Bug 21600

Summary:	Fail to detect invalid FDE header, can exhaust gdb process's virtual memory and terminate debug session
Product:	gdb	Reporter:	Kang <kanglictf>
Component:	backtrace	Assignee:	Not yet assigned to anyone <unassigned>
Status:	RESOLVED FIXED
Severity:	normal	CC:	sergiodj, simark
Priority:	P2
Version:	HEAD
Target Milestone:	---
Host:		Target:
Build:		Last reconfirmed:
Project(s) to access:		ssh public key:
Attachments:	malformed core file a regular ELF file (cb), used to load with the core file a malformed ELF file sample patch file screenshot or gdb failure when open core file screenshot when gdb fails during debugging attachment-95212-0.html

Description Kang 2017-06-15 02:22:13 UTC

GDB fails to catch an invalid length informaiton in dwarf debug frame FDE headers. A carefully created ELF file or core file can cause gdb to terminate the debug session due to memory exhausted error.

This bug was found by Kang Li <kanglictf@gmail.com> and Yue Yin <yinyueacm@gmail.com>.  We also thank Guodong Zhu for help troubleshooting.

This bug was found and verified on 32-bit Ubuntu 14.04 LTS (and tested on Ubuntu 12.04.5 as well)

The software was checkout from git://sourceware.org/git/binutils-gdb.git  on 2017/06/14
and the latest commit f7e16c2a9cc405707e646e951397938d2b4eea48

The package was built with gcc 4.8.3 .


* Two ways to reproduce the error

  Method A:

  1. Use gdb to open a malformed core file (file cb and core are in attachment)
  $ gdb cb core
	
  2. after sometime, gdb will show virtual memory exhausted error. 


  Method B:

  1. Use gdb to load a malformed ELF binary (file trouble_bin is in attachment)
  $ gdb trouble_bin
	
  2. Set a breakpoint. It does not matter where as long as it will be hit at run time.
     In this example, we put a breakpoint at the start of .init section.

  (gdb) br *0x80482b0		
 
  3. run and gdb will show virtual memory exhausted error after it hit a breakpoint.

Comment 1 Kang 2017-06-15 02:23:46 UTC

Created attachment 10141 [details]
malformed core file

gdb runs into error when open this file along with the normal binary (the attachment called cb)

Comment 2 Kang 2017-06-15 02:24:51 UTC

Created attachment 10142 [details]
a regular ELF file (cb), used to load with the core file

use gdb to load this ELF and the core file together.

Comment 3 Kang 2017-06-15 02:26:32 UTC

Created attachment 10143 [details]
a malformed ELF file

gdb shows error message after run this with a breakpoint.

Comment 4 Kang 2017-06-15 02:28:22 UTC

Created attachment 10144 [details]
sample patch file

Comment 5 Kang 2017-06-15 02:29:54 UTC

Created attachment 10145 [details]
screenshot or gdb failure when open core file

Comment 6 Kang 2017-06-15 02:30:32 UTC

Created attachment 10146 [details]
screenshot when gdb fails during debugging

Comment 7 Sergio Durigan Junior 2017-06-15 16:58:22 UTC

Thanks for the bug report.  I see you have a possible patch to fix this issue, and it is rather trivial (in the sense that it just modifies a few lines of code).  In this case, I would suggest you to submit the patch, along with a description of what it does, to gdb-patches@sourceware.org.  We have a wiki page which contains a contribution checklist: https://sourceware.org/gdb/wiki/ContributionChecklist.

Thanks.

Comment 8 Sergio Durigan Junior 2017-06-15 19:51:45 UTC

BTW, bug is confirmed on i686 targets.

Comment 9 Kang 2017-06-15 20:02:05 UTC

Created attachment 10148 [details]
attachment-95212-0.html

Got it!   Will check how to fix this.

On Thu, Jun 15, 2017 at 3:51 PM, sergiodj at redhat dot com <
sourceware-bugzilla@sourceware.org> wrote:

> https://sourceware.org/bugzilla/show_bug.cgi?id=21600
>
> --- Comment #8 from Sergio Durigan Junior <sergiodj at redhat dot com> ---
> BTW, bug is confirmed on i686 targets.
>
> --
> You are receiving this mail because:
> You reported the bug.
>

Comment 10 Kang 2017-06-15 20:09:37 UTC

BTW, we just tested on earlier version of gdb (7.4 & 7.7).  The bug affects earlier versions of gdb as well,  i.e. malformed/malicious ELF binaries can prevent gdb from debugging by forcing session termination.  We will work on a new patch.

Comment 11 Sourceware Commits 2019-04-25 14:33:51 UTC

The master branch has been updated by Sandra Loosemore <sandra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed

commit 723adb650a31859d7cc45832cb8adca0206455ed
Author: Sandra Loosemore <sandra@codesourcery.com>
Date:   Thu Apr 25 07:27:02 2019 -0700

    Detect invalid length field in debug frame FDE header.
    
    GDB was failing to catch cases where a corrupt ELF or core file
    contained an invalid length value in a Dwarf debug frame FDE header.
    It was checking for buffer overflow but not cases where the length was
    negative or caused pointer wrap-around.
    
    In addition to the additional validity check, this patch cleans up the
    multiple signed/unsigned conversions on the length field so that an
    unsigned representation is used consistently throughout.
    
    This patch fixes CVE-2017-9778 and PR gdb/21600.
    
    2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
    	    Kang Li <kanglictf@gmail.com>
    
    	PR gdb/21600
    
    	* dwarf2-frame.c (read_initial_length): Be consistent about using
    	unsigned representation of length.
    	(decode_frame_entry_1): Likewise.  Check for wraparound of
    	end pointer as well as buffer overflow.

Comment 12 Simon Marchi 2019-04-25 14:36:45 UTC

Should be fixed by commit mentioned above.