From: Jan Kratochvil <jan.kratochvil@redhat.com>
To: Tom Tromey <tromey@redhat.com>
Cc: gdb-patches@sourceware.org, Richard Guenther <rguenther@suse.de>
Subject: Re: [patch] Fix find_separate_debug_file buffer overrun [Re: gdb crash during read of separate debuginfo]
Date: Mon, 03 Aug 2009 17:13:00 -0000 [thread overview]
Message-ID: <20090803171310.GA14029@host0.dyn.jankratochvil.net> (raw)
In-Reply-To: <m3y6q0luad.fsf@fleche.redhat.com>
On Mon, 03 Aug 2009 18:46:34 +0200, Tom Tromey wrote:
> Jan> 2009-08-02 Richard Guenther <rguenther@suse.de>
> Jan> Jan Kratochvil <jan.kratochvil@redhat.com>
> Jan> Fix memory corruption on reread of file through a symbolic link.
> Jan> * symfile.c (find_separate_debug_file): Initialize CANON_NAME earlier.
> Jan> Allocate DEBUGFILE with length based on CANON_NAME. Free CANON_NAME on
> Jan> all the return paths.
>
> This looks good to me.
> Ok.
Checked-in:
http://sourceware.org/ml/gdb-cvs/2009-08/msg00009.html
> Jan> I do not push much to get the testcase accepted.
>
> Is there something in particular you think is wrong with it? It looks
> ok to me, but your comment makes me wonder what subtlety I missed.
Function under the test is: find_separate_debug_file
Calling paths to find_separate_debug_file are only:
reread_symbols -> reread_separate_symbols -> find_separate_debug_file
- It should get sooner or later dropped by
Re: [patch] Replace reread_symbols by load+free calls
http://sourceware.org/ml/gdb-patches/2009-06/msg00696.html
or some similiar patch which is IMO inevitable.
- This path is currently exploited by the testcase.
symbol_file_add -> symbol_file_add_from_bfd
- Not exploitable as:
symbol_file_add -> symfile_bfd_open -> openp -> xfullpath
so that objfile->name has already expanded any symbolic links.
symbol_file_add_from_bfd -> symbol_file_add_with_addrs_or_offsets -> find_separate_debug_file
- Exploitable caller may be symbol_add_stub through solib_add, I will
check it later more.
The testcase was written before I found out it is not easily exploitable.
Only now found the last option. Therefore not checking it now in.
Thanks,
Jan
prev parent reply other threads:[~2009-08-03 17:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.LNX.2.00.0908021137300.16347@zhemvz.fhfr.qr>
2009-08-02 21:11 ` Jan Kratochvil
2009-08-03 16:46 ` Tom Tromey
2009-08-03 17:13 ` Jan Kratochvil [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090803171310.GA14029@host0.dyn.jankratochvil.net \
--to=jan.kratochvil@redhat.com \
--cc=gdb-patches@sourceware.org \
--cc=rguenther@suse.de \
--cc=tromey@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox