From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 03 Aug 2009 17:13:00 -0000
From: Jan Kratochvil
To: Tom Tromey
Cc: gdb-patches@sourceware.org, Richard Guenther
Subject: Re: [patch] Fix find_separate_debug_file buffer overrun [Re: gdb crash during read of separate debuginfo]
Message-ID: <20090803171310.GA14029@host0.dyn.jankratochvil.net>
References: <20090802211036.GA28064@host0.dyn.jankratochvil.net>
X-SW-Source: 2009-08/txt/msg00028.txt.bz2

On Mon, 03 Aug 2009 18:46:34 +0200, Tom Tromey wrote:
> Jan> 2009-08-02  Richard Guenther
> Jan>             Jan Kratochvil
> Jan>
> Jan>     Fix memory corruption on reread of file through a symbolic link.
> Jan>     * symfile.c (find_separate_debug_file): Initialize CANON_NAME earlier.
> Jan>     Allocate DEBUGFILE with length based on CANON_NAME.  Free CANON_NAME on
> Jan>     all the return paths.
>
> This looks good to me.

Ok. Checked-in:
http://sourceware.org/ml/gdb-cvs/2009-08/msg00009.html

> Jan> I do not push much to get the testcase accepted.
>
> Is there something in particular you think is wrong with it?  It looks
> ok to me, but your comment makes me wonder what subtlety I missed.

Function under the test is: find_separate_debug_file

Calling paths to find_separate_debug_file are only:

reread_symbols -> reread_separate_symbols -> find_separate_debug_file
- It should get sooner or later dropped by
  Re: [patch] Replace reread_symbols by load+free calls
  http://sourceware.org/ml/gdb-patches/2009-06/msg00696.html
  or some similar patch which is IMO inevitable.
- This path is currently exploited by the testcase.

symbol_file_add -> symbol_file_add_from_bfd
- Not exploitable as:
  symbol_file_add -> symfile_bfd_open -> openp -> xfullpath
  so that objfile->name has already expanded any symbolic links.

symbol_file_add_from_bfd -> symbol_file_add_with_addrs_or_offsets -> find_separate_debug_file
- Exploitable caller may be symbol_add_stub through solib_add, I will check it
  later more.

The testcase was written before I found out it is not easily exploitable.
Only now found the last option.  Therefore not checking it now in.

Thanks,
Jan
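Added illustration, not GDB's code and not part of this thread: the bug class the ChangeLog above describes (a buffer sized from the directory name GDB was given, then filled with the symlink-resolved name, which can be longer) shown as a constructed comparison, with the fixed sizing beside it. The function names `would_overrun` and `build_debug_path`, the path layout `<debug_file_directory><canon_dir>/.debug/<basename>`, and the sample paths are assumptions made for the example; GDB's real `find_separate_debug_file` differs in detail, and no symlink resolution is performed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GDB's separate-debug subdirectory name. */
#define DEBUG_SUBDIRECTORY ".debug"

/* Size a caller reserves when it measures the *unresolved* directory
   (`dir`, as handed to GDB) for a path that will later be built from the
   *resolved* directory.  This mirrors the pre-fix sizing mistake. */
static size_t
sized_on_unresolved_dir (const char *debug_file_directory, const char *dir,
                         const char *basename)
{
  return strlen (debug_file_directory) + strlen (dir) + 1
         + strlen (DEBUG_SUBDIRECTORY) + 1 + strlen (basename) + 1;
}

/* Bytes actually required for
   "<debug_file_directory><canon_dir>/.debug/<basename>" plus the NUL. */
static size_t
bytes_needed (const char *debug_file_directory, const char *canon_dir,
              const char *basename)
{
  return strlen (debug_file_directory) + strlen (canon_dir) + 1
         + strlen (DEBUG_SUBDIRECTORY) + 1 + strlen (basename) + 1;
}

/* Returns 1 when the old sizing is too small for the resolved path, i.e.
   when a symlink resolved to a longer directory than the one given.
   Hypothetical helper; it only compares sizes and never writes past a
   buffer. */
int
would_overrun (const char *debug_file_directory, const char *dir,
               const char *canon_dir, const char *basename)
{
  return bytes_needed (debug_file_directory, canon_dir, basename)
         > sized_on_unresolved_dir (debug_file_directory, dir, basename);
}

/* Fixed variant: allocate from the canonical directory name and build
   the path with a bounded snprintf, so a longer resolved name can never
   exceed the buffer.  Returns NULL on allocation failure or truncation;
   the caller frees the result. */
char *
build_debug_path (const char *debug_file_directory, const char *canon_dir,
                  const char *basename)
{
  size_t len = bytes_needed (debug_file_directory, canon_dir, basename);
  char *debugfile = malloc (len);
  if (debugfile == NULL)
    return NULL;
  int n = snprintf (debugfile, len, "%s%s/%s/%s", debug_file_directory,
                    canon_dir, DEBUG_SUBDIRECTORY, basename);
  if (n < 0 || (size_t) n >= len)
    {
      free (debugfile);
      return NULL;
    }
  return debugfile;
}

int
main (void)
{
  /* Constructed sample: a short symlink directory that resolves to a
     longer real directory. */
  const char *dfd = "/usr/lib/debug";
  const char *dir = "/lib";
  const char *canon = "/usr/lib/x86_64-linux-gnu";
  const char *base = "libc.so.6";

  printf ("old sizing would overrun: %s\n",
          would_overrun (dfd, dir, canon, base) ? "yes" : "no");
  char *p = build_debug_path (dfd, canon, base);
  if (p != NULL)
    {
      printf ("debug path: %s\n", p);
      free (p);
    }
  return 0;
}
```

The check in `would_overrun` is the property the original sizing violated: the reserved length depended on `dir`, while the bytes written depended on `canon_dir`. Sizing from the canonical name, as the committed fix does, removes the mismatch regardless of how long the symlink target turns out to be.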