From: Felix Willgerodt
To: gdb-patches@sourceware.org
Subject: [PATCH 1/1] gdb: Fix segfault with a negative .dynamic section size
Date: Fri, 10 Nov 2023 10:16:27 +0100
Message-Id: <20231110091627.2139626-1-felix.willgerodt@intel.com>

Consider a binary with an erroneous size of the .dynamic section:

$ readelf a.out
...
  [24] .dynamic DYNAMIC 0000000000004c20 00003c20 000000fffffffa40 0000000000000010 WA 7 0 8
...

This binary causes a segfault in GDB, because we pass a negative value to
alloca in gdb_bfd_scan_elf_dyntag. Alloca accepts size_t though, so it is
really a big size that we pass.

I changed the code to heap allocation, as the size of the .dynamic section
could be "too big" in a correct binary as well. That way GDB will assert
on a negative size value.

There should be no user visible change after this.
--- gdb/solib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gdb/solib.c b/gdb/solib.c index b9fb911a810..45a5309d199 100644 --- a/gdb/solib.c +++ b/gdb/solib.c 
@@ -1546,7 +1546,8 @@ gdb_bfd_scan_elf_dyntag (const int desired_dyntag, bfd *abfd, CORE_ADDR *ptr, /* Read in .dynamic from the BFD. We will get the actual value from memory later. */ sect_size = bfd_section_size (sect); - buf = bufstart = (gdb_byte *) alloca (sect_size); + gdb::byte_vector buffer (sect_size); + buf = bufstart = buffer.data (); if (!bfd_get_section_contents (abfd, sect, buf, 0, sect_size)) return 0; -- 2.34.1
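Review bot: `sect_size` still goes unchecked from `bfd_section_size (sect)` into the allocation at `gdb::byte_vector buffer (sect_size);`, so the 0xfffffffa40 section size from the commit message becomes a heap request of roughly 1 TiB, and the outcome depends on how the allocator fails rather than on a deliberate check. Consider validating the size before allocating, for example rejecting a section size larger than the file itself (BFD offers bfd_get_file_size for that comparison) and taking the same `return 0;` path that the failed `bfd_get_section_contents` call already uses, so a malformed ELF is treated as "no dynamic tag found" instead of aborting the session. The commit message says GDB "will assert on a negative size value", but no assertion is visible in this hunk; if that behaviour comes from the vector or allocator, a short comment here saying so would help the next reader. The diffstat lists only gdb/solib.c, so a regression test with a crafted .dynamic size would be worth adding alongside the fix.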