From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <elfutils-devel-return-6854-listarch-elfutils-devel=sourceware.org@sourceware.org>
Received: (qmail 130273 invoked by alias); 26 Jun 2018 14:50:56 -0000
Mailing-List: contact elfutils-devel-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <elfutils-devel.sourceware.org>
List-Post: <mailto:elfutils-devel@sourceware.org>
List-Help: <mailto:elfutils-devel-help@sourceware.org>
List-Subscribe: <mailto:elfutils-devel-subscribe@sourceware.org>
Sender: elfutils-devel-owner@sourceware.org
Received: (qmail 130260 invoked by uid 89); 26 Jun 2018 14:50:55 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.99.4 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2 spammy=2018-06-23
X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on sourceware.org
X-Spam-Level:
X-HELO: gnu.wildebeest.org
Received: from wildebeest.demon.nl (HELO gnu.wildebeest.org) (212.238.236.112) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Tue, 26 Jun 2018 14:50:54 +0000
Received: from tarox.wildebeest.org (tarox.wildebeest.org [172.31.17.39])	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))	(No client certificate requested)	by gnu.wildebeest.org (Postfix) with ESMTPSA id AFA2A300040F;	Tue, 26 Jun 2018 16:50:51 +0200 (CEST)
Received: by tarox.wildebeest.org (Postfix, from userid 1000)	id A101A413CABF; Tue, 26 Jun 2018 16:50:51 +0200 (CEST)
From: Mark Wielaard <mark@klomp.org>
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard <mark@klomp.org>
Subject: [PATCH] tests: Limit varlocs print_expr_block recursion depth.
Date: Tue, 26 Jun 2018 14:50:00 -0000
Message-Id: <1530024649-31105-1-git-send-email-mark@klomp.org>
X-Mailer: git-send-email 1.8.3.1
X-Spam-Flag: NO
X-IsSubscribed: yes
X-SW-Source: 2018-q2/txt/msg00261.txt.bz2

This is only useful for bad DWARF where an expression block might have
an expression that refers to a DIE that contains the expression block
itself. But that might happen with bad DWARF generated by a fuzzer.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 tests/ChangeLog |  7 +++++++
 tests/varlocs.c | 30 +++++++++++++++++-------------
 2 files changed, 24 insertions(+), 13 deletions(-)

diff --git a/tests/ChangeLog b/tests/ChangeLog
index c494286..8259725 100644
--- a/tests/ChangeLog
+++ b/tests/ChangeLog
@@ -1,3 +1,10 @@
+2018-06-23  Mark Wielaard  <mark@klomp.org>
+
+	* varlocs.c (print_expr): Take a new depth argument. Check it isn't
+	greater than MAX_DEPTH (64). Pass on to print_expr_block.
+	(print_expr_block): Take a new depth argument. Pass it to print_expr.
+	(print_expr_block_addrs): Call print_expr_block with zero depth.
+
 2018-06-16  Yonghong Song  <yhs@fb.com>
 
 	* run-reloc-bpf.sh: New test.
diff --git a/tests/varlocs.c b/tests/varlocs.c
index f4a711c..2512439 100644
--- a/tests/varlocs.c
+++ b/tests/varlocs.c
@@ -164,16 +164,16 @@ dwarf_opcode_string (unsigned int code)
 }
 
 // Forward reference for print_expr_block.
-static void print_expr (Dwarf_Attribute *, Dwarf_Op *, Dwarf_Addr);
+static void print_expr (Dwarf_Attribute *, Dwarf_Op *, Dwarf_Addr, int);
 
 static void
 print_expr_block (Dwarf_Attribute *attr, Dwarf_Op *exprs, int len,
-		  Dwarf_Addr addr)
+		  Dwarf_Addr addr, int depth)
 {
   printf ("{");
   for (int i = 0; i < len; i++)
     {
-      print_expr (attr, &exprs[i], addr);
+      print_expr (attr, &exprs[i], addr, depth);
       printf ("%s", (i + 1 < len ? ", " : ""));
     }
   printf ("}");
@@ -185,13 +185,17 @@ print_expr_block_addrs (Dwarf_Attribute *attr,
 			Dwarf_Op *exprs, int len)
 {
   printf ("      [%" PRIx64 ",%" PRIx64 ") ", begin, end);
-  print_expr_block (attr, exprs, len, begin);
+  print_expr_block (attr, exprs, len, begin, 0);
   printf ("\n");
 }
 
 static void
-print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr)
+print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr, int depth)
 {
+#define MAX_DEPTH 64
+  if (depth++ > MAX_DEPTH)
+    error (EXIT_FAILURE, 0, "print_expr recursion depth exceeded");
+
   uint8_t atom = expr->atom;
   const char *opname = dwarf_opcode_string (atom);
   assert (opname != NULL);
@@ -274,7 +278,7 @@ print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr)
 		   addr, dwarf_errmsg (-1));
 	  if (cfa_nops < 1)
 	    error (EXIT_FAILURE, 0, "dwarf_frame_cfa no ops");
-	  print_expr_block (NULL, cfa_ops, cfa_nops, 0);
+	  print_expr_block (NULL, cfa_ops, cfa_nops, 0, depth);
 	  free (frame);
 	}
       else if (is_ET_REL || is_debug)
@@ -343,7 +347,7 @@ print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr)
 		 dwarf_errmsg (-1));
 
 	printf ("%s([%" PRIx64 "]) ", opname, dwarf_dieoffset (&call_die));
-	print_expr_block (&call_attr, call_ops, call_len, addr);
+	print_expr_block (&call_attr, call_ops, call_len, addr, depth);
       }
       break;
 
@@ -458,7 +462,7 @@ print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr)
 	    if (locs == 0)
 	      printf ("<no location>"); // This means "optimized out".
 	    else if (locs == 1)
-	      print_expr_block (&attrval, exprval, exprval_len, addr);
+	      print_expr_block (&attrval, exprval, exprval_len, addr, depth);
 	    else
 	      error (EXIT_FAILURE, 0,
 		     "dwarf_getlocation_addr attrval at addr 0x%" PRIx64
@@ -498,7 +502,7 @@ print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr)
 	    if (locs == 0)
 	      printf ("<no location>"); // This means "optimized out".
 	    else if (locs == 1)
-	      print_expr_block (&attrval, exprval, exprval_len, addr);
+	      print_expr_block (&attrval, exprval, exprval_len, addr, depth);
 	    else
 	      error (EXIT_FAILURE, 0,
 		     "dwarf_getlocation_addr attrval at addr 0x%" PRIx64
@@ -527,7 +531,7 @@ print_expr (Dwarf_Attribute *attr, Dwarf_Op *expr, Dwarf_Addr addr)
 		 dwarf_errmsg (-1));
 
 	printf ("%s(%zd) ", opname, entry_len);
-	print_expr_block (attr, entry_ops, entry_len, addr);
+	print_expr_block (attr, entry_ops, entry_len, addr, depth);
       }
       break;
 
@@ -723,7 +727,7 @@ print_varlocs (Dwarf_Die *funcdie)
 	  if (entrypc == 0)
 	    printf ("XXX zero address"); // XXX bad DWARF?
 	  else
-	    print_expr_block (&fb_attr, fb_expr, fb_exprlen, entrypc);
+	    print_expr_block (&fb_attr, fb_expr, fb_exprlen, entrypc, 0);
 	  printf ("\n");
 	}
       else
@@ -736,7 +740,7 @@ print_varlocs (Dwarf_Die *funcdie)
 					    &fb_expr, &fb_exprlen)) > 0)
 	    {
 	      printf ("      (%" PRIx64 ",%" PRIx64 ") ", start, end);
-	      print_expr_block (&fb_attr, fb_expr, fb_exprlen, start);
+	      print_expr_block (&fb_attr, fb_expr, fb_exprlen, start, 0);
 	      printf ("\n");
 	    }
 
@@ -940,7 +944,7 @@ handle_attr (Dwarf_Attribute *attr, void *arg)
   if (res == 0)
     {
       printf (" ");
-      print_expr_block (attr, expr, exprlen, entrypc);
+      print_expr_block (attr, expr, exprlen, entrypc, 0);
       printf ("\n");
       printed = true;
     }
-- 
1.8.3.1