https://sourceware.org/bugzilla/show_bug.cgi?id=24398
Mark Wielaard <mark at klomp dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
                 CC|                            |mark at klomp dot org
          Component|libdw                       |tools
         Resolution|---                         |FIXED
            Summary|An invalid address          |eu-readelf
                   |dereference problem was     |print_debug_macinfo_section
                   |discovered in the           |might read past end of CU
                   |print_debug_macinfo_section |list
                   |function __libdw_next_unit  |
                   |in libdw/dwarf_filesrc.c in |
                   |libdw                       |

--- Comment #1 from Mark Wielaard <mark at klomp dot org> ---
Under valgrind -q --track-origins=yes eu-readelf --debug-dump=macinfo POC.macinfo it shows:

==8148== Conditional jump or move depends on uninitialised value(s)
==8148==    at 0x8059AC3: print_debug_macinfo_section (readelf.c:9693)
==8148==    by 0x8056509: print_debug (readelf.c:11222)
==8148==    by 0x8058790: process_elf_file (readelf.c:998)
==8148==    by 0x805970B: process_dwflmod (readelf.c:760)
==8148==    by 0x40628B6: dwfl_getmodules (dwfl_getmodules.c:86)
==8148==    by 0x804D9C2: process_file (readelf.c:868)
==8148==    by 0x804B03F: main (readelf.c:350)
==8148==  Uninitialised value was created by a stack allocation
==8148==    at 0x8059756: print_debug_macinfo_section (readelf.c:9565)
==8148==

That is this code:

	  /* Find the CU DIE for this file.  */
	  size_t macoff = readp - (const unsigned char *) data->d_buf;
	  const char *fname = "???";
	  if (macoff >= cus[0].offset)
	    {
	      while (macoff >= cus[1].offset && cus[1].offset != data->d_size)
		++cus;

	      if (cus[0].files == NULL
		  && dwarf_getsrcfiles (&cus[0].die, &cus[0].files, NULL) != 0)
		cus[0].files = (Dwarf_Files *) -1l;

	      if (cus[0].files != (Dwarf_Files *) -1l)
		fname = (dwarf_filesrc (cus[0].files, u128_2, NULL, NULL)
			 ?: "???");
	    }

The cus[1].offset != data->d_size makes sure we don't go past the end of the cus list. The last element of cus is the sentinel:

  /* Add sentinel.  */
  cus[nculist].offset = data->d_size;
  cus[nculist].files = (Dwarf_Files *) -1l;
  if (nculist > 0)
    {
      for (size_t cnt = nculist - 1; culist != NULL; --cnt)
	{
	  assert (cnt < nculist);
	  cus[cnt] = *culist;
	  culist = culist->next;
	}

      /* Sort the array according to the offset in the .debug_macinfo
	 section.  Note we keep the sentinel at the end.  */
      qsort (cus, nculist, sizeof (*cus), mac_compare);
    }

The issue here is that there are no cus at all, so cus[0] is the sentinel. But that is not checked.

Fixed by:

diff --git a/src/readelf.c b/src/readelf.c
index 33706bd..0bb9800 100644
--- a/src/readelf.c
+++ b/src/readelf.c
@@ -9688,7 +9688,7 @@ print_debug_macinfo_section (Dwfl_Module *dwflmod __attribute__ ((unused)),
 	  /* Find the CU DIE for this file.  */
 	  size_t macoff = readp - (const unsigned char *) data->d_buf;
 	  const char *fname = "???";
-	  if (macoff >= cus[0].offset)
+	  if (macoff >= cus[0].offset && cus[0].offset != data->d_size)
 	    {
 	      while (macoff >= cus[1].offset && cus[1].offset != data->d_size)
 		++cus;

commit 34ff3ca2e86f8a4915500b92a8e00d6f52aa546c
Author: Mark Wielaard <m...@klomp.org>
Date:   Fri Mar 29 10:53:27 2019 +0100

    readelf: print_debug_macinfo_section, check cus[0] is not the sentinel.

    If there are no CUs at all we can not find any CU DIE file.

    https://sourceware.org/bugzilla/show_bug.cgi?id=24398

    Signed-off-by: Mark Wielaard <m...@klomp.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.
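Review bot: the new condition in the hunk is correct but the comment above it, "Find the CU DIE for this file.", still does not say that cus[0] is the sentinel when there are no CUs, so a reader has to recover the sentinel convention from the table setup further up; extending that comment (for example "cus[0] is the sentinel if there are no CUs at all") would document why the offset is compared against data->d_size. If nculist is still in scope at this point, an empty table could also be detected once with nculist == 0 before the entry loop rather than re-comparing cus[0].offset against data->d_size for every macinfo entry, which reads more clearly as "no CUs" than as an offset test.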
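As an added illustration of the lookup the fix guards, and not code from elfutils or from this bug report, the following reduces the CU table to its offsets and carries the sentinel check through: mac_cu, build_cu_table and find_cu are names chosen for this example, and the offsets in the comments are constructed.

```c
#include <stddef.h>
#include <stdlib.h>

/* Reduced model of the per-CU table that print_debug_macinfo_section
   builds: one entry per CU plus a sentinel whose offset is the section
   size.  Constructed for this example; the real entries also carry the
   CU DIE and its Dwarf_Files.  */
struct mac_cu
{
  size_t offset;
};

static int
mac_compare (const void *a, const void *b)
{
  const struct mac_cu *ca = a, *cb = b;
  return (ca->offset > cb->offset) - (ca->offset < cb->offset);
}

/* Fill CUS (which must have room for NCULIST + 1 entries) from OFFSETS,
   sort the real entries and append the sentinel, as the tool does.
   With NCULIST == 0 the table consists of the sentinel alone.  */
void
build_cu_table (struct mac_cu *cus, const size_t *offsets,
		size_t nculist, size_t d_size)
{
  for (size_t i = 0; i < nculist; ++i)
    cus[i].offset = offsets[i];
  cus[nculist].offset = d_size;
  if (nculist > 0)
    qsort (cus, nculist, sizeof *cus, mac_compare);
}

/* Return the index of the CU whose .debug_macinfo range covers MACOFF,
   or -1 if there is none.  The first test is the guard from the fix:
   when cus[0] is the sentinel there are no CUs, and without the second
   comparison the while loop would read cus[1], one past the table.  */
long
find_cu (const struct mac_cu *cus, size_t macoff, size_t d_size)
{
  if (!(macoff >= cus[0].offset && cus[0].offset != d_size))
    return -1;
  size_t i = 0;
  while (macoff >= cus[i + 1].offset && cus[i + 1].offset != d_size)
    ++i;
  return (long) i;
}
```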