This is the mail archive of the gdb-patches@sourceware.org mailing list for the GDB project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Patch: check for over- and under-flow in decode_locdesc


I am going to check this in sometime soon, barring complaints.

This is a new version of a patch we've been carrying in Fedora for quite
some time.  It changes decode_locdesc to check for under- and
over-flow.  This is the topic of CVE-2006-4146.

This version of the patch issues a complaint where earlier versions
called internal_error.  I also cleaned up the comment formatting.

Writing a test case for this is a pain, but I tried it by hand (by
modifying state using a second gdb) to make sure it does the right
thing.

Built and regtested on x86-64 (compile farm).

Tom

2010-11-18  Will Drewry <wad@google.com>
	    Tavis Ormandy <taviso@google.com>
	    Jan Kratochvil  <jan.kratochvil@redhat.com>

	* dwarf2read.c (decode_locdesc): Enforce location description stack
	boundaries.

diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
index 33ebea8..30e1baa 100644
--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
@@ -13279,8 +13279,7 @@ read_signatured_type (struct objfile *objfile,
    callers will only want a very basic result and this can become a
    complaint.
 
-   Note that stack[0] is unused except as a default error return.
-   Note that stack overflow is not yet handled.  */
+   Note that stack[0] is unused except as a default error return.  */
 
 static CORE_ADDR
 decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
@@ -13297,6 +13296,7 @@ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
   i = 0;
   stacki = 0;
   stack[stacki] = 0;
+  stack[++stacki] = 0;
 
   while (i < size)
     {
@@ -13478,6 +13478,22 @@ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
 		     dwarf_stack_op_name (op, 1));
 	  return (stack[stacki]);
 	}
+
+      /* Enforce maximum stack depth of SIZE-1 to avoid writing
+         outside of the allocated space.  Also enforce minimum>0.  */
+      if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
+	{
+	  complaint (&symfile_complaints,
+		     _("location description stack overflow"));
+	  return 0;
+	}
+
+      if (stacki <= 0)
+	{
+	  complaint (&symfile_complaints,
+		     _("location description stack underflow"));
+	  return 0;
+	}
     }
   return (stack[stacki]);
 }


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]