public inbox for elfutils@sourceware.org
* [PATCH] libdw: Report error in dwarf_getlocation_die for bogus opcode offset.
@ 2018-06-06 22:01 Mark Wielaard
  2018-06-08 14:23 ` Mark Wielaard
  0 siblings, 1 reply; 2+ messages in thread
From: Mark Wielaard @ 2018-06-06 22:01 UTC (permalink / raw)
  To: elfutils-devel; +Cc: Mark Wielaard

Found by afl fuzzer on varlocs test. varlocs sanity checks that the
given offset in the opcode corresponds to the cuoffset of the returned
DIE. In case the opcode offset was bogus this might fail because we
might wrap around and return a random DIE instead of reporting an error.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdw/ChangeLog               | 5 +++++
 libdw/dwarf_getlocation_die.c | 8 ++++++++
 2 files changed, 13 insertions(+)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index 21adeb7..b000492 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,8 @@
+2018-06-06  Mark Wielaard  <mark@klomp.org>
+
+	* dwarf_getlocation_die.c (dwarf_getlocation_die): Check offset
+	falls inside cu data.
+
 2018-06-05  Mark Wielaard  <mark@klomp.org>
 
 	* dwarf_getsrclines.c (read_srclines): Explicitly set diridx to -1
diff --git a/libdw/dwarf_getlocation_die.c b/libdw/dwarf_getlocation_die.c
index 00369a9..673c61c 100644
--- a/libdw/dwarf_getlocation_die.c
+++ b/libdw/dwarf_getlocation_die.c
@@ -59,6 +59,12 @@ dwarf_getlocation_die (Dwarf_Attribute *attr, const Dwarf_Op *op,
     case DW_OP_GNU_const_type:
     case DW_OP_call2:
     case DW_OP_call4:
+      if (op->number > (attr->cu->end - attr->cu->start))
+	{
+	invalid_offset:
+	  __libdw_seterrno (DWARF_E_INVALID_OFFSET);
+	  return -1;
+	}
       dieoff = attr->cu->start + op->number;
       break;
 
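Review bot: the bound check in this hunk looks off by one: `op->number > (attr->cu->end - attr->cu->start)` still accepts `op->number == attr->cu->end - attr->cu->start`, which makes `dieoff = attr->cu->start + op->number` equal to `attr->cu->end`, one past the last byte of CU data if `end` is exclusive (and a DIE needs at least one byte, so an offset at `end` can never start a valid DIE). Consider `>=` so that case also hits `invalid_offset`. Placing the `invalid_offset:` label inside the `if` block is legal C, but a short comment that it is a shared error exit used by the `goto` in the later case arm would help readers who only see this hunk.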
@@ -66,6 +72,8 @@ dwarf_getlocation_die (Dwarf_Attribute *attr, const Dwarf_Op *op,
     case DW_OP_GNU_regval_type:
     case DW_OP_deref_type:
     case DW_OP_GNU_deref_type:
+      if (op->number2 > (attr->cu->end - attr->cu->start))
+	goto invalid_offset;
       dieoff = attr->cu->start + op->number2;
       break;
 
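Review bot: same boundary as the first hunk: `op->number2 > (attr->cu->end - attr->cu->start)` lets `op->number2 == end - start` through, so `dieoff` can land exactly on `attr->cu->end`; `>=` would reject it consistently with the intent stated in the commit message (offset must fall inside the CU data). The `goto invalid_offset` jumping into the earlier `if` body is fine for C, but factoring the check into a small static helper or macro would avoid the cross-case `goto` and keep both arms using one definition of "inside cu data".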
-- 
1.8.3.1


* Re: [PATCH] libdw: Report error in dwarf_getlocation_die for bogus opcode offset.
  2018-06-06 22:01 [PATCH] libdw: Report error in dwarf_getlocation_die for bogus opcode offset Mark Wielaard
@ 2018-06-08 14:23 ` Mark Wielaard
  0 siblings, 0 replies; 2+ messages in thread
From: Mark Wielaard @ 2018-06-08 14:23 UTC (permalink / raw)
  To: elfutils-devel

On Thu, 2018-06-07 at 00:01 +0200, Mark Wielaard wrote:
> Found by afl fuzzer on varlocs test. varlocs sanity checks that the
> given offset in the opcode corresponds to the cuoffset of the returned
> DIE. In case the opcode offset was bogus this might fail because we
> might wrap around and return a random DIE instead of reporting an error.

Pushed to master.

