From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 12066 invoked by alias); 19 Nov 2012 01:15:15 -0000 Received: (qmail 12046 invoked by uid 48); 19 Nov 2012 01:15:14 -0000 From: "alejandro.hernandez at ioactive dot co.uk" To: gdb-prs@sourceware.org Subject: [Bug symtab/14855] New: GDB crashes when processing DWARF information [dwarf2read.c] (malformed file_entry structure) Date: Mon, 19 Nov 2012 01:15:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gdb X-Bugzilla-Component: symtab X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: alejandro.hernandez at ioactive dot co.uk X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: Message-ID: X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 Mailing-List: contact gdb-prs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: gdb-prs-owner@sourceware.org X-SW-Source: 2012-q4/txt/msg00265.txt.bz2 http://sourceware.org/bugzilla/show_bug.cgi?id=14855 Bug #: 14855 Summary: GDB crashes when processing DWARF information [dwarf2read.c] (malformed file_entry structure) Product: gdb Version: 7.5 Status: NEW Severity: normal Priority: P2 Component: symtab AssignedTo: unassigned@sourceware.org ReportedBy: alejandro.hernandez@ioactive.co.uk Classification: Unclassified I was creating malformed ELF executables with my Frixyon fuzzer (an ELF file format fuzzer still in development) and I found a vulnerability in the DWARF information parsing which makes gdb unable to load an ELF executable for debugging due to a NULL pointer dereference. Evidently, it could be used to patch malicious executables (e.g. rootkits, 0day exploits, malware, etc.) not to allow to be analyzed by gdb. I reproduced this flaw in the latest stable version (7.5) and the latest snapshot (18-nov-12). In gdb-7.5/gdb/dwarf2read.c is the following data structure: struct line_header { ... unsigned int num_include_dirs, include_dirs_size; char **include_dirs; ... struct file_entry { char *name; unsigned int dir_index; unsigned int mod_time; unsigned int length; int included_p; /* Non-zero if referenced by the Line Number Program. */ struct symtab *symtab; /* The associated symbol table, if any. */ } *file_names; } The problem exists when trying to open a malformed ELF that contains a file_entry.dir_index > 0 and char **include_dirs pointing to NULL. The following lines illustrate this concept: nitr0us@chatsubo:~$ gcc foo.c -o foo -ggdb nitr0us@chatsubo:~$ ./foo It could be a malicious program }:) nitr0us@chatsubo:~$ objdump -s -j .debug_line ./foo ./foo: file format elf32-i386 Contents of section .debug_line: 0000 32000000 02001c00 00000101 fb0e0d00 2............... 0010 01010101 00000001 00000100 666f6f2e ............foo. 0020 63000000 00000005 02d48304 081591bc c............... 0030 59020200 0101 Y..... The byte after "foo.c\00" corresponds to dir_index, so changing it to another value, for example, 0x0F, gdb crashes: nitr0us@chatsubo:~$ objdump -s -j .debug_line ./dwarf_gdb_dir_index0F ./dwarf_gdb_dir_index0F: file format elf32-i386 Contents of section .debug_line: 0000 32000000 02001c00 00000101 fb0e0d00 2............... 0010 01010101 00000001 00000100 666f6f2e ............foo. 0020 63000f00 00000005 02d48304 081591bc c............... 0030 59020200 0101 Y..... Now, debugging gdb trying to open that malformed file: nitr0us@chatsubo:~$ gdb -q gdb-7.5/gdb/gdb Reading symbols from /home/nitr0us/gdb-7.5/gdb/gdb...done. (gdb) r -q ./dwarf_gdb_dir_index0F Starting program: /home/nitr0us/gdb-7.5/gdb/gdb -q ./dwarf_gdb_dir_index0F Reading symbols from /home/nitr0us/dwarf_gdb_dir_index0F... Program received signal SIGSEGV, Segmentation fault. 0x081e87bd in psymtab_include_file_name (lh=0x8594420, file_index=0, pst=0x8583650, comp_dir=0x858362c "/home/nitr0us") at dwarf2read.c:13970 13970 dir_name = lh->include_dirs[fe.dir_index - 1]; (gdb) p/x fe $1 = {name = 0x8583718, dir_index = 0xf, mod_time = 0x0, length = 0x0, included_p = 0x1, symtab = 0x0} (gdb) p lh->include_dirs $2 = (char **) 0x0 (gdb) x/i $eip => 0x81e87bd : mov (%eax),%eax (gdb) i r $eax eax 0x38 56 The root cause of the problem is that there's no validation in the line 13970 of gdb-7.5/gdb/dwarf2read.c to verify if include_dirs is different from NULL before referencing it: if (fe.dir_index) dir_name = lh->include_dirs[fe.dir_index - 1]; This same problem exists in different points of the code: Line 7777 setup_type_unit_groups() Line 14085 dwarf_decode_lines_1() Line 14265 dwarf_decode_lines_1() Line 14395 dwarf_decode_lines() Line 16778 file_full_name() Best Regards ! -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.