Bug 22219 - infinite loop in process_debug_info in dwarf.c in binutils 2.30(HEAD)
Summary: infinite loop in process_debug_info in dwarf.c in binutils 2.30(HEAD)
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30 (HEAD)
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-27 07:00 UTC by skysider
Modified: 2017-09-27 09:46 UTC
See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
poc of infinite loop (40.23 KB, application/x-executable)
2017-09-27 07:00 UTC, skysider

Description skysider 2017-09-27 07:00:52 UTC
Created attachment 10490
poc of infinite loop

When I run "objdump -x -D -S -s -g -e -G --dwarf -t -T -r -R --special-syms --inlines --dwarf-check loop.elf", it gets trapped in the function process_debug_info.

A snippet of the function is here:

for (section_begin = start, unit = 0; start < end; unit++)
  {
    ......
    /* advance to the next compilation unit */
    start += compunit.cu_length + initial_length_size;
    ......
  }

When I debug it with gdb, I can see that compunit.cu_length = 0xfffffff4 and initial_length_size = 12, which leads to start += 0 on each loop. Maybe there is an integer overflow here.
The poc is attached here.
Comment 1 cvs-commit@gcc.gnu.org 2017-09-27 09:44:11 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b

commit 19485196044b2521af979f1e5c4a89bfb90fba0b
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Sep 27 10:42:51 2017 +0100

    Prevent an infinite loop in the DWARF parsing code when encountering a CU structure with a small negative size.
    
    	PR 22219
    	* dwarf.c (process_debug_info): Add a check for a negative
    	cu_length field.
Comment 2 Nick Clifton 2017-09-27 09:46:46 UTC
Hi Skysider,

  Thanks for reporting this bug.  I have checked in a patch to test for negative lengths in the comp_unit structure, which will prevent this infinite loop from happening again.

Cheers
  Nick