7a3cc45945
Signed-off-by: chenhaixiang <chenhaixiang3@huawei.com> (cherry picked from commit 9be8d5d63973a31419c86f81ea25a6df9825756b)
145 lines
4.9 KiB
Diff
145 lines
4.9 KiB
Diff
From 950b74950f6020eda38647f22e9077ac7f68ca49 Mon Sep 17 00:00:00 2001
|
||
From: Keith Seitz <keiths@redhat.com>
|
||
Date: Wed, 16 Oct 2019 11:33:59 -0700
|
||
Subject: [PATCH] DWARF reader: Reject sections with invalid sizes
|
||
MIME-Version: 1.0
|
||
Content-Type: text/plain; charset=UTF-8
|
||
Content-Transfer-Encoding: 8bit
|
||
|
||
This is another fuzzer bug, gdb/23567. This time, the fuzzer has
|
||
specifically altered the size of .debug_str:
|
||
|
||
$ eu-readelf -S objdump
|
||
Section Headers:
|
||
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
|
||
[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1
|
||
|
||
When this file is loaded into GDB, the DWARF reader crashes attempting
|
||
to access the string table (or it may just store a bunch of nonsense):
|
||
|
||
[gdb-8.3-6-fc30]
|
||
$ gdb -nx -q objdump
|
||
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
|
||
Reading symbols from /path/to/objdump...
|
||
Segmentation fault (core dumped)
|
||
|
||
Nick has already committed a BFD patch to issue the warning seen above.
|
||
|
||
[gdb master 6acc1a0b]
|
||
$ gdb -BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
|
||
Reading symbols from /path/to/objdump...
|
||
(gdb) inf func
|
||
All defined functions:
|
||
|
||
File ./../include/dwarf2.def:
|
||
186: const
|
||
|
||
8 *>(.:
|
||
;'@<40>B);
|
||
747: const
|
||
|
||
8 *<2A>(.:
|
||
;'@<40>B);
|
||
701: const
|
||
|
||
8 *<2A>D <20>
|
||
(.:
|
||
;'@<40>B);
|
||
71: const
|
||
|
||
8 *(.:
|
||
;'@<40>B);
|
||
/* and more gibberish */
|
||
|
||
Consider read_indirect_string_at_offset_from:
|
||
|
||
static const char *
|
||
read_indirect_string_at_offset_from (struct objfile *objfile,
|
||
bfd *abfd, LONGEST str_offset,
|
||
struct dwarf2_section_info *sect,
|
||
const char *form_name,
|
||
const char *sect_name)
|
||
{
|
||
dwarf2_read_section (objfile, sect);
|
||
if (sect->buffer == NULL)
|
||
error (_("%s used without %s section [in module %s]"),
|
||
form_name, sect_name, bfd_get_filename (abfd));
|
||
if (str_offset >= sect->size)
|
||
error (_("%s pointing outside of %s section [in module %s]"),
|
||
form_name, sect_name, bfd_get_filename (abfd));
|
||
gdb_assert (HOST_CHAR_BIT == 8);
|
||
if (sect->buffer[str_offset] == '\0')
|
||
return NULL;
|
||
return (const char *) (sect->buffer + str_offset);
|
||
}
|
||
|
||
With sect_size being ginormous, the code attempts to access
|
||
sect->buffer[GINORMOUS], and depending on the layout of memory,
|
||
GDB either stores a bunch of gibberish strings or crashes.
|
||
|
||
This is an attempt to mitigate this by implementing a similar approach
|
||
used by BFD. In our case, we simply reject the section with the invalid
|
||
length:
|
||
|
||
$ ./gdb -nx -q objdump
|
||
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
|
||
Reading symbols from /path/to/objdump...
|
||
|
||
warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
|
||
DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
|
||
(No debugging symbols found in /path/to/objdump)
|
||
(gdb)
|
||
|
||
Unfortunately, I have not found a way to regression test this, since it
|
||
requires poking ELF section headers.
|
||
|
||
gdb/ChangeLog:
|
||
2019-10-16 Keith Seitz <keiths@redhat.com>
|
||
|
||
PR gdb/23567
|
||
* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
|
||
sections whose size is greater than the file size.
|
||
|
||
Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
|
||
|
||
Conflict:1.remove changelog; 2.patch context adaptation;
|
||
3.use sectp->name replace bfd_section_name (sectp);use abfd->filename replace bfd_get_filename.
|
||
Reference:https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49
|
||
|
||
---
|
||
gdb-7.6.patch | 18 ++++++++++++++++++
|
||
1 file changed, 18 insertions(+)
|
||
|
||
diff --git a/gdb-7.6.patch b/gdb-7.6.patch
|
||
index b29ccc9..0989724 100644
|
||
--- a/gdb-7.6.patch
|
||
+++ b/gdb-7.6.patch
|
||
@@ -65,6 +65,24 @@ exit 0
|
||
|
||
/*
|
||
FUNCTION
|
||
+--- gdb-7.6/gdb/dwarf2read.c
|
||
++++ gdb-7.6/gdb/dwarf2read.c
|
||
+@@ -1822,6 +1822,15 @@ dwarf2_locate_sections (bfd *abfd, asection *sectp, void *vnames)
|
||
+ if ((aflag & SEC_HAS_CONTENTS) == 0)
|
||
+ {
|
||
+ }
|
||
++ else if (elf_section_data (sectp)->this_hdr.sh_size
|
||
++ > bfd_get_file_size (abfd))
|
||
++ {
|
||
++ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
|
||
++ warning (_("Discarding section %s which has a section size (%s"
|
||
++ ") larger than the file size [in module %s]"),
|
||
++ sectp->name, phex_nz (size, sizeof (size)),
|
||
++ abfd->filename);
|
||
++ }
|
||
+ else if (section_is_p (sectp->name, &names->info))
|
||
+ {
|
||
+ dwarf2_per_objfile->info.asection = sectp;
|
||
--- gdb-7.6/libiberty/Makefile.in.orig
|
||
+++ gdb-7.6/libiberty/Makefile.in
|
||
@@ -175,6 +175,7 @@ REQUIRED_OFILES = \
|
||
--
|
||
2.27.0
|
||
|