GDB fails to catch invalid length information in DWARF debug frame FDE headers. A carefully created ELF file or core file can cause gdb to terminate the debug session due to a "memory exhausted" error.

This bug was found by Kang Li <kanglictf@gmail.com> and Yue Yin <yinyueacm@gmail.com>. We also thank Guodong Zhu for help troubleshooting.

This bug was found and verified on 32-bit Ubuntu 14.04 LTS (and tested on Ubuntu 12.04.5 as well). The software was checked out from git://sourceware.org/git/binutils-gdb.git on 2017/06/14 at the latest commit, f7e16c2a9cc405707e646e951397938d2b4eea48. The package was built with gcc 4.8.3.

* Two ways to reproduce the error

Method A:

1. Use gdb to open a malformed core file (the files cb and core are in the attachments):

   $ gdb cb core

2. After some time, gdb will show a "virtual memory exhausted" error.

Method B:

1. Use gdb to load a malformed ELF binary (the file trouble_bin is in the attachments):

   $ gdb trouble_bin

2. Set a breakpoint. It does not matter where, as long as it will be hit at run time. In this example, we put a breakpoint at the start of the .init section:

   (gdb) br *0x80482b0

3. Run, and gdb will show a "virtual memory exhausted" error after it hits the breakpoint.
Created attachment 10141 [details]
malformed core file

gdb runs into an error when opening this file along with the normal binary (the attachment called cb).

Created attachment 10142 [details]
a regular ELF file (cb), used to load with the core file

Use gdb to load this ELF and the core file together.

Created attachment 10143 [details]
a malformed ELF file

gdb shows the error message after running this with a breakpoint.

Created attachment 10144 [details]
sample patch file

Created attachment 10145 [details]
screenshot of gdb failure when opening the core file

Created attachment 10146 [details]
screenshot when gdb fails during debugging
Thanks for the bug report. I see you have a possible patch to fix this issue, and it is rather trivial (in the sense that it just modifies a few lines of code). In this case, I would suggest you submit the patch, along with a description of what it does, to gdb-patches@sourceware.org. We have a wiki page which contains a contribution checklist: https://sourceware.org/gdb/wiki/ContributionChecklist. Thanks.
BTW, bug is confirmed on i686 targets.
Created attachment 10148 [details]
attachment-95212-0.html

Got it! Will check how to fix this.

On Thu, Jun 15, 2017 at 3:51 PM, sergiodj at redhat dot com <sourceware-bugzilla@sourceware.org> wrote:
> https://sourceware.org/bugzilla/show_bug.cgi?id=21600
>
> --- Comment #8 from Sergio Durigan Junior <sergiodj at redhat dot com> ---
> BTW, bug is confirmed on i686 targets.
BTW, we just tested on earlier versions of gdb (7.4 & 7.7). The bug affects earlier versions of gdb as well, i.e., malformed/malicious ELF binaries can prevent gdb from debugging by forcing session termination. We will work on a new patch.
The master branch has been updated by Sandra Loosemore <sandra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed

commit 723adb650a31859d7cc45832cb8adca0206455ed
Author: Sandra Loosemore <sandra@codesourcery.com>
Date:   Thu Apr 25 07:27:02 2019 -0700

    Detect invalid length field in debug frame FDE header.

    GDB was failing to catch cases where a corrupt ELF or core file
    contained an invalid length value in a Dwarf debug frame FDE header.
    It was checking for buffer overflow but not cases where the length
    was negative or caused pointer wrap-around.  In addition to the
    additional validity check, this patch cleans up the multiple
    signed/unsigned conversions on the length field so that an unsigned
    representation is used consistently throughout.

    This patch fixes CVE-2017-9778 and PR gdb/21600.

    2019-04-25  Sandra Loosemore  <sandra@codesourcery.com>
                Kang Li  <kanglictf@gmail.com>

        PR gdb/21600
        * dwarf2-frame.c (read_initial_length): Be consistent about
        using unsigned representation of length.
        (decode_frame_entry_1): Likewise.  Check for wraparound of
        end pointer as well as buffer overflow.
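To make the bug class concrete (the report's description in comment 1 and the fix's commit message above: a length field checked for buffer overflow but not for a negative value or pointer wrap-around), here is an added example that is not GDB's dwarf2-frame.c and not the submitted patch. It places a naive signed-length check beside a hardened reader for the DWARF initial length that starts every CIE/FDE, and walks a section with it. The names frame_entry, naive_length_ok, read_frame_entry_length and count_frame_entries, and the sample byte arrays, are this example's own constructions; the little-endian layout follows the 32-bit x86 binaries in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not GDB's dwarf2-frame.c: a hardened reader for the DWARF
   "initial length" that starts every CIE/FDE in .debug_frame/.eh_frame, next
   to a naive check of the kind the report describes.  frame_entry,
   naive_length_ok, read_frame_entry_length and count_frame_entries are
   names chosen for this example. */

struct frame_entry {
    size_t   body;     /* offset of the first byte after the length field */
    size_t   end;      /* offset one past the last byte of this entry */
    uint64_t length;   /* length as stored, handled as unsigned throughout */
    bool     dwarf64;  /* 64-bit DWARF, signalled by the 0xffffffff escape */
};

/* The report's binaries are 32-bit x86, so fields are little-endian. */
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t rd64(const unsigned char *p)
{
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Naive check in the spirit of the bug: the length is read into a signed type
   and only the upper bound is tested.  A length with the top bit set is
   "negative", moves the computed end backwards, and is wrongly accepted. */
bool naive_length_ok(const unsigned char *buf, size_t buf_len, size_t off)
{
    if (off > buf_len || buf_len - off < 4)
        return false;
    int32_t len = (int32_t)rd32(buf + off);       /* 0x80000000 reads as -2^31 */
    int64_t entry_end = (int64_t)(off + 4) + len; /* goes backwards for len < 0 */
    return entry_end <= (int64_t)buf_len;         /* passes; caller reads from a bogus end */
}

/* Hardened reader: 0 on success, a negative code for a malformed header.
   The length stays unsigned and is compared with the bytes remaining after
   the header, so no offset or pointer is ever formed from an unvalidated
   length (which is where wrap-around would happen). */
int read_frame_entry_length(const unsigned char *buf, size_t buf_len, size_t off,
                            struct frame_entry *out)
{
    if (off > buf_len || buf_len - off < 4)
        return -1;                                /* no room for the length field */
    uint64_t len = rd32(buf + off);
    size_t hdr = 4;
    bool dwarf64 = false;
    if (len == 0xffffffffu) {                     /* 64-bit DWARF escape */
        if (buf_len - off < 12)
            return -2;
        len = rd64(buf + off + 4);
        hdr = 12;
        dwarf64 = true;
    } else if (len >= 0xfffffff0u) {
        return -3;                                /* values reserved by DWARF */
    }
    uint64_t avail = buf_len - off - hdr;         /* bytes left after the header */
    if (len > avail)
        return -4;                                /* entry would run past the section */
    out->body = off + hdr;
    out->end = off + hdr + (size_t)len;           /* cannot overflow: len <= avail */
    out->length = len;
    out->dwarf64 = dwarf64;
    return 0;
}

/* Walks a section entry by entry, treating a zero length as the terminator
   (as .eh_frame does).  Returns the entry count, or -1 on any malformed
   header, so a corrupt file is rejected instead of driving the reader
   through an absurd amount of memory. */
int count_frame_entries(const unsigned char *buf, size_t buf_len)
{
    size_t off = 0;
    int n = 0;
    while (off < buf_len) {
        struct frame_entry fe;
        if (read_frame_entry_length(buf, buf_len, off, &fe) != 0)
            return -1;
        if (fe.length == 0)
            break;
        off = fe.end;                             /* > off, so the walk always advances */
        n++;
    }
    return n;
}

/* Constructed sample sections for this example (not the report's attachments). */
static const unsigned char good_section[] = {
    0x08, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8,        /* length 8 + 8 body bytes */
    0x04, 0, 0, 0, 9, 9, 9, 9,                    /* length 4 + 4 body bytes */
    0, 0, 0, 0                                    /* terminator */
};
static const unsigned char bad_section[] = { 0x00, 0x00, 0x00, 0x80, 1, 2, 3, 4 }; /* length 0x80000000 */
static const unsigned char dwarf64_section[] = { 0xff, 0xff, 0xff, 0xff, 2, 0, 0, 0, 0, 0, 0, 0, 0xaa, 0xbb };
```

With bad_section the naive check accepts the header (the "negative" length lands below the buffer end), while read_frame_entry_length rejects it with -4 because 0x80000000 exceeds the four bytes that actually remain; count_frame_entries therefore returns -1 instead of walking off into garbage. The hardened version never forms `p + length` before the bound check, which is the ordering the fix's commit message is about.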
Should be fixed by commit mentioned above.