GDB fails to catch invalid length information in DWARF debug frame FDE headers. A carefully created ELF file or core file can cause gdb to terminate the debug session due to a memory exhausted error.
This bug was found by Kang Li <firstname.lastname@example.org> and Yue Yin <email@example.com>. We also thank Guodong Zhu for help troubleshooting.
This bug was found and verified on 32-bit Ubuntu 14.04 LTS (and tested on Ubuntu 12.04.5 as well).
The software was checked out from git://sourceware.org/git/binutils-gdb.git on 2017/06/14
at the latest commit f7e16c2a9cc405707e646e951397938d2b4eea48.
The package was built with gcc 4.8.3.
* Two ways to reproduce the error
1. Use gdb to open a malformed core file (file cb and core are in attachment)
$ gdb cb core
2. After some time, gdb will show a virtual memory exhausted error.
1. Use gdb to load a malformed ELF binary (file trouble_bin is in attachment)
$ gdb trouble_bin
2. Set a breakpoint. It does not matter where as long as it will be hit at run time.
In this example, we put a breakpoint at the start of .init section.
(gdb) br *0x80482b0
3. Run, and gdb will show a virtual memory exhausted error after it hits the breakpoint.
Created attachment 10141
malformed core file
gdb runs into an error when opening this file along with the normal binary (the attachment called cb).
Created attachment 10142
a regular ELF file (cb), used to load with the core file
Use gdb to load this ELF and the core file together.
Created attachment 10143
a malformed ELF file
gdb shows the error message after running this with a breakpoint.
Created attachment 10144
sample patch file
Created attachment 10145
screenshot of gdb failure when opening the core file
Created attachment 10146
screenshot when gdb fails during debugging
Thanks for the bug report. I see you have a possible patch to fix this issue, and it is rather trivial (in the sense that it just modifies a few lines of code). In this case, I would suggest you submit the patch, along with a description of what it does, to firstname.lastname@example.org. We have a wiki page which contains a contribution checklist: https://sourceware.org/gdb/wiki/ContributionChecklist.
BTW, bug is confirmed on i686 targets.
Created attachment 10148
Got it! Will check how to fix this.
On Thu, Jun 15, 2017 at 3:51 PM, sergiodj at redhat dot com <
> --- Comment #8 from Sergio Durigan Junior <sergiodj at redhat dot com> ---
> BTW, bug is confirmed on i686 targets.
BTW, we just tested on earlier versions of gdb (7.4 and 7.7). The bug affects earlier versions of gdb as well, i.e. malformed/malicious ELF binaries can prevent gdb from debugging by forcing session termination. We will work on a new patch.
The master branch has been updated by Sandra Loosemore <email@example.com>:
Author: Sandra Loosemore <firstname.lastname@example.org>
Date: Thu Apr 25 07:27:02 2019 -0700
Detect invalid length field in debug frame FDE header.
GDB was failing to catch cases where a corrupt ELF or core file
contained an invalid length value in a Dwarf debug frame FDE header.
It was checking for buffer overflow but not cases where the length was
negative or caused pointer wrap-around.
In addition to the additional validity check, this patch cleans up the
multiple signed/unsigned conversions on the length field so that an
unsigned representation is used consistently throughout.
This patch fixes CVE-2017-9778 and PR gdb/21600.
2019-04-25  Sandra Loosemore  <email@example.com>
	    Kang Li  <firstname.lastname@example.org>

	* dwarf2-frame.c (read_initial_length): Be consistent about using
	unsigned representation of length.
	(decode_frame_entry_1): Likewise.  Check for wraparound of
	end pointer as well as buffer overflow.
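The two failure modes the commit message names (a length that is negative when read as a signed value, and a length that pushes the end pointer past the buffer or wraps it) can be made concrete with a small validator. The C below is an added example written for this page; it is not GDB's dwarf2-frame.c code and the function names (naive_accepts, check_frame_entry, walk_frame_section) and the sample byte arrays are constructed for illustration. It assumes little-endian initial-length fields and follows the DWARF rule that a 4-byte length of 0xffffffff announces an 8-byte 64-bit length, while 0xfffffff0..0xfffffffe are reserved escapes. naive_accepts reproduces the flawed pattern the report describes (signed length, only an "end past buffer" test); check_frame_entry is the hardened form, which keeps the length unsigned throughout and compares remaining byte counts instead of pointers, so overflow and wraparound are caught by the same test.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of validating one CIE/FDE entry. */
enum fde_status {
    FDE_OK = 0,      /* entry lies entirely inside the buffer */
    FDE_TRUNCATED,   /* not enough bytes left for the length field itself */
    FDE_BAD_LENGTH,  /* reserved escape value 0xfffffff0..0xfffffffe */
    FDE_OVERFLOW     /* length runs past the buffer end (or would wrap a pointer) */
};

/* Little-endian readers (assumption: sample data below is little-endian). */
static uint32_t read_u32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t read_u64(const unsigned char *p)
{
    return (uint64_t)read_u32(p) | ((uint64_t)read_u32(p + 4) << 32);
}

/* Flawed pattern from the bug report: the length is treated as signed and only
   "end > buffer end" is tested, so a length with the top bit set moves end
   backwards and the check passes.  Computed on offsets rather than raw pointers
   so that the demonstration itself has no undefined behaviour.
   Returns 1 if this (flawed) check accepts the entry, 0 if it rejects it. */
int naive_accepts(const unsigned char *buf, size_t buf_size, size_t offset)
{
    if (offset + 4 > buf_size)
        return 0;
    int32_t length = (int32_t)read_u32(buf + offset);   /* signed by mistake */
    int64_t end = (int64_t)(offset + 4) + length;       /* may go below offset */
    return end <= (int64_t)buf_size;
}

/* Hardened check: unsigned length throughout, byte counts instead of pointers. */
enum fde_status check_frame_entry(const unsigned char *buf, size_t buf_size, size_t offset,
                                  uint64_t *entry_len, size_t *next_offset)
{
    if (offset > buf_size || buf_size - offset < 4)
        return FDE_TRUNCATED;

    const unsigned char *p = buf + offset;
    uint64_t length = read_u32(p);
    size_t header = 4;                       /* bytes consumed by the length field */

    if (length == 0xffffffffu) {             /* 64-bit DWARF: real length follows */
        if (buf_size - offset - 4 < 8)
            return FDE_TRUNCATED;
        length = read_u64(p + 4);
        header = 12;
    } else if (length >= 0xfffffff0u) {      /* reserved by DWARF, never a size */
        return FDE_BAD_LENGTH;
    }

    /* `remaining` cannot underflow (checked above) and `length` is unsigned, so a
       huge length and a length that would wrap a pointer fail the same test. */
    size_t remaining = buf_size - offset - header;
    if (length > remaining)
        return FDE_OVERFLOW;

    if (entry_len)   *entry_len = length;
    if (next_offset) *next_offset = offset + header + (size_t)length;
    return FDE_OK;
}

/* Walk consecutive entries of a .debug_frame-style buffer.  Returns the entry
   count on success, or the negated fde_status of the first bad entry. */
int walk_frame_section(const unsigned char *buf, size_t buf_size)
{
    size_t offset = 0;
    int count = 0;
    while (offset < buf_size) {
        enum fde_status st = check_frame_entry(buf, buf_size, offset, NULL, &offset);
        if (st != FDE_OK)
            return -(int)st;
        count++;
    }
    return count;
}

/* Constructed sample entries (not taken from the attached files). */
static const unsigned char good_entry[]      = { 0x08,0,0,0, 1,2,3,4,5,6,7,8 };
static const unsigned char two_entries[]     = { 0x08,0,0,0, 1,2,3,4,5,6,7,8, 0x02,0,0,0, 9,10 };
static const unsigned char dwarf64_entry[]   = { 0xff,0xff,0xff,0xff, 4,0,0,0,0,0,0,0, 1,2,3,4 };
static const unsigned char negative_length[] = { 0x10,0,0,0x80, 1,2,3,4,5,6,7,8 };          /* 0x80000010 */
static const unsigned char huge_entry64[]    = { 0xff,0xff,0xff,0xff, 0x00,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 1,2,3,4 };
static const unsigned char reserved_length[] = { 0xf0,0xff,0xff,0xff, 1,2,3,4 };             /* 0xfffffff0 */
static const unsigned char truncated[]       = { 0x08, 0x00 };

int main(void)
{
    printf("length 0x80000010: naive accepts=%d, hardened status=%d\n",
           naive_accepts(negative_length, sizeof negative_length, 0),
           (int)check_frame_entry(negative_length, sizeof negative_length, 0, NULL, NULL));
    printf("entries in well-formed buffer: %d\n", walk_frame_section(two_entries, sizeof two_entries));
    return 0;
}
```

The design point is the one the commit message makes: once the length is unsigned and the bound is expressed as "bytes left in the buffer", there is no separate wraparound case to remember, because a pointer is never formed from an unvalidated length in the first place.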
Should be fixed by commit mentioned above.