Re: out-of-bounds read / crash in elfutils tools (readelf, nm, ...) with malformed file

[Petr Machata <pmachata@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 3353 bytes --]

Hanno Böck <hanno@hboeck.de> writes:

> I can't build elfutils git head with -m32 right now at all (likely
> another bug? was possible a few days ago), so I can't test, but we can
> probably assume that it was due to the systemwide libs it used.

That would be my fault.  Is the following fix acceptable?

Subject: [PATCH] Fix compilation on x86

GCC finds two problems when compiling in 32-bit mode.

- First, the function __libdw_getsrclines is marked as internal only
  in the header, not in the C file, and in 32-bit mode, this is
  actually reported as a change in prototype.

- Second, address size is passed as a four-byte unsigned quantity, and
  GCC can't prove that it's safe to compare it with a four-byte signed
  quantity that is the result of pointer subtraction.  This is not a
  problem in 64-bit mode, where the 4-byte unsigned quantity can be
  losslessly converted to an 8-byte signed pointer difference.  But
  passing address size in a 4-byte type is overly generous, so revert
  back to uint8_t, like what CU's actually store.

Signed-off-by: Petr Machata <pmachata@redhat.com>
---
 libdw/ChangeLog           | 7 +++++++
 libdw/dwarf_getsrclines.c | 6 +++---
 libdw/libdwP.h            | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/libdw/ChangeLog b/libdw/ChangeLog
index d5796e8..0752566 100644
--- a/libdw/ChangeLog
+++ b/libdw/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-11  Petr Machata  <pmachata@redhat.com>
+
+	* libdwP.h (__libdw_getsrclines): Pass address_size as uint8_t.
+	* dwarf_getsrclines.c (read_srclines): Likewise.
+	(__libdw_getsrclines): Likewise.  Also mark function as internal
+	here as well.
+
 2014-09-10  Petr Machata  <pmachata@redhat.com>
 
 	* dwarf_macro_getparamcnt.c: New file.
diff --git a/libdw/dwarf_getsrclines.c b/libdw/dwarf_getsrclines.c
index 4bb19c2..959c460 100644
--- a/libdw/dwarf_getsrclines.c
+++ b/libdw/dwarf_getsrclines.c
@@ -70,7 +70,7 @@ compare_lines (const void *a, const void *b)
 static int
 read_srclines (Dwarf *dbg,
 	       const unsigned char *linep, const unsigned char *lineendp,
-	       const char *comp_dir, unsigned address_size,
+	       const char *comp_dir, uint8_t address_size,
 	       Dwarf_Lines **linesp, Dwarf_Files **filesp)
 {
   int res = -1;
@@ -729,9 +729,9 @@ files_lines_compare (const void *p1, const void *p2)
   return 0;
 }
 
-int
+internal_function int
 __libdw_getsrclines (Dwarf *dbg, Dwarf_Off debug_line_offset,
-		     const char *comp_dir, unsigned address_size,
+		     const char *comp_dir, uint8_t address_size,
 		     Dwarf_Lines **linesp, Dwarf_Files **filesp)
 {
   struct files_lines_s fake = { .debug_line_offset = debug_line_offset };
diff --git a/libdw/libdwP.h b/libdw/libdwP.h
index 5ccb13c..d798737 100644
--- a/libdw/libdwP.h
+++ b/libdw/libdwP.h
@@ -716,7 +716,7 @@ void __libdw_empty_loc_attr (Dwarf_Attribute *attr, struct Dwarf_CU *cu)
    NULL) with loaded information.  Returns 0 for success or a negative
    value for failure.  */
 int __libdw_getsrclines (Dwarf *dbg, Dwarf_Off debug_line_offset,
-			 const char *comp_dir, unsigned address_size,
+			 const char *comp_dir, uint8_t address_size,
 			 Dwarf_Lines **linesp, Dwarf_Files **filesp)
   internal_function
   __nonnull_attribute__ (1);
-- 
2.1.0