From: gdb-buildbot@sergiodj.net
To: gdb-testers@sourceware.org
Subject: [binutils-gdb] DWARF reader: Reject sections with invalid sizes
Date: Tue, 22 Oct 2019 16:25:00 -0000
Message-ID: <950b74950f6020eda38647f22e9077ac7f68ca49@gdb-build>

*** TEST RESULTS FOR COMMIT 950b74950f6020eda38647f22e9077ac7f68ca49 ***

commit 950b74950f6020eda38647f22e9077ac7f68ca49
Author:     Keith Seitz <keiths@redhat.com>
AuthorDate: Wed Oct 16 11:33:59 2019 -0700
Commit:     Keith Seitz <keiths@redhat.com>
CommitDate: Wed Oct 16 11:35:16 2019 -0700

    DWARF reader: Reject sections with invalid sizes

    This is another fuzzer bug, gdb/23567.  This time, the fuzzer has
    specifically altered the size of .debug_str:

    $ eu-readelf -S objdump
    Section Headers:
    [Nr] Name        Type      Addr              Off       Size              ES  Flags  Lk  Inf  Al
    [31] .debug_str  PROGBITS  0000000000000000  0057116d  ffffffffffffffff   1  MS      0    0   1

    When this file is loaded into GDB, the DWARF reader crashes attempting
    to access the string table (or it may just store a bunch of nonsense):

    [gdb-8.3-6-fc30]
    $ gdb -nx -q objdump
    BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
    Reading symbols from /path/to/objdump...
    Segmentation fault (core dumped)

    Nick has already committed a BFD patch to issue the warning seen above.

    [gdb master 6acc1a0b]
    $ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
    Reading symbols from /path/to/objdump...
    (gdb) inf func
    All defined functions:

    File ./../include/dwarf2.def:
    186:    const 8 *>(.:   ;'@B);
    747:    const 8 *(.:    ;'@B);
    701:    const 8 *D (.:  ;'@B);
    71:     const 8 *(.:    ;'@B);
    /* and more gibberish */

    Consider read_indirect_string_at_offset_from:

    static const char *
    read_indirect_string_at_offset_from (struct objfile *objfile,
                                         bfd *abfd, LONGEST str_offset,
                                         struct dwarf2_section_info *sect,
                                         const char *form_name,
                                         const char *sect_name)
    {
      dwarf2_read_section (objfile, sect);
      if (sect->buffer == NULL)
        error (_("%s used without %s section [in module %s]"),
               form_name, sect_name, bfd_get_filename (abfd));
      if (str_offset >= sect->size)
        error (_("%s pointing outside of %s section [in module %s]"),
               form_name, sect_name, bfd_get_filename (abfd));
      gdb_assert (HOST_CHAR_BIT == 8);
      if (sect->buffer[str_offset] == '\0')
        return NULL;
      return (const char *) (sect->buffer + str_offset);
    }

    With sect_size being ginormous, the code attempts to access
    sect->buffer[GINORMOUS], and depending on the layout of memory, GDB
    either stores a bunch of gibberish strings or crashes.

    This is an attempt to mitigate this by implementing a similar approach
    used by BFD.  In our case, we simply reject the section with the
    invalid length:

    $ ./gdb -nx -q objdump
    BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
    Reading symbols from /path/to/objdump...
    warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
    DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
    (No debugging symbols found in /path/to/objdump)
    (gdb)

    Unfortunately, I have not found a way to regression test this, since
    it requires poking ELF section headers.

    gdb/ChangeLog:
    2019-10-16  Keith Seitz  <keiths@redhat.com>

        PR gdb/23567
        * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
        sections whose size is greater than the file size.

    Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
diff --git a/gdb/ChangeLog b/gdb/ChangeLog index 6de9f3d01f..d11dbfbfcf 100644 --- a/gdb/ChangeLog +++ b/gdb/ChangeLog @@ -1,3 +1,9 @@ +2019-10-16 Keith Seitz <keiths@redhat.com> + + PR gdb/23567 + * dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard + sections whose size is greater than the file size. + 2019-10-16 Jim Wilson <jimw@sifive.com> * riscv-tdep.c (riscv_gcc_target_options): New. diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c index 0443b55d89..a78f818e0e 100644 --- a/gdb/dwarf2read.c +++ b/gdb/dwarf2read.c @@ -2338,6 +2338,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp, if ((aflag & SEC_HAS_CONTENTS) == 0) { } + else if (elf_section_data (sectp)->this_hdr.sh_size + > bfd_get_file_size (abfd)) + { + bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size; + warning (_("Discarding section %s which has a section size (%s" + ") larger than the file size [in module %s]"), + bfd_section_name (sectp), phex_nz (size, sizeof (size)), + bfd_get_filename (abfd)); + } else if (section_is_p (sectp->name, &names.info)) { this->info.s.section = sectp;
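Review bot: in the dwarf2read.c hunk, the new `else if` dereferences `elf_section_data (sectp)->this_hdr.sh_size` for every section with SEC_HAS_CONTENTS, yet locate_sections receives a generic `bfd *abfd` / `asection *sectp`; that accessor is only meaningful for ELF BFDs, so either guard the branch with `bfd_get_flavour (abfd) == bfd_target_elf_flavour` or compare the format-neutral `bfd_section_size (sectp)` against `bfd_get_file_size (abfd)` instead. The comparison also looks only at the size, not at where the section starts: a header whose sh_offset + sh_size runs past the end of the file (or wraps around) still passes, so consider rejecting `sh_offset > file_size || sh_size > file_size - sh_offset` as well, which covers the ffffffffffffffff case from the commit message and the overflow case in one test.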
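As an added illustration of the bounds checks this commit is about (my own example, not GDB's code and not part of this patch): a .debug_str lookup that first rejects a section header whose offset plus size does not fit inside the file, then rejects a DW_FORM_strp offset that is out of range or whose string is not NUL-terminated inside the section. The file image, section offset and size, and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an object file: 64 bytes, with a .debug_str
   payload at offset 16 holding "main\0foo\0bar".  The final "bar" has no
   terminator before the section ends at byte 28 (bytes beyond are zero).  */
#define FILE_SIZE 64u
static const unsigned char file_image[FILE_SIZE] = {
  [16] = 'm', 'a', 'i', 'n', '\0', 'f', 'o', 'o', '\0', 'b', 'a', 'r'
};
#define STR_SH_OFFSET 16u
#define STR_SH_SIZE   12u

/* Same idea as the sh_size > file size test the patch adds, extended to the
   section's offset: the header is sane only if offset + size lies inside
   the file, written so that a huge sh_size cannot wrap the addition.  */
static int
section_fits_file (uint64_t sh_offset, uint64_t sh_size, uint64_t file_size)
{
  if (sh_offset > file_size || sh_size > file_size)
    return 0;
  return sh_size <= file_size - sh_offset;
}

/* Resolve a DW_FORM_strp offset.  Returns a pointer to a string that is
   guaranteed NUL-terminated inside the section, or NULL when the header is
   corrupt, the offset is out of range, or the string would run past the
   end of the section (the overrun behind the crash in the commit message).  */
static const char *
read_debug_str (const unsigned char *image, uint64_t file_size,
                uint64_t sh_offset, uint64_t sh_size, uint64_t str_offset)
{
  if (!section_fits_file (sh_offset, sh_size, file_size))
    return NULL;                      /* discard the section, as GDB now does */
  if (str_offset >= sh_size)
    return NULL;                      /* "pointing outside of .debug_str" */
  const unsigned char *start = image + sh_offset + str_offset;
  size_t room = (size_t) (sh_size - str_offset);
  if (memchr (start, '\0', room) == NULL)
    return NULL;                      /* unterminated: reading on would overrun */
  return (const char *) start;
}

/* Convenience wrapper over the constructed image.  */
static const char *
lookup (uint64_t sh_size, uint64_t str_offset)
{
  return read_debug_str (file_image, FILE_SIZE, STR_SH_OFFSET, sh_size, str_offset);
}
```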