From: Mark Wielaard
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard
Subject: [PATCH] libdw: Report error in dwarf_getlocation_die for bogus opcode offset.
Date: Wed, 06 Jun 2018 22:01:00 -0000
Message-Id: <1528322472-31031-1-git-send-email-mark@klomp.org>

Found by afl fuzzer on varlocs test. varlocs sanity checks that the given offset in the opcode corresponds to the cuoffset of the returned DIE. In case the opcode offset was bogus this might fail because we might wrap around and return a random DIE instead of reporting an error.

Signed-off-by: Mark Wielaard
---
libdw/ChangeLog | 5 +++++
libdw/dwarf_getlocation_die.c | 8 ++++++++
2 files changed, 13 insertions(+)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog index 21adeb7..b000492 100644 --- a/libdw/ChangeLog +++ b/libdw/ChangeLog @@ -1,3 +1,8 @@ +2018-06-06 Mark Wielaard + + * dwarf_getlocation_die.c (dwarf_getlocation_die): Check offset + falls inside cu data. + 2018-06-05 Mark Wielaard * dwarf_getsrclines.c (read_srclines): Explicitly set diridx to -1 diff --git a/libdw/dwarf_getlocation_die.c b/libdw/dwarf_getlocation_die.c index 00369a9..673c61c 100644 --- a/libdw/dwarf_getlocation_die.c +++ b/libdw/dwarf_getlocation_die.c @@ -59,6 +59,12 @@ dwarf_getlocation_die (Dwarf_Attribute *attr, const Dwarf_Op *op, case DW_OP_GNU_const_type: case DW_OP_call2: case DW_OP_call4: + if (op->number > (attr->cu->end - attr->cu->start)) + { + invalid_offset: + __libdw_seterrno (DWARF_E_INVALID_OFFSET); + return -1; + } dieoff = attr->cu->start + op->number; break; @@ -66,6 +72,8 @@ dwarf_getlocation_die (Dwarf_Attribute *attr, const Dwarf_Op *op, case DW_OP_GNU_regval_type: case DW_OP_deref_type: case DW_OP_GNU_deref_type: + if (op->number2 > (attr->cu->end - attr->cu->start)) + goto invalid_offset; dieoff = attr->cu->start + op->number2; break; -- 1.8.3.1
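Review bot: the new check in the DW_OP_call2/DW_OP_call4 hunk (`@@ -59,6 +59,12 @@`) uses `>`, so an `op->number` equal to `attr->cu->end - attr->cu->start` still passes and `dieoff` becomes `attr->cu->end`, one byte past the last byte of the CU data, where no DIE can start; `if (op->number >= (attr->cu->end - attr->cu->start))` rejects that case as well. The check does close the wraparound described in the commit message, since `attr->cu->start + op->number` is now only formed after `op->number` has been bounded by the CU size.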
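Review bot: in the DW_OP_GNU_regval_type/DW_OP_deref_type hunk (`@@ -66,6 +72,8 @@`), `goto invalid_offset;` jumps into the body of an `if` that belongs to another case label, where the label was placed in the first hunk; that is legal C today but fragile if that block ever gains a declaration, and it carries the same `>` off-by-one as the first check. Moving the error path after the switch, or into a small static helper that calls `__libdw_seterrno (DWARF_E_INVALID_OFFSET)` and returns -1, would let both `op->number` and `op->number2` be checked with `>=` in one place.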