Bug 21600 - Fail to detect invalid FDE header, can exhaust gdb process's virtual memory and terminate debug session
Summary: Fail to detect invalid FDE header, can exhaust gdb process's virtual memory a...
Status: RESOLVED FIXED
Alias: None
Product: gdb
Classification: Unclassified
Component: backtrace (show other bugs)
Version: HEAD
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-15 02:22 UTC by Kang
Modified: 2019-04-25 14:36 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
malformed core file (10.71 KB, application/x-core)
2017-06-15 02:23 UTC, Kang
Details
a regular ELF file (cb), used to load with the core file (290.12 KB, application/x-executable)
2017-06-15 02:24 UTC, Kang
Details
a malformed ELF file (1.57 KB, application/x-executable)
2017-06-15 02:26 UTC, Kang
Details
sample patch file (242 bytes, patch)
2017-06-15 02:28 UTC, Kang
Details | Diff
screenshot or gdb failure when open core file (482.91 KB, image/png)
2017-06-15 02:29 UTC, Kang
Details
screenshot when gdb fails during debugging (367.24 KB, image/png)
2017-06-15 02:30 UTC, Kang
Details
attachment-95212-0.html (487 bytes, text/html)
2017-06-15 20:02 UTC, Kang
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Kang 2017-06-15 02:22:13 UTC
GDB fails to catch an invalid length informaiton in dwarf debug frame FDE headers. A carefully created ELF file or core file can cause gdb to terminate the debug session due to memory exhausted error.

This bug was found by Kang Li <kanglictf@gmail.com> and Yue Yin <yinyueacm@gmail.com>.  We also thank Guodong Zhu for help troubleshooting.

This bug was found and verified on 32-bit Ubuntu 14.04 LTS (and tested on Ubuntu 12.04.5 as well)

The software was checkout from git://sourceware.org/git/binutils-gdb.git  on 2017/06/14
and the latest commit f7e16c2a9cc405707e646e951397938d2b4eea48

The package was built with gcc 4.8.3 .


* Two ways to reproduce the error

  Method A:

  1. Use gdb to open a malformed core file (file cb and core are in attachment)
  $ gdb cb core
	
  2. after sometime, gdb will show virtual memory exhausted error. 


  Method B:

  1. Use gdb to load a malformed ELF binary (file trouble_bin is in attachment)
  $ gdb trouble_bin
	
  2. Set a breakpoint. It does not matter where as long as it will be hit at run time.
     In this example, we put a breakpoint at the start of .init section.

  (gdb) br *0x80482b0		
 
  3. run and gdb will show virtual memory exhausted error after it hit a breakpoint.
Comment 1 Kang 2017-06-15 02:23:46 UTC
Created attachment 10141 [details]
malformed core file

gdb runs into error when open this file along with the normal binary (the attachment called cb)
Comment 2 Kang 2017-06-15 02:24:51 UTC
Created attachment 10142 [details]
a regular ELF file (cb), used to load with the core file

use gdb to load this ELF and the core file together.
Comment 3 Kang 2017-06-15 02:26:32 UTC
Created attachment 10143 [details]
a malformed ELF file

gdb shows error message after run this with a breakpoint.
Comment 4 Kang 2017-06-15 02:28:22 UTC
Created attachment 10144 [details]
sample patch file
Comment 5 Kang 2017-06-15 02:29:54 UTC
Created attachment 10145 [details]
screenshot or gdb failure when open core file
Comment 6 Kang 2017-06-15 02:30:32 UTC
Created attachment 10146 [details]
screenshot when gdb fails during debugging
Comment 7 Sergio Durigan Junior 2017-06-15 16:58:22 UTC
Thanks for the bug report.  I see you have a possible patch to fix this issue, and it is rather trivial (in the sense that it just modifies a few lines of code).  In this case, I would suggest you to submit the patch, along with a description of what it does, to gdb-patches@sourceware.org.  We have a wiki page which contains a contribution checklist: https://sourceware.org/gdb/wiki/ContributionChecklist.

Thanks.
Comment 8 Sergio Durigan Junior 2017-06-15 19:51:45 UTC
BTW, bug is confirmed on i686 targets.
Comment 9 Kang 2017-06-15 20:02:05 UTC
Created attachment 10148 [details]
attachment-95212-0.html

Got it!   Will check how to fix this.

On Thu, Jun 15, 2017 at 3:51 PM, sergiodj at redhat dot com <
sourceware-bugzilla@sourceware.org> wrote:

> https://sourceware.org/bugzilla/show_bug.cgi?id=21600
>
> --- Comment #8 from Sergio Durigan Junior <sergiodj at redhat dot com> ---
> BTW, bug is confirmed on i686 targets.
>
> --
> You are receiving this mail because:
> You reported the bug.
>
Comment 10 Kang 2017-06-15 20:09:37 UTC
BTW, we just tested on earlier version of gdb (7.4 & 7.7).  The bug affects earlier versions of gdb as well,  i.e. malformed/malicious ELF binaries can prevent gdb from debugging by forcing session termination.  We will work on a new patch.
Comment 11 Sourceware Commits 2019-04-25 14:33:51 UTC
The master branch has been updated by Sandra Loosemore <sandra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed

commit 723adb650a31859d7cc45832cb8adca0206455ed
Author: Sandra Loosemore <sandra@codesourcery.com>
Date:   Thu Apr 25 07:27:02 2019 -0700

    Detect invalid length field in debug frame FDE header.
    
    GDB was failing to catch cases where a corrupt ELF or core file
    contained an invalid length value in a Dwarf debug frame FDE header.
    It was checking for buffer overflow but not cases where the length was
    negative or caused pointer wrap-around.
    
    In addition to the additional validity check, this patch cleans up the
    multiple signed/unsigned conversions on the length field so that an
    unsigned representation is used consistently throughout.
    
    This patch fixes CVE-2017-9778 and PR gdb/21600.
    
    2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
    	    Kang Li <kanglictf@gmail.com>
    
    	PR gdb/21600
    
    	* dwarf2-frame.c (read_initial_length): Be consistent about using
    	unsigned representation of length.
    	(decode_frame_entry_1): Likewise.  Check for wraparound of
    	end pointer as well as buffer overflow.
Comment 12 Simon Marchi 2019-04-25 14:36:45 UTC
Should be fixed by commit mentioned above.