Bug 22219

Summary: infinite loop in process_debug_info in dwarf.c in binutils 2.30 (HEAD)
Product: binutils
Reporter: skysider <luanjunchao>
Component: binutils
Assignee: Not yet assigned to anyone <unassigned>
Severity: normal
CC: nickc
Priority: P2
Version: 2.30
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:
Attachments: poc of infinite loop

Description skysider 2017-09-27 07:00:52 UTC
Created attachment 10490: poc of infinite loop

When I run "objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R --special-syms --inlines --dwarf-check loop.elf", it gets trapped in the function process_debug_info.

A snippet of the function is here:

for (section_begin = start, unit = 0; start < end; unit++)
  start += compunit.cu_length + initial_length_size;

When I debug it with gdb, I can see that compunit.cu_length = 0xfffffff4 and initial_length_size = 12, which leads to start += 0 on each loop iteration. Maybe there is an integer overflow here.
The poc is attached here.
Comment 1 cvs-commit@gcc.gnu.org 2017-09-27 09:44:11 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:


commit 19485196044b2521af979f1e5c4a89bfb90fba0b
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 27 10:42:51 2017 +0100

    Prevent an infinite loop in the DWARF parsing code when encountering a CU structure with a small negative size.
    	PR 22219
    	* dwarf.c (process_debug_info): Add a check for a negative
    	cu_length field.
Comment 2 Nick Clifton 2017-09-27 09:46:46 UTC
Hi Skysider,

  Thanks for reporting this bug.  I have checked in a patch to test for negative lengths in the comp_unit structure, which will prevent this infinite loop from happening again.
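The loop advance from the report and the negative-length check the fix describes, as an added C example that is not binutils code: walk_cus and rd_le are hypothetical stand-ins for the process_debug_info loop and byte_get, and the poc bytes are constructed to reproduce the wrap-to-zero case.

```c
#include <stdint.h>
#include <stddef.h>

/* Little-endian field reader (hypothetical stand-in for binutils' byte_get). */
static uint64_t rd_le(const unsigned char *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t) p[i] << (8 * i);
    return v;
}

/* Walk .debug_info CU headers the way the reported loop does.
   checked == 0: original advance (the demo stops after max_iter rounds instead of spinning).
   checked == 1: reject a negative or oversized cu_length before advancing, as the fix does.
   Returns units walked, -1 for a rejected header, -2 when start stopped moving. */
int walk_cus(const unsigned char *buf, size_t len, int checked, int max_iter)
{
    const unsigned char *start = buf, *end = buf + len;
    int unit;
    for (unit = 0; start < end; unit++) {
        uint64_t cu_length, initial_length_size;
        if (unit >= max_iter) return -2;
        if ((size_t)(end - start) < 4) return -1;
        cu_length = rd_le(start, 4);
        if (cu_length == 0xffffffff) {          /* 64-bit DWARF escape */
            if ((size_t)(end - start) < 12) return -1;
            cu_length = rd_le(start + 4, 8);
            initial_length_size = 12;
        } else
            initial_length_size = 4;
        /* The fix: a "negative" length is bogus, and the unit must fit in the
           section; otherwise cu_length + initial_length_size can wrap to 0. */
        if (checked && ((int64_t) cu_length < 0 ||
                        cu_length > (uint64_t)(end - start) - initial_length_size))
            return -1;
        start += cu_length + initial_length_size;   /* the line from the report */
    }
    return unit;
}

/* Constructed input: a valid 32-bit CU (length 7: version 4, abbrev offset 0,
   address size 8), then a 64-bit CU whose length 0xfffffffffffffff4 + 12 wraps to 0. */
static const unsigned char poc[] = {
    0x07,0x00,0x00,0x00, 0x04,0x00, 0x00,0x00,0x00,0x00, 0x08,
    0xff,0xff,0xff,0xff, 0xf4,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0x04,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x08
};

int demo_poc(int checked) { return walk_cus(poc, sizeof poc, checked, 1000); }
```

With the original advance the walk never leaves the second unit (-2); with the check it is rejected (-1), which is the outcome the patch aims for.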