Message-ID: <52741B5A.6090800@linaro.org>
Date: Fri, 01 Nov 2013 21:21:00 -0000
From: Will Newton
To: gdb-patches@sourceware.org
CC: Patch Tracking
Subject: [PATCH] gdb/dwarf2read.c: Sanity check DW_AT_sibling values.
X-SW-Source: 2013-11/txt/msg00023.txt.bz2

When reading objects with corrupt debug information it is possible that the sibling chain can form a loop, which leads to an infinite loop and memory exhaustion. Avoid this situation by disregarding any DW_AT_sibling values that point to a lower address than the current entry.

gdb/ChangeLog:

2013-11-01 Will Newton

	PR gdb/12866
	* dwarf2read.c (skip_one_die): Sanity check DW_AT_sibling values.
	(read_partial_die): Likewise.
---
 gdb/dwarf2read.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c index 3974d0b..d4dfd45 100644 --- a/gdb/dwarf2read.c +++ b/gdb/dwarf2read.c @@ -7016,7 +7016,14 @@ skip_one_die (const struct die_reader_specs *reader, const gdb_byte *info_ptr, complaint (&symfile_complaints, _("ignoring absolute DW_AT_sibling")); else - return buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + { + const gdb_byte *sibling_ptr = buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + if (sibling_ptr < info_ptr) + complaint (&symfile_complaints, + _("DW_AT_sibling points backwards")); + else + return buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + } } /* If it isn't DW_AT_sibling, skip this attribute. */ 
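Review bot: in the skip_one_die hunk the accepted branch still returns `buffer + dwarf2_get_ref_die_offset (&attr).sect_off` although that exact value was just stored in `sibling_ptr` on the line above; make it `return sibling_ptr;` so the offset is decoded once and the block matches the read_partial_die hunk, which already assigns `sibling_ptr`. Also note that `sibling_ptr < info_ptr` only rejects references that point backwards: a corrupt DW_AT_sibling that points forward past the end of the buffer is still accepted by this check, so either the caller must already bound the returned pointer against the buffer end or an upper-bound comparison belongs next to this one.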
@@ -15134,7 +15141,14 @@ read_partial_die (const struct die_reader_specs *reader, complaint (&symfile_complaints, _("ignoring absolute DW_AT_sibling")); else - part_die->sibling = buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + { + const gdb_byte *sibling_ptr = buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + if (sibling_ptr < info_ptr) + complaint (&symfile_complaints, + _("DW_AT_sibling points backwards")); + else + part_die->sibling = sibling_ptr; + } break; case DW_AT_byte_size: part_die->has_byte_size = 1; -- 1.8.1.4
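Review bot: when the backwards check fires in read_partial_die, `part_die->sibling` is simply not assigned, so the reader falls back to whatever value the field held before (presumably the unset state that triggers linear skipping); the commit message should say that rejected siblings degrade to a linear walk rather than an error, since that is the behaviour a reader of this hunk has to infer. Style: `const gdb_byte *sibling_ptr = buffer + dwarf2_get_ref_die_offset (&attr).sect_off;` exceeds the 80-column limit in both hunks once indented; break it after the `=`. The complaint text `_("DW_AT_sibling points backwards")` and the surrounding check are now duplicated verbatim in two functions; a small helper taking `buffer`, `info_ptr` and the attribute would keep the two sites from drifting apart.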
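The commit message above describes the failure mode in one sentence: a DW_AT_sibling reference that points at or before the current entry turns the sibling chain into a cycle, and a reader that trusts it never terminates. The following C program is an added illustration, not code from the patch or from GDB, and it uses a constructed toy DIE layout (a payload-length byte, a sibling-present flag and a 4-byte little-endian offset) rather than real DWARF encoding. The names `next_die`, `walk`, `loop_buf` and `oob_buf` are hypothetical. It goes slightly beyond the patch: besides the backwards check the hunks add, it also rejects a sibling offset that lands past the end of the buffer, which the GDB hunks leave to the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy DIE layout (constructed, not DWARF):
   byte 0     payload length
   byte 1     sibling flag (1 = a 4-byte LE sibling offset follows)
   bytes 2..5 sibling offset, relative to the start of the buffer
   payload    follows the header */

enum { WALK_OK = 0, WALK_LOOP = -1, WALK_OOB = -2 };

struct walk_result {
    int status;                  /* one of WALK_* */
    unsigned dies;               /* DIEs visited */
    unsigned backwards_siblings; /* sibling refs rejected as backwards */
};

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mirrors the shape of skip_one_die: given the start of a DIE, return the
   start of the next one.  A sibling reference is honoured unless it points
   backwards (check_backwards) or outside the buffer (always rejected here,
   returning NULL, which the GDB hunks do not do themselves). */
static const uint8_t *next_die(const uint8_t *buffer, size_t len,
                               const uint8_t *die, int check_backwards,
                               unsigned *rejected)
{
    const uint8_t *end = buffer + len;
    const uint8_t *info_ptr = die;
    uint8_t payload_len = info_ptr[0];
    uint8_t has_sibling = info_ptr[1];
    info_ptr += 2;

    if (has_sibling) {
        if ((size_t)(end - info_ptr) < 4)
            return NULL;                       /* truncated header */
        uint32_t off = read_u32le(info_ptr);
        info_ptr += 4;
        if (off >= len)
            return NULL;                       /* forward past the buffer */
        const uint8_t *sibling_ptr = buffer + off;
        if (check_backwards && sibling_ptr < info_ptr)
            (*rejected)++;                     /* fall back to linear skip */
        else
            return sibling_ptr;
    }
    return info_ptr + payload_len;             /* linear skip */
}

/* Walk the DIE stream; max_steps bounds the unguarded case so a cycle is
   reported as WALK_LOOP instead of hanging. */
struct walk_result walk(const uint8_t *buffer, size_t len,
                        int check_backwards, unsigned max_steps)
{
    struct walk_result r = { WALK_OK, 0, 0 };
    const uint8_t *p = buffer;
    while (p < buffer + len) {
        if (r.dies >= max_steps) { r.status = WALK_LOOP; return r; }
        if ((size_t)(buffer + len - p) < 2) { r.status = WALK_OOB; return r; }
        const uint8_t *n = next_die(buffer, len, p, check_backwards,
                                    &r.backwards_siblings);
        if (n == NULL) { r.status = WALK_OOB; return r; }
        r.dies++;
        p = n;
    }
    return r;
}

/* Constructed input: DIE C's sibling points back to DIE A, forming a cycle. */
const uint8_t loop_buf[] = {
    2, 1, 11, 0, 0, 0, 0xAA, 0xBB,   /* A @0: payload 2, sibling -> 11 (C) */
    1, 0, 0xCC,                      /* B @8: child of A, skipped via sibling */
    0, 1, 0, 0, 0, 0,                /* C @11: sibling -> 0 (backwards) */
};
const size_t loop_len = sizeof loop_buf;

/* Constructed input: a sibling offset (1000) far beyond the 6-byte buffer. */
const uint8_t oob_buf[] = { 0, 1, 0xE8, 0x03, 0, 0 };
const size_t oob_len = sizeof oob_buf;

/* Convenience accessors so each outcome can be checked by name. */
int walk_status(const uint8_t *b, size_t n, int chk) { return walk(b, n, chk, 100).status; }
unsigned walk_dies(const uint8_t *b, size_t n, int chk) { return walk(b, n, chk, 100).dies; }
unsigned walk_rejected(const uint8_t *b, size_t n, int chk) { return walk(b, n, chk, 100).backwards_siblings; }

int main(void)
{
    printf("unguarded: status %d\n", walk_status(loop_buf, loop_len, 0));
    printf("guarded:   status %d, dies %u, rejected %u\n",
           walk_status(loop_buf, loop_len, 1), walk_dies(loop_buf, loop_len, 1),
           walk_rejected(loop_buf, loop_len, 1));
    printf("oob:       status %d\n", walk_status(oob_buf, oob_len, 1));
    return 0;
}
```

With the check disabled the walk bounces between A and C until the step cap trips; with it enabled C's backwards reference is counted and the reader falls back to a linear skip, which is exactly the degraded-but-terminating behaviour the patch aims for. The out-of-bounds buffer shows why a lower-bound comparison alone is not a complete validation of the reference.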