diff options
| author | Sandra Loosemore <sandra@codesourcery.com> | 2019-04-25 07:27:02 -0700 |
|---|---|---|
| committer | Sandra Loosemore <sandra@codesourcery.com> | 2019-04-25 07:27:02 -0700 |
| commit | 723adb650a31859d7cc45832cb8adca0206455ed (patch) | |
| tree | 7901cb38a9a47bfdf79e1165887414f8ca46f8c8 /gdb/dwarf2-frame.c | |
| parent | 68bb0359eec3093560929b8ad2b3f5d30e7a7e1d (diff) | |
| download | gdb-723adb650a31859d7cc45832cb8adca0206455ed.zip gdb-723adb650a31859d7cc45832cb8adca0206455ed.tar.gz gdb-723adb650a31859d7cc45832cb8adca0206455ed.tar.bz2 | |
Detect invalid length field in debug frame FDE header.
GDB was failing to catch cases where a corrupt ELF or core file
contained an invalid length value in a Dwarf debug frame FDE header.
It was checking for buffer overflow but not cases where the length was
negative or caused pointer wrap-around.
In addition to the additional validity check, this patch cleans up the
multiple signed/unsigned conversions on the length field so that an
unsigned representation is used consistently throughout.
This patch fixes CVE-2017-9778 and PR gdb/21600.
2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
Kang Li <kanglictf@gmail.com>
PR gdb/21600
* dwarf2-frame.c (read_initial_length): Be consistent about using
unsigned representation of length.
(decode_frame_entry_1): Likewise. Check for wraparound of
end pointer as well as buffer overflow.
Diffstat (limited to 'gdb/dwarf2-frame.c')
| -rw-r--r-- | gdb/dwarf2-frame.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c index e2bf61b..b697afa 100644 --- a/gdb/dwarf2-frame.c +++ b/gdb/dwarf2-frame.c @@ -1487,7 +1487,7 @@ static ULONGEST read_initial_length (bfd *abfd, const gdb_byte *buf, unsigned int *bytes_read_ptr) { - LONGEST result; + ULONGEST result; result = bfd_get_32 (abfd, buf); if (result == 0xffffffff) @@ -1788,7 +1788,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, { struct gdbarch *gdbarch = get_objfile_arch (unit->objfile); const gdb_byte *buf, *end; - LONGEST length; + ULONGEST length; unsigned int bytes_read; int dwarf64_p; ULONGEST cie_id; @@ -1799,15 +1799,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start, buf = start; length = read_initial_length (unit->abfd, buf, &bytes_read); buf += bytes_read; - end = buf + length; - - /* Are we still within the section? */ - if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) - return NULL; + end = buf + (size_t) length; if (length == 0) return end; + /* Are we still within the section? */ + if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size) + return NULL; + /* Distinguish between 32 and 64-bit encoded frame info. */ dwarf64_p = (bytes_read == 12); |