From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 818F53858D28 for ; Tue, 22 Aug 2023 15:23:38 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 818F53858D28 Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1692717818; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3b3sY4pzQE2YYBW94fDso5eM/Bt5e5ySSH4A0a4H0Hc=; b=eHYEDvLC2scIF4l3lMsmDsOJ3qzLPALhdAumYgh6ZR1GPEtSqIhiHu9cG9APXXx8qDilr+ 5srI2W24kuC3WZXT/3sDJ2/pQI0BeCzPfwl4hUgaKJpPMOAw5V6ezIS5dcYLwtZavx2gXN 04Om5Ns7cpwqstSVbP3x36wmmJLp3H8= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-608-Lr-qyzvPMw-8XXLfxriifA-1; Tue, 22 Aug 2023 11:23:36 -0400 X-MC-Unique: Lr-qyzvPMw-8XXLfxriifA-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6078F8D40A9 for ; Tue, 22 Aug 2023 15:23:36 +0000 (UTC) Received: from guittard.redhat.com (unknown [10.22.32.58]) by smtp.corp.redhat.com (Postfix) with ESMTP id 25A0F140E96E for ; Tue, 22 Aug 2023 15:23:36 +0000 (UTC) From: Keith Seitz To: gdb-patches@sourceware.org Subject: [PATCH] Verify COFF symbol stringtab offset Date: Tue, 22 Aug 2023 08:23:35 -0700 Message-ID: <20230822152335.231921-1-keiths@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-Spam-Status: No, score=-11.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,GIT_PATCH_0,KAM_SHORT,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: This patch addresses an issue with malformed/fuzzed debug information that was recently reported in gdb/30639. That bug specifically deals with an ASAN issue, but the reproducer provided by the reporter causes a another failure outside of ASAN: $ ./gdb --data-directory data-directory -nx -q UAF_2 Reading symbols from /home/keiths/UAF_2... Fatal signal: Segmentation fault ----- Backtrace ----- 0x59a53a gdb_internal_backtrace_1 ../../src/gdb/bt-utils.c:122 0x59a5dd _Z22gdb_internal_backtracev ../../src/gdb/bt-utils.c:168 0x786380 handle_fatal_signal ../../src/gdb/event-top.c:889 0x7864ec handle_sigsegv ../../src/gdb/event-top.c:962 0x7ff354c5fb6f ??? 0x611f9a process_coff_symbol ../../src/gdb/coffread.c:1556 0x611025 coff_symtab_read ../../src/gdb/coffread.c:1172 0x60f8ff coff_read_minsyms ../../src/gdb/coffread.c:549 0x60fe4b coff_symfile_read ../../src/gdb/coffread.c:698 0xbde0f6 read_symbols ../../src/gdb/symfile.c:772 0xbde7a3 syms_from_objfile_1 ../../src/gdb/symfile.c:966 0xbde867 syms_from_objfile ../../src/gdb/symfile.c:983 0xbded42 symbol_file_add_with_addrs ../../src/gdb/symfile.c:1086 0xbdf083 _Z24symbol_file_add_from_bfdRKN3gdb7ref_ptrI3bfd18gdb_bfd_ref_policyEEPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaISC_EES8_I12objfile_flagEP7objfile ../../src/gdb/symfile.c:1166 0xbdf0d2 _Z15symbol_file_addPKc10enum_flagsI16symfile_add_flagEPSt6vectorI14other_sectionsSaIS5_EES1_I12objfile_flagE ../../src/gdb/symfile.c:1179 0xbdf197 symbol_file_add_main_1 ../../src/gdb/symfile.c:1203 0xbdf13e _Z20symbol_file_add_mainPKc10enum_flagsI16symfile_add_flagE ../../src/gdb/symfile.c:1194 0x90f97f symbol_file_add_main_adapter ../../src/gdb/main.c:549 0x90f895 catch_command_errors ../../src/gdb/main.c:518 0x9109b6 captured_main_1 ../../src/gdb/main.c:1203 0x910fc8 captured_main ../../src/gdb/main.c:1310 0x911067 _Z8gdb_mainP18captured_main_args ../../src/gdb/main.c:1339 0x418c71 main ../../src/gdb/gdb.c:39 --------------------- A fatal error internal to GDB has been detected, further debugging is not possible. GDB will now terminate. This is a bug, please report it. For instructions, see: . Segmentation fault (core dumped) The issue here is that the COFF offset for the fuzzed symbol's name is outside the string table. That is, the offset is greater than the actual string table size. coffread.c:getsymname actually contains a FIXME about this, and that's what I've chosen to address to fix this issue, following what is done in the DWARF reader: $ ./gdb --data-directory data-directory -nx -q UAF_2 Reading symbols from /home/keiths/UAF_2... COFF Error: string table offset (256) outside string table (length 0) (gdb) Unfortunately, I haven't any idea how else to test this patch since COFF is not very common anymore. GCC removed support for it five years ago with GCC 8. --- gdb/coffread.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/gdb/coffread.c b/gdb/coffread.c index 13610998ad7..e00f5c55e4f 100644 --- a/gdb/coffread.c +++ b/gdb/coffread.c @@ -159,6 +159,7 @@ static file_ptr linetab_offset; static file_ptr linetab_size; static char *stringtab = NULL; +static long stringtab_length = 0; extern void stabsread_clear_cache (void); @@ -1303,6 +1304,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr *stora /* This is in target format (probably not very useful, and not currently used), not host format. */ memcpy (stringtab, lengthbuf, sizeof lengthbuf); + stringtab_length = length; if (length == sizeof length) /* Empty table -- just the count. */ return 0; @@ -1322,8 +1324,9 @@ getsymname (struct internal_syment *symbol_entry) if (symbol_entry->_n._n_n._n_zeroes == 0) { - /* FIXME: Probably should be detecting corrupt symbol files by - seeing whether offset points to within the stringtab. */ + if (symbol_entry->_n._n_n._n_offset > stringtab_length) + error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"), + symbol_entry->_n._n_n._n_offset, stringtab_length); result = stringtab + symbol_entry->_n._n_n._n_offset; } else -- 2.41.0