From: Tom Tromey
To: gdb-patches@sourceware.org
Subject: Patch: check for over- and under-flow in decode_locdesc
Date: Thu, 18 Nov 2010 21:24:00 -0000
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Sender: gdb-patches-owner@sourceware.org
X-SW-Source: 2010-11/txt/msg00246.txt.bz2

I am going to check this in sometime soon, barring complaints.

This is a new version of a patch we've been carrying in Fedora for quite some time.  It changes decode_locdesc to check for under- and over-flow.  This is the topic of CVE-2006-4146.

This version of the patch issues a complaint where earlier versions called internal_error.  I also cleaned up the comment formatting.

Writing a test case for this is a pain, but I tried it by hand (by modifying state using a second gdb) to make sure it does the right thing.

Built and regtested on x86-64 (compile farm).

Tom

2010-11-18  Will Drewry
            Tavis Ormandy
            Jan Kratochvil

	* dwarf2read.c (decode_locdesc): Enforce location description
	stack boundaries.

diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c index 33ebea8..30e1baa 100644 --- a/gdb/dwarf2read.c +++ b/gdb/dwarf2read.c @@ -13279,8 +13279,7 @@ read_signatured_type (struct objfile *objfile, callers will only want a very basic result and this can become a complaint. - Note that stack[0] is unused except as a default error return. - Note that stack overflow is not yet handled. */ + Note that stack[0] is unused except as a default error return. */ static CORE_ADDR decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu) @@ -13297,6 +13296,7 @@ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu) i = 0; stacki = 0; stack[stacki] = 0; + stack[++stacki] = 0; while (i < size) {
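Review bot: in the @@ -13297 hunk, `stack[++stacki] = 0;` silently moves the starting index from 0 to 1 and turns stack[0] into a floor that the new `stacki <= 0` underflow test relies on, yet the comment kept by the @@ -13279 hunk still reads "stack[0] is unused except as a default error return"; update it to say that stacki starts at 1 and stack[0] is a sentinel below which no opcode may pop, otherwise the extra initialisation reads as a stray duplicate of the line above it. A note that an empty block still evaluates to 0 (now stack[1], previously stack[0]) would also save the next reader a trip through the loop.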
@@ -13478,6 +13478,22 @@ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu) dwarf_stack_op_name (op, 1)); return (stack[stacki]); } + + /* Enforce maximum stack depth of SIZE-1 to avoid writing + outside of the allocated space. Also enforce minimum>0. */ + if (stacki >= sizeof (stack) / sizeof (*stack) - 1) + { + complaint (&symfile_complaints, + _("location description stack overflow")); + return 0; + } + + if (stacki <= 0) + { + complaint (&symfile_complaints, + _("location description stack underflow")); + return 0; + } } return (stack[stacki]); }
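Review bot: both new checks run after the opcode's case has already executed, so the overflow test only holds if no case advances stacki by more than one per iteration: with the limit at SIZE-1, a push from stacki == SIZE-2 lands in stack[SIZE-1], the last slot, and is then refused, which is correct for single-push opcodes but should be stated in the comment (or the test moved ahead of each push). Likewise an opcode that pops with stacki == 1 reads the stack[0] sentinel before `stacki <= 0` trips, which is why that slot has to exist. Minor: `sizeof (stack) / sizeof (*stack) - 1` deserves a named constant so that "SIZE-1" in the comment refers to something concrete, and the two new complaints could name the offending DW_OP the way the unknown-opcode complaint just above them does.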
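The patch above bounds-checks gdb's fixed-size location-expression stack after each opcode runs. As an added example that is not gdb's code and not part of the original message, the stand-alone evaluator below handles a small subset of DWARF opcodes (DW_OP_lit0..31, DW_OP_const1u, DW_OP_dup, DW_OP_plus, DW_OP_plus_uconst) and makes the alternative design explicit: every pop is checked against the live depth and every push against the slot count before the array is touched, so no sentinel slot is needed, and operands are bounds-checked against the block as well. The helper names, the status enum, `STACK_SLOTS` and the sample expressions are all assumptions of this example; the opcode values are the standard DWARF ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not gdb code: a bounds-checked evaluator for a small subset
   of DWARF location expressions.  Opcodes are the standard DWARF values and
   STACK_SLOTS mirrors the fixed CORE_ADDR stack[64] in decode_locdesc.  Unlike
   the patch, which tests stacki after each opcode has run, every pop and push
   here is checked before the array is touched, so no sentinel slot is needed. */
enum { DW_OP_const1u = 0x08, DW_OP_dup = 0x12, DW_OP_plus = 0x22,
       DW_OP_plus_uconst = 0x23, DW_OP_lit0 = 0x30, DW_OP_lit31 = 0x4f };
#define STACK_SLOTS 64
enum locdesc_status { LOC_OK = 0, LOC_OVERFLOW, LOC_UNDERFLOW,
                      LOC_TRUNCATED, LOC_UNKNOWN_OP };
/* Decode a ULEB128 operand without reading past the end of the block. */
static int read_uleb128(const unsigned char *blk, size_t size, size_t *i,
                        uint64_t *out)
{
  uint64_t value = 0;
  unsigned shift = 0;
  while (*i < size) {
    unsigned char byte = blk[(*i)++];
    if (shift < 64)
      value |= (uint64_t)(byte & 0x7f) << shift;
    shift += 7;
    if ((byte & 0x80) == 0) { *out = value; return 1; }
  }
  return 0;  /* block ended in the middle of an operand */
}
/* Evaluate blk[0..size) into *result.  depth counts live entries; the top is
   stack[depth - 1].  An empty expression yields 0, like decode_locdesc. */
enum locdesc_status decode_locdesc_checked(const unsigned char *blk,
                                           size_t size, uint64_t *result)
{
  uint64_t stack[STACK_SLOTS], operand;
  size_t depth = 0, i = 0;
#define NEED(n) do { if (depth < (n)) return LOC_UNDERFLOW; } while (0)
#define PUSH(v) do { if (depth >= STACK_SLOTS) return LOC_OVERFLOW; \
                     stack[depth++] = (v); } while (0)
  while (i < size) {
    unsigned char op = blk[i++];
    if (op >= DW_OP_lit0 && op <= DW_OP_lit31) {
      PUSH(op - DW_OP_lit0);
      continue;
    }
    switch (op) {
    case DW_OP_const1u:        /* one-byte operand must be present */
      if (i >= size)
        return LOC_TRUNCATED;
      PUSH(blk[i++]);
      break;
    case DW_OP_dup:            /* read the top, then push a copy of it */
      NEED(1);
      PUSH(stack[depth - 1]);
      break;
    case DW_OP_plus:           /* pop two, push their sum */
      NEED(2);
      stack[depth - 2] += stack[depth - 1];
      depth--;
      break;
    case DW_OP_plus_uconst:    /* add a ULEB128 operand to the top */
      NEED(1);
      if (!read_uleb128(blk, size, &i, &operand))
        return LOC_TRUNCATED;
      stack[depth - 1] += operand;
      break;
    default:
      return LOC_UNKNOWN_OP;   /* everything else is out of scope here */
    }
  }
  *result = depth ? stack[depth - 1] : 0;
  return LOC_OK;
}
/* Constructed inputs, not taken from any real binary. */
static const unsigned char expr_ok[] =      /* lit5 const1u 7 plus plus_uconst 300 */
  { 0x35, 0x08, 0x07, 0x22, 0x23, 0xac, 0x02 };
static const unsigned char expr_underflow[] = { 0x31, 0x22 };  /* lit1 plus */
static const unsigned char expr_truncated[] = { 0x08 };        /* const1u, no operand */
/* count copies of DW_OP_lit1: 64 fit, the 65th must be refused before it is
   written (the overflow the patch above guards against). */
static enum locdesc_status run_push_storm(size_t count, uint64_t *result)
{
  unsigned char buf[128];
  if (count > sizeof buf)
    return LOC_OVERFLOW;
  memset(buf, DW_OP_lit0 + 1, count);
  return decode_locdesc_checked(buf, count, result);
}
int main(void)
{
  uint64_t r = 0;
  int st = decode_locdesc_checked(expr_ok, sizeof expr_ok, &r);
  printf("expr_ok: status %d value %llu\n", st, (unsigned long long)r);
  printf("64 pushes: %d, 65 pushes: %d, underflow: %d, truncated: %d\n",
         run_push_storm(64, &r), run_push_storm(65, &r),
         decode_locdesc_checked(expr_underflow, 2, &r),
         decode_locdesc_checked(expr_truncated, 1, &r));
  return 0;
}
```

Checking before the write rather than after it means an opcode that pushes more than one value would still be safe, which is the assumption the patch's post-opcode test leaves implicit; the cost is one comparison per push and per pop, which is negligible next to the DWARF reading that surrounds it.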