* [PATCH]: Improve readelf's handling of corrupt call frames
@ 2006-06-30 12:46 Nick Clifton
0 siblings, 0 replies; 2+ messages in thread
From: Nick Clifton @ 2006-06-30 12:46 UTC (permalink / raw)
To: binutils
Hi Guys,
A coworker recently across a situation where readelf would seg fault
whilst trying to display the call frame information for a binary
built for a 16-bit target. Whilst the issue of whether the call
frame info in this binary was actually corrupt is still in debate
(it is a segmented 16/24/32 bit architecture), the fact remains that
readelf should not seg fault.
So I am going to apply the attached patch. It detects situations
where the end of a call frame data block is beyond the end of the
.debug_frame section, and it prevents the code that handles corrupt
CIE pointers from resetting the start pointer to the end of the
block. This causes problems because the code later on will attempt
to read the rest of the block's information from beyond the end of
the block.
Cheers
Nick
binutils/ChangeLog
2006-06-30 Nick Clifton <nickc@redhat.com>
* dwarf.c (display_debug_frames): Catch a corrupt length field
generating an end of block address that is beyond the end of the
section.
When encountering a corrupt CIE pointer do not reset the start
pointer as more data still has to be read.
Do not warn about user defined call frame instructions.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH]: Improve readelf's handling of corrupt call frames
@ 2006-06-30 13:30 Nick Clifton
0 siblings, 0 replies; 2+ messages in thread
From: Nick Clifton @ 2006-06-30 13:30 UTC (permalink / raw)
To: binutils
[-- Attachment #1: Type: text/plain, Size: 64 bytes --]
Oops - forgot to attach the patch. Here it is.
Cheers
Nick
[-- Attachment #2: dwarf.c.patch.3 --]
[-- Type: application/octet-stream, Size: 4697 bytes --]
Index: binutils/dwarf.c
===================================================================
RCS file: /cvs/src/src/binutils/dwarf.c,v
retrieving revision 1.5
diff -c -3 -p -r1.5 dwarf.c
*** binutils/dwarf.c 15 May 2006 14:50:38 -0000 1.5
--- binutils/dwarf.c 30 Jun 2006 12:38:12 -0000
*************** display_debug_aranges (struct dwarf_sect
*** 2519,2524 ****
--- 2519,2525 ----
unsigned char *ranges;
unsigned long length;
unsigned long address;
+ unsigned char address_size;
int excess;
int offset_size;
int initial_length_size;
*************** display_debug_aranges (struct dwarf_sect
*** 2565,2590 ****
printf (_(" Pointer Size: %d\n"), arange.ar_pointer_size);
printf (_(" Segment Size: %d\n"), arange.ar_segment_size);
printf (_("\n Address Length\n"));
ranges = hdrptr;
! /* Must pad to an alignment boundary that is twice the pointer size. */
! excess = (hdrptr - start) % (2 * arange.ar_pointer_size);
if (excess)
! ranges += (2 * arange.ar_pointer_size) - excess;
start += arange.ar_length + initial_length_size;
! while (ranges + 2 * arange.ar_pointer_size <= start)
{
! address = byte_get (ranges, arange.ar_pointer_size);
! ranges += arange.ar_pointer_size;
! length = byte_get (ranges, arange.ar_pointer_size);
! ranges += arange.ar_pointer_size;
printf (" %8.8lx %lu\n", address, length);
}
--- 2566,2602 ----
printf (_(" Pointer Size: %d\n"), arange.ar_pointer_size);
printf (_(" Segment Size: %d\n"), arange.ar_segment_size);
+ address_size = arange.ar_pointer_size + arange.ar_segment_size;
+
+ /* The DWARF spec does not require that the address size be a power
+ of two, but we do. This will have to change if we ever encounter
+ an uneven architecture. */
+ if ((address_size & (address_size - 1)) != 0)
+ {
+ warn (_("Pointer size + Segment size is not a power of two.\n"));
+ break;
+ }
+
printf (_("\n Address Length\n"));
ranges = hdrptr;
! /* Must pad to an alignment boundary that is twice the address size. */
! excess = (hdrptr - start) % (2 * address_size);
if (excess)
! ranges += (2 * address_size) - excess;
start += arange.ar_length + initial_length_size;
! while (ranges + 2 * address_size <= start)
{
! address = byte_get (ranges, address_size);
! ranges += address_size;
! length = byte_get (ranges, address_size);
! ranges += address_size;
printf (" %8.8lx %lu\n", address, length);
}
*************** static dwarf_vma
*** 2879,2884 ****
--- 2891,2897 ----
get_encoded_value (unsigned char *data, int encoding)
{
int size = size_of_encoded_value (encoding);
+
if (encoding & DW_EH_PE_signed)
return byte_get_signed (data, size);
else
*************** display_debug_frames (struct dwarf_secti
*** 2944,2949 ****
--- 2957,2968 ----
}
block_end = saved_start + length + initial_length_size;
+ if (block_end > end)
+ {
+ warn ("Invalid length %#08lx in FDE at %#08lx\n",
+ length, (unsigned long)(saved_start - section_start));
+ block_end = end;
+ }
cie_id = byte_get (start, offset_size); start += offset_size;
if (is_eh ? (cie_id == 0) : (cie_id == DW_CIE_ID))
*************** display_debug_frames (struct dwarf_secti
*** 3078,3086 ****
if (!cie)
{
! warn ("Invalid CIE pointer %08lx in FDE at %08lx\n",
cie_id, (unsigned long)(saved_start - section_start));
- start = block_end;
fc->ncols = 0;
fc->col_type = xmalloc (sizeof (short int));
fc->col_offset = xmalloc (sizeof (int));
--- 3097,3104 ----
if (!cie)
{
! warn ("Invalid CIE pointer %#08lx in FDE at %#08lx\n",
cie_id, (unsigned long)(saved_start - section_start));
fc->ncols = 0;
fc->col_type = xmalloc (sizeof (short int));
fc->col_offset = xmalloc (sizeof (int));
*************** display_debug_frames (struct dwarf_secti
*** 3584,3590 ****
break;
default:
! warn (_("unsupported or unknown DW_CFA_%d\n"), op);
start = block_end;
}
}
--- 3602,3611 ----
break;
default:
! if (op >= DW_CFA_lo_user && op <= DW_CFA_hi_user)
! printf (_(" DW_CFA_??? (User defined call frame op: %#x)\n"), op);
! else
! warn (_("unsupported or unknown Dwarf Call Frame Instruction number: %#x\n"), op);
start = block_end;
}
}
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-06-30 12:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2006-06-30 12:46 [PATCH]: Improve readelf's handling of corrupt call frames Nick Clifton
2006-06-30 13:30 Nick Clifton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).