From: h3xrabbit at gmail dot com
Subject: [Bug binutils/29370] New: dwarf.c: infinite loop in display_debug_abbrev
Date: Fri, 15 Jul 2022 09:06:21 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=29370
Bug ID: 29370
Summary: dwarf.c: infinite loop in display_debug_abbrev
Product: binutils
Version: 2.40 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: h3xrabbit at gmail dot com
Target Milestone: ---
Created attachment 14211
--> https://sourceware.org/bugzilla/attachment.cgi?id=14211&action=edit
file that caused infinite loop
During a fuzzing campaign, I found that some files cause an infinite loop inside
`display_debug_abbrev()` with the command below:
readelf -w poc
Built on the latest commit (9afca381e2e46ccee433ce09001506e7683b273f) with the
default config `../configure`.
Command output:
readelf: Warning: The e_shentsize field in the ELF header is larger than the
size of an ELF section header
readelf: Error: Reading 3584 bytes extends past end of file for program headers
readelf: Error: Reading 1717502016 bytes extends past end of file for
.trace_abbrev section data
... warnings ...
Contents of the .trace_abbrev section:
... contents ...
Section '.trace_abbrev' has no debugging data.
Contents of the .trace_abbrev section:
Number TAG (0x0)
3878592198768 DW_TAG_padding [no children]
Unknown AT value: 70e1c3870e1c3870 Unknown FORM value: 45
DW_AT_virtuality Unknown FORM value: 46
DW_AT_location DW_FORM_addr
DW_AT_sibling DW_FORM value: 0
DW_AT value: 0 DW_FORM value: 0
readelf: Warning: Debug info is corrupted, abbrev offset (1240) is larger than
abbrev section size (8)
Contents of the .trace_abbrev section:
Number TAG (0x0)
3878592198768 DW_TAG_padding [no children]
Unknown AT value: 70e1c3870e1c3870 Unknown FORM value: 45
DW_AT_virtuality Unknown FORM value: 46
DW_AT_location DW_FORM_addr
DW_AT_sibling DW_FORM value: 0
DW_AT value: 0 DW_FORM value: 0
... looping same contents ...
I observed this through gdb when the program starts to loop, by breaking on the
`if (list == NULL)` line and printing out the variables:
gdb$ p start
$43 = (unsigned char *) 0x555555660b70 "\177ELF.trace_abbrev"
gdb$ p section->start
$44 = (unsigned char *) 0x555555660b70 "\177ELF.trace_abbrev"
gdb$ p *list
$45 = {
first_abbrev = 0x55555565f3d0,
last_abbrev = 0x55555565f3d0,
abbrev_base = 0x0,
abbrev_offset = 0x0,
next = 0x0,
start_of_next_abbrevs = 0x555555660b70 "\177ELF.trace_abbrev"
}
The `offset` variable will always be 0, and the `start` variable is never
updated since `list->start_of_next_abbrevs` is the same as `start`; maybe it's
caused by entering this function more than once?
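The state in the gdb dump above (a cached abbrev list whose `start_of_next_abbrevs` equals the current `start`, so the cursor never moves) is the classic way an offset-driven parser loop turns attacker-controlled input into a hang. The following is an added example, not binutils or readelf code: a minimal DWARF `.debug_abbrev` walker in C that keeps a per-offset cache like the one the report describes, but checks for strict forward progress on every iteration and bounds every LEB128 read. The cache layout, all function names, and the sample section bytes are constructed for illustration and are assumptions, not readelf's data structures.

```c
/* Added example, not binutils code: a DWARF .debug_abbrev walker that refuses
 * to loop without forward progress.  The cache shape (offset, next_offset) is
 * an assumption modelled on the gdb dump in the report; names are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum abbrev_status { ABBREV_OK = 0, ABBREV_TRUNCATED = 1, ABBREV_NO_PROGRESS = 2 };

#define ABBREV_CACHE_MAX 16
struct abbrev_cache_entry { size_t offset; size_t next_offset; };
struct abbrev_cache { size_t count; struct abbrev_cache_entry e[ABBREV_CACHE_MAX]; };

static struct abbrev_cache_entry *cache_find(struct abbrev_cache *c, size_t off)
{
    for (size_t i = 0; i < c->count; i++)
        if (c->e[i].offset == off) return &c->e[i];
    return NULL;
}

static void cache_put(struct abbrev_cache *c, size_t off, size_t next)
{
    if (c->count < ABBREV_CACHE_MAX) {
        c->e[c->count].offset = off;
        c->e[c->count].next_offset = next;
        c->count++;
    }
}

/* Decode a ULEB128 at p without reading past end.  Returns the number of bytes
 * consumed, or 0 if the value is truncated or longer than 10 bytes. */
static size_t read_uleb128(const uint8_t *p, const uint8_t *end, uint64_t *out)
{
    uint64_t v = 0; unsigned shift = 0; size_t n = 0;
    while (p + n < end && n < 10) {
        uint8_t b = p[n++];
        if (shift < 64) v |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if (!(b & 0x80)) { *out = v; return n; }
    }
    return 0;
}

/* Parse one abbreviation set: entries of (code, tag, children byte, (attr, form)
 * pairs ending in (0,0)) until a zero code.  On success *next points just past
 * the terminating zero, so it is always strictly greater than start. */
static enum abbrev_status parse_abbrev_set(const uint8_t *start, const uint8_t *end,
                                           const uint8_t **next)
{
    const uint8_t *p = start;
    for (;;) {
        uint64_t code, tag, attr, form, sval; size_t n;
        if (!(n = read_uleb128(p, end, &code))) return ABBREV_TRUNCATED;
        p += n;
        if (code == 0) { *next = p; return ABBREV_OK; }
        if (!(n = read_uleb128(p, end, &tag))) return ABBREV_TRUNCATED;
        p += n;
        if (p >= end) return ABBREV_TRUNCATED;   /* DW_CHILDREN_yes/no byte */
        p++;
        do {
            if (!(n = read_uleb128(p, end, &attr))) return ABBREV_TRUNCATED;
            p += n;
            if (!(n = read_uleb128(p, end, &form))) return ABBREV_TRUNCATED;
            p += n;
            if (form == 0x21) {   /* DW_FORM_implicit_const carries an SLEB128 value */
                if (!(n = read_uleb128(p, end, &sval))) return ABBREV_TRUNCATED;
                p += n;           /* same byte-length rule as ULEB128; value unused here */
            }
        } while (attr != 0 || form != 0);
    }
}

/* Walk every set in the section.  A set whose offset is already cached is
 * skipped via its cached next_offset, as in the report's loop; the difference
 * is the progress check, which turns "start never updated" into an error. */
enum abbrev_status walk_abbrev_section(const uint8_t *buf, size_t len,
                                       struct abbrev_cache *cache, size_t *nsets)
{
    size_t off = 0;
    *nsets = 0;
    while (off < len) {
        size_t next_off;
        struct abbrev_cache_entry *hit = cache_find(cache, off);
        if (hit) {
            next_off = hit->next_offset;
        } else {
            const uint8_t *next;
            enum abbrev_status st = parse_abbrev_set(buf + off, buf + len, &next);
            if (st != ABBREV_OK) return st;
            next_off = (size_t)(next - buf);
            cache_put(cache, off, next_off);
        }
        if (next_off <= off) return ABBREV_NO_PROGRESS;   /* forward-progress check */
        off = next_off;
        (*nsets)++;
    }
    return ABBREV_OK;
}

/* Constructed sample section: two sets, one abbrev each with (DW_AT_name, DW_FORM_string). */
const uint8_t sample_abbrev[] = {
    0x01, 0x11, 0x01, 0x03, 0x08, 0x00, 0x00, 0x00,   /* code 1, DW_TAG_compile_unit, children */
    0x01, 0x2e, 0x00, 0x03, 0x08, 0x00, 0x00, 0x00,   /* code 1, DW_TAG_subprogram, no children */
};

/* Walk with an empty cache: returns the set count, or -status on failure. */
long walk_fresh(const uint8_t *buf, size_t len)
{
    struct abbrev_cache c = { 0 }; size_t n;
    enum abbrev_status st = walk_abbrev_section(buf, len, &c, &n);
    return st == ABBREV_OK ? (long)n : -(long)st;
}

/* Same, but the cache is pre-seeded with the state the gdb dump shows:
 * an entry for offset 0 whose next offset is also 0. */
long walk_with_stale_entry(const uint8_t *buf, size_t len)
{
    struct abbrev_cache c = { 0 }; size_t n;
    cache_put(&c, 0, 0);
    enum abbrev_status st = walk_abbrev_section(buf, len, &c, &n);
    return st == ABBREV_OK ? (long)n : -(long)st;
}

int main(void)
{
    printf("valid section: %ld\n", walk_fresh(sample_abbrev, sizeof sample_abbrev));
    printf("truncated:     %ld\n", walk_fresh(sample_abbrev, 5));
    printf("stale cache:   %ld\n", walk_with_stale_entry(sample_abbrev, sizeof sample_abbrev));
    return 0;
}
```

The third call reproduces the reported condition (a cached entry whose next offset equals the current offset) and terminates with `ABBREV_NO_PROGRESS` instead of spinning; the second shows that a truncated set, such as the one readelf reports when the section's claimed size exceeds the file, is rejected rather than read past the buffer. The general rule this illustrates is that any loop whose cursor comes from a lookup table or from the input itself needs a `next > current` check, because bounds checks alone do not rule out a zero-length step.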
Thread:
- [Bug binutils/29370] New: dwarf.c: infinite loop in display_debug_abbrev, h3xrabbit at gmail dot com, 2022/07/15 (this message)
- [Bug binutils/29370] dwarf.c: infinite loop in display_debug_abbrev, h3xrabbit at gmail dot com, 2022/07/15
- [Bug binutils/29370] dwarf.c: infinite loop in display_debug_abbrev, h3xrabbit at gmail dot com, 2022/07/19
- [Bug binutils/29370] dwarf.c: infinite loop in display_debug_abbrev, amodra at gmail dot com, 2022/07/20
- [Bug binutils/29370] dwarf.c: infinite loop in display_debug_abbrev, cvs-commit at gcc dot gnu.org, 2022/07/21
- [Bug binutils/29370] dwarf.c: infinite loop in display_debug_abbrev, amodra at gmail dot com, 2022/07/21