debug info:

(gdb) bt
 #0  load_separate_debug_info (
    main_filename=main_filename@entry=0x510f50 "/export/home/hjl/.cache/debuginfod_client/dcc33c51c49e7dafc178fdb5cf8bd8946f965295/debuginfo",
    xlink=xlink@entry=0x4e5180 <debug_displays+4480>,
    parse_func=parse_func@entry=0x431550 <parse_gnu_debuglink>,
    check_func=check_func@entry=0x432ae0 <check_gnu_debuglink>,
    func_data=func_data@entry=0x7fffffffdb60, file=file@entry=0x51d430)
    at /export/gnu/import/git/sources/binutils-gdb/binutils/dwarf.c:11057
 #1  0x000000000043328d in check_for_and_load_links (file=0x51d430,
    filename=0x510f50 "/export/home/hjl/.cache/debuginfod_client/dcc33c51c49e7dafc178fdb5cf8bd8946f965295/debuginfo")
    at /export/gnu/import/git/sources/binutils-gdb/binutils/dwarf.c:11381
 #2  0x00000000004332ae in check_for_and_load_links (file=0x51b070,
    filename=0x518dd0 "/export/home/hjl/.cache/debuginfod_client/dcc33c51c49e7dafc178fdb5cf8bd8946f965295/debuginfo")

Return NULL if the separate debug info is the same as the input main
file to avoid infinite recursion.

	PR binutils/28679
	* dwarf.c (load_separate_debug_info): Don't return the input
	main file.
---
 binutils/dwarf.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 6497e541063..eeef98d4a18 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -11053,6 +11053,9 @@ load_separate_debug_info (const char *            main_filename,
   char *         canon_dir;
   size_t         canon_dirlen;
   size_t         dirlen;
+  char *         canon_filename;
+  char *         canon_debug_filename;
+  bool		 self;
 
   if ((separate_filename = parse_func (xlink, func_data)) == NULL)
     {
@@ -11064,7 +11067,8 @@ load_separate_debug_info (const char *            main_filename,
   /* Attempt to locate the separate file.
      This should duplicate the logic in bfd/opncls.c:find_separate_debug_file().  */
 
-  canon_dir = lrealpath (main_filename);
+  canon_filename = lrealpath (main_filename);
+  canon_dir = xstrdup (canon_filename);
 
   for (canon_dirlen = strlen (canon_dir); canon_dirlen > 0; canon_dirlen--)
     if (IS_DIR_SEPARATOR (canon_dir[canon_dirlen - 1]))
@@ -11096,6 +11100,7 @@ load_separate_debug_info (const char *            main_filename,
     {
       warn (_("Out of memory"));
       free (canon_dir);
+      free (canon_filename);
       return NULL;
     }
 
@@ -11214,11 +11219,22 @@ load_separate_debug_info (const char *            main_filename,
 
   free (canon_dir);
   free (debug_filename);
+  free (canon_filename);
   return NULL;
 
  found:
   free (canon_dir);
 
+  canon_debug_filename = lrealpath (debug_filename);
+  self = strcmp (canon_debug_filename, canon_filename) == 0;
+  free (canon_filename);
+  free (canon_debug_filename);
+  if (self)
+    {
+      free (debug_filename);
+      return NULL;
+    }
+
   void * debug_handle;
 
   /* Now open the file.... */
-- 
2.33.1