RFC: Change readelf/objdump to automatically follow debug links
Florian Weimer
fweimer@redhat.com
Fri Feb 12 11:24:16 GMT 2021
* Nick Clifton:
> Hi Florian,
>
>>> The patch adds a new configure time option
>>> --enable-follow-debugs-links=[yes|no] which can be used to set the
>>> default behaviour for both objdump and readelf. If the option is
>>> not used, the default is to follow the links.
>> What happens if the debuglink contains '/'? Maybe it's prudent to
>> restrict loading of debuginfo data if it comes from the system default
>> location.
>
> Hmm, this could pose problems. There are binaries with debug-links that
> use absolute paths that are not rooted in system directories, but which
> are still valid. For example see:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=27391
>
> Is there really a problem with following these paths? Could an attacker
> really exploit this somehow?

Such indirection can lead to information disclosure if the output is
shared. Whether this applies in this particular case is hard to tell.

A compromise might be to follow the debuglinks by default as long as
they are under /usr/lib/debug, otherwise require explicit opt-in.

Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
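
The compromise proposed in the message above (follow automatically only under /usr/lib/debug, otherwise require opt-in), sketched as an added example; this is not code from binutils or from the patch under discussion. The names `normalise` and `debuglink_may_follow` are hypothetical, and the check is lexical only: it assumes the caller has already built an absolute candidate path, and a real implementation would also have to resolve symlinks (for example with realpath) before comparing.

```c
#include <stdio.h>
#include <string.h>
#define TRUSTED_ROOT "/usr/lib/debug"

/* Lexically normalise an absolute path ("//", ".", ".."); -1 if relative or too long. */
static int normalise(const char *path, char *out, size_t outsz)
{
    size_t len = 0;
    if (path[0] != '/' || outsz < 2)
        return -1;
    while (*path) {
        path += strspn(path, "/");      /* skip repeated separators */
        size_t n = strcspn(path, "/");  /* length of the next component */
        if (n == 2 && path[0] == '.' && path[1] == '.') {
            while (len > 0 && out[--len] != '/')
                continue;               /* drop the last component */
        } else if (n > 0 && !(n == 1 && path[0] == '.')) {
            if (len + 1 + n >= outsz)
                return -1;
            out[len++] = '/';
            memcpy(out + len, path, n);
            len += n;
        }
        path += n;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return 0;
}

/* 1 if the candidate debug file may be loaded, 0 if it needs explicit opt-in. */
int debuglink_may_follow(const char *candidate, int opt_in)
{
    char norm[4096];
    size_t rlen = strlen(TRUSTED_ROOT);
    if (opt_in)
        return 1;
    if (normalise(candidate, norm, sizeof norm) != 0)
        return 0;
    /* Require a '/' after the root so "/usr/lib/debugger" does not match. */
    return strncmp(norm, TRUSTED_ROOT, rlen) == 0 && norm[rlen] == '/';
}

int main(void)
{
    const char *p = "/usr/lib/debug/../../../home/user/x.debug"; /* constructed sample */
    printf("%s -> %s\n", p, debuglink_may_follow(p, 0) ? "follow" : "opt-in required");
    return 0;
}
```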