* [PATCH] libdw: Check DW_AT_sibling attribute offset is after current DIE.
@ 2015-01-04 23:09 Mark Wielaard
From: Mark Wielaard @ 2015-01-04 23:09 UTC (permalink / raw)
To: elfutils-devel
The sibling attribute should point after this DIE in the CU.
Otherwise various algorithms might loop or go into infinite recursion
walking the DIE tree.
Found by afl-fuzz.
Signed-off-by: Mark Wielaard <mjw@redhat.com>
---
libdw/ChangeLog | 5 +++++
libdw/dwarf_siblingof.c | 7 +++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 2b47f4d..16ea9c3 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,5 +1,10 @@
2015-01-04 Mark Wielaard <mjw@redhat.com>
+ * dwarf_siblingof.c (dwarf_siblingof): Check sibling attribute
+ is after current DIE.
+
+2015-01-04 Mark Wielaard <mjw@redhat.com>
+
* cfi.c (enough_registers): Check reg < INT32_MAX / sizeof
(dwarf_frame_register).
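Review bot: The new entry is inserted as a second `2015-01-04 Mark Wielaard <mjw@redhat.com>` header directly above an existing header with the same date and author; GNU ChangeLog convention normally groups same-day entries by one author under a single header, so the `* dwarf_siblingof.c (dwarf_siblingof): Check sibling attribute is after current DIE.` line could be added beneath the existing heading instead of duplicating it.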
diff --git a/libdw/dwarf_siblingof.c b/libdw/dwarf_siblingof.c
index f8241b3..e598ae4 100644
--- a/libdw/dwarf_siblingof.c
+++ b/libdw/dwarf_siblingof.c
@@ -1,5 +1,5 @@
/* Return sibling of given DIE.
- Copyright (C) 2003-2010, 2014 Red Hat, Inc.
+ Copyright (C) 2003-2010, 2014, 2015 Red Hat, Inc.
This file is part of elfutils.
Written by Ulrich Drepper <drepper@redhat.com>, 2003.
@@ -79,8 +79,11 @@ dwarf_siblingof (die, result)
/* Something went wrong. */
return -1;
+ /* The sibling attribute should point after this DIE in the CU.
+ But not after the end of the CU. */
size_t size = sibattr.cu->endp - sibattr.cu->startp;
- if (unlikely (offset >= size))
+ size_t die_off = this_die.addr - this_die.cu->startp;
+ if (unlikely (offset >= size || offset <= die_off))
{
__libdw_seterrno (DWARF_E_INVALID_DWARF);
return -1;
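Review bot: The new `offset <= die_off` test rejects a sibling offset at or before the start of the current DIE, but `die_off` is the offset of the DIE's first byte (`this_die.addr - this_die.cu->startp`), so an offset that lands inside the current DIE's own attribute bytes still passes and will be parsed as the start of a new DIE. If the end of the current DIE is not cheaply available at this point, consider at least making the comment say "after the start of this DIE" so the bound being enforced is clear; the combined `offset >= size || offset <= die_off` check otherwise reads correctly and keeps the existing end-of-CU bound.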
--
1.8.3.1
* Re: [PATCH] libdw: Check DW_AT_sibling attribute offset is after current DIE.
@ 2015-01-15 13:22 Mark Wielaard
From: Mark Wielaard @ 2015-01-15 13:22 UTC (permalink / raw)
To: elfutils-devel
On Mon, 2015-01-05 at 00:09 +0100, Mark Wielaard wrote:
> The sibling attribute should point after this DIE in the CU.
> Otherwise various algorithms might loop or go into infinite recursion
> walking the DIE tree.
>
> Found by afl-fuzz.
>
> Signed-off-by: Mark Wielaard <mjw@redhat.com>
I pushed this to master.