From FEDORA_PATCHES Mon Sep 17 00:00:00 2001
From: Keith Seitz <keiths@redhat.com>
Date: Thu, 17 Oct 2019 09:44:15 -0700
Subject: gdb-rhbz1742099-reject-sections-with-invalid-sizes.patch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
;; Prevent buffer overflow with sections with invalid sizes.
;; Keith Seitz, RH BZ 1740299.
DWARF reader: Reject sections with invalid sizes
This is another fuzzer bug, gdb/23567. This time, the fuzzer has
specifically altered the size of .debug_str:
$ eu-readelf -S objdump
Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
[31] .debug_str PROGBITS 0000000000000000 0057116d ffffffffffffffff 1 MS 0 0 1
When this file is loaded into GDB, the DWARF reader crashes attempting
to access the string table (or it may just store a bunch of nonsense):
[gdb-8.3-6-fc30]
$ gdb -nx -q objdump
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
Reading symbols from /path/to/objdump...
Segmentation fault (core dumped)
Nick has already committed a BFD patch to issue the warning seen above.
[gdb master 6acc1a0b]
$ gdb -nx -q objdump
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
Reading symbols from /path/to/objdump...
(gdb) inf func
All defined functions:
File ./../include/dwarf2.def:
186: const
8 *>(.:
;'@�B);
747: const
8 *�(.:
;'@�B);
701: const
8 *�D �
(.:
;'@�B);
71: const
8 *(.:
;'@�B);
/* and more gibberish */
Consider read_indirect_string_at_offset_from:
static const char *
read_indirect_string_at_offset_from (struct objfile *objfile,
bfd *abfd, LONGEST str_offset,
struct dwarf2_section_info *sect,
const char *form_name,
const char *sect_name)
{
dwarf2_read_section (objfile, sect);
if (sect->buffer == NULL)
error (_("%s used without %s section [in module %s]"),
form_name, sect_name, bfd_get_filename (abfd));
if (str_offset >= sect->size)
error (_("%s pointing outside of %s section [in module %s]"),
form_name, sect_name, bfd_get_filename (abfd));
gdb_assert (HOST_CHAR_BIT == 8);
if (sect->buffer[str_offset] == '\0')
return NULL;
return (const char *) (sect->buffer + str_offset);
}
With sect_size being ginormous, the code attempts to access
sect->buffer[GINORMOUS], and depending on the layout of memory,
GDB either stores a bunch of gibberish strings or crashes.
This is an attempt to mitigate this by implementing a similar approach
used by BFD. In our case, we simply reject the section with the invalid
length:
$ ./gdb -nx -q objdump
BFD: warning: /path/to/objdump has a corrupt section with a size (ffffffffffffffff) larger than the file size
Reading symbols from /path/to/objdump...
warning: Discarding section .debug_str which has a section size (ffffffffffffffff) larger than the file size [in module /path/to/objdump]
DW_FORM_strp used without .debug_str section [in module /path/to/objdump]
(No debugging symbols found in /path/to/objdump)
(gdb)
Unfortunately, I have not found a way to regression test this, since it
requires poking ELF section headers.
gdb/ChangeLog:
2019-10-16 Keith Seitz <keiths@redhat.com>
PR gdb/23567
* dwarf2read.c (dwarf2_per_objfile::locate_sections): Discard
sections whose size is greater than the file size.
Change-Id: I896ac3b4eb2207c54e8e05c16beab3051d9b4b2f
diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
|
|
|
18de6f |
--- a/gdb/dwarf2read.c
|
|
|
18de6f |
+++ b/gdb/dwarf2read.c
|
|
|
18de6f |
@@ -2335,6 +2335,15 @@ dwarf2_per_objfile::locate_sections (bfd *abfd, asection *sectp,
|
|
|
18de6f |
if ((aflag & SEC_HAS_CONTENTS) == 0)
|
|
|
18de6f |
{
|
|
|
18de6f |
}
|
|
|
18de6f |
+ else if (elf_section_data (sectp)->this_hdr.sh_size
|
|
|
18de6f |
+ > bfd_get_file_size (abfd))
|
|
|
18de6f |
+ {
|
|
|
18de6f |
+ bfd_size_type size = elf_section_data (sectp)->this_hdr.sh_size;
|
|
|
18de6f |
+ warning (_("Discarding section %s which has a section size (%s"
|
|
|
18de6f |
+ ") larger than the file size [in module %s]"),
|
|
|
18de6f |
+ bfd_section_name (abfd, sectp), phex_nz (size, sizeof (size)),
|
|
|
18de6f |
+ bfd_get_filename (abfd));
|
|
|
18de6f |
+ }
|
|
|
18de6f |
else if (section_is_p (sectp->name, &names.info))
|
|
|
18de6f |
{
|
|
|
18de6f |
this->info.s.section = sectp;
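Review bot: The new else-if calls `elf_section_data (sectp)` (and again when `size` is initialized), which reinterprets `sectp->used_by_bfd` as `struct bfd_elf_section_data`, yet `locate_sections` takes a generic `bfd *abfd` and nothing in the hunk restricts it to ELF objfiles; if this path is ever reached for a PE, Mach-O or other non-ELF object, that read is type confusion on attacker-controlled file data and can crash or feed garbage into the comparison—the same class of out-of-bounds read this patch is meant to close. Guard the check on the flavour, `else if (bfd_get_flavour (abfd) == bfd_target_elf_flavour && elf_section_data (sectp)->this_hdr.sh_size > bfd_get_file_size (abfd))`, or compare the generic `bfd_section_size (sectp)` instead (bearing in mind that for compressed debug sections BFD may report the decompressed size, which can legitimately exceed the file size—presumably why the raw `sh_size` was chosen here). The header size is also read twice (once in the condition and once for `size`); a single read would keep the warning and the check from diverging. The enclosing function `locate_sections` begins before the hunk.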
|