Date: Thu, 2 Jun 2022 16:56:28 +0930
From: Alan Modra To: binutils@sourceware.org Subject: asan: NULL deref in scan_unit_for_symbols Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-3036.4 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: binutils@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Binutils mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jun 2022 07:26:35 -0000 Since commit b43771b045 it has been possible to look up addresses that match a unit with errors, since ranges are added to a trie while the unit is being parsed. On error, parse_comp_unit leaves first_child_die_ptr NULL which results in a NULL info_ptr being passed to scan_unit_for_symbols. Fix this by setting unit->error. Also wrap some overlong lines, and fix some formatting errors. * dwarf2.c: Formatting. (parse_comp_unit): Set unit->error on err_exit path. diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c index 6a728fc38b0..51018e1ab45 100644 --- a/bfd/dwarf2.c +++ b/bfd/dwarf2.c @@ -145,8 +145,7 @@ struct trie_interior static struct trie_node *alloc_trie_leaf (bfd *abfd) { - struct trie_leaf *leaf = - bfd_zalloc (abfd, sizeof (struct trie_leaf)); + struct trie_leaf *leaf = bfd_zalloc (abfd, sizeof (struct trie_leaf)); if (leaf == NULL) return NULL; leaf->head.num_room_in_leaf = TRIE_LEAF_SIZE; @@ -2009,7 +2008,7 @@ static bool ranges_overlap (bfd_vma low1, /* We touch iff low2 == high1. We overlap iff low2 is within [low1, high1). */ - return (low2 <= high1); + return low2 <= high1; } /* Insert an address range in the trie mapping addresses to compilation units. 
@@ -2039,9 +2038,10 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, for (i = 0; i < leaf->num_stored_in_leaf; ++i) { - if (leaf->ranges[i].unit == unit && - ranges_overlap(low_pc, high_pc, - leaf->ranges[i].low_pc, leaf->ranges[i].high_pc)) + if (leaf->ranges[i].unit == unit + && ranges_overlap (low_pc, high_pc, + leaf->ranges[i].low_pc, + leaf->ranges[i].high_pc)) { if (low_pc < leaf->ranges[i].low_pc) leaf->ranges[i].low_pc = low_pc; @@ -2085,10 +2085,10 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, const struct trie_leaf *leaf = (struct trie_leaf *) trie; unsigned int new_room_in_leaf = trie->num_room_in_leaf * 2; struct trie_leaf *new_leaf; - - new_leaf = bfd_zalloc (abfd, - sizeof (struct trie_leaf) + - (new_room_in_leaf - TRIE_LEAF_SIZE) * sizeof (leaf->ranges[0])); + size_t amt = (sizeof (struct trie_leaf) + + ((new_room_in_leaf - TRIE_LEAF_SIZE) + * sizeof (leaf->ranges[0]))); + new_leaf = bfd_zalloc (abfd, amt); new_leaf->head.num_room_in_leaf = new_room_in_leaf; new_leaf->num_stored_in_leaf = leaf->num_stored_in_leaf; @@ -2122,7 +2122,7 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, if (trie_pc_bits > 0) { bfd_vma bucket_high_pc = - trie_pc + ((bfd_vma)-1 >> trie_pc_bits); /* Inclusive. */ + trie_pc + ((bfd_vma) -1 >> trie_pc_bits); /* Inclusive. */ if (clamped_low_pc < trie_pc) clamped_low_pc = trie_pc; if (clamped_high_pc > bucket_high_pc) @@ -2143,9 +2143,10 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, if (!child) return NULL; } + bfd_vma bucket = (bfd_vma) ch << (VMA_BITS - trie_pc_bits - 8); child = insert_arange_in_trie (abfd, child, - trie_pc + ((bfd_vma)ch << (VMA_BITS - trie_pc_bits - 8)), + trie_pc + bucket, trie_pc_bits + 8, unit, low_pc, 
@@ -2843,9 +2844,8 @@ decode_line_info (struct comp_unit *unit) goto line_fail; break; case DW_LNE_set_discriminator: - discriminator = - _bfd_safe_read_leb128 (abfd, &line_ptr, - false, line_end); + discriminator = _bfd_safe_read_leb128 (abfd, &line_ptr, + false, line_end); break; case DW_LNE_HP_source_file_correlation: line_ptr += exop_len - 1; @@ -4512,6 +4512,7 @@ parse_comp_unit (struct dwarf2_debug *stash, return unit; err_exit: + unit->error = 1; free (str_addrp); return NULL; } @@ -5565,14 +5566,14 @@ _bfd_dwarf2_find_symbol_bias (asymbol ** symbols, void ** pinfo) { asymbol search, *sym; - /* FIXME: Do we need to scan the aranges looking for the lowest pc value ? */ + /* FIXME: Do we need to scan the aranges looking for the + lowest pc value? */ search.name = func->name; sym = htab_find (sym_hash, &search); if (sym != NULL) { - result = ((bfd_signed_vma) func->arange.low) - - ((bfd_signed_vma) (sym->value + sym->section->vma)); + result = func->arange.low - (sym->value + sym->section->vma); goto done; } } @@ -5752,16 +5753,14 @@ _bfd_dwarf2_find_nearest_line (bfd *abfd, unsigned int i; for (i = 0; i < leaf->num_stored_in_leaf; ++i) - { - leaf->ranges[i].unit->mark = false; - } + leaf->ranges[i].unit->mark = false; for (i = 0; i < leaf->num_stored_in_leaf; ++i) { struct comp_unit *unit = leaf->ranges[i].unit; - if (unit->mark || - addr < leaf->ranges[i].low_pc || - addr >= leaf->ranges[i].high_pc) + if (unit->mark + || addr < leaf->ranges[i].low_pc + || addr >= leaf->ranges[i].high_pc) continue; unit->mark = true; -- Alan Modra Australia Development Lab, IBM
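Review bot: in the leaf-growing hunk of insert_arange_in_trie (around line 2085), the reworked allocation still dereferences new_leaf without a NULL check: `new_leaf = bfd_zalloc (abfd, amt);` is followed directly by `new_leaf->head.num_room_in_leaf = new_room_in_leaf;`. alloc_trie_leaf in the first hunk already returns NULL on allocation failure; since this line is being touched anyway, add the same guard, `if (new_leaf == NULL) return NULL;`, so a failed bfd_zalloc is reported instead of becoming a NULL dereference.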
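Review bot: the new `unit->error = 1;` at the err_exit label in parse_comp_unit assumes unit is already allocated at every `goto err_exit`, but the hunk shows only the label, not the jumps. Please confirm that no error path reaches the label before the unit is allocated, or guard it with `if (unit != NULL) unit->error = 1;`. A short comment at the label would also help: the reason the flag must be set (ranges for this unit may already be in the trie when NULL is returned, so later lookups must see the error) is currently only in the commit message.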
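Review bot: in the _bfd_dwarf2_find_symbol_bias hunk, replacing the two bfd_signed_vma casts with `result = func->arange.low - (sym->value + sym->section->vma);` is more than formatting: the subtraction now happens in unsigned bfd_vma arithmetic and the sign is recovered only by the conversion on assignment to result (whose type is not in the hunk), which is implementation-defined in C even though every supported compiler wraps. If that is the intent, say so in the ChangeLog entry, which at present lists this file only as "Formatting", so the behaviour change is not hidden from anyone reading the history.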