https://sourceware.org/bugzilla/show_bug.cgi?id=29370
Bug ID: 29370
Summary: dwarf.c: infinite loop in display_debug_abbrev
Product: binutils
Version: 2.40 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: h3xrabbit at gmail dot com
Target Milestone: ---

Created attachment 14211
--> https://sourceware.org/bugzilla/attachment.cgi?id=14211&action=edit
file that caused infinite loop

During a fuzzing campaign, I found that some files cause an infinite loop inside `display_debug_abbrev()` with the command below:

readelf -w poc

Built on the latest commit (9afca381e2e46ccee433ce09001506e7683b273f), with the default config `../configure`.

Command output:

readelf: Warning: The e_shentsize field in the ELF header is larger than the size of an ELF section header
readelf: Error: Reading 3584 bytes extends past end of file for program headers
readelf: Error: Reading 1717502016 bytes extends past end of file for .trace_abbrev section data
... warnings ...
Contents of the .trace_abbrev section:
... contents ...
Section '.trace_abbrev' has no debugging data.

Contents of the .trace_abbrev section:

  Number TAG (0x0)
   3878592198768 DW_TAG_padding    [no children]
    Unknown AT value: 70e1c3870e1c3870   Unknown FORM value: 45
    DW_AT_virtuality   Unknown FORM value: 46
    DW_AT_location     DW_FORM_addr
    DW_AT_sibling      DW_FORM value: 0
    DW_AT value: 0     DW_FORM value: 0
readelf: Warning: Debug info is corrupted, abbrev offset (1240) is larger than abbrev section size (8)

Contents of the .trace_abbrev section:

  Number TAG (0x0)
   3878592198768 DW_TAG_padding    [no children]
    Unknown AT value: 70e1c3870e1c3870   Unknown FORM value: 45
    DW_AT_virtuality   Unknown FORM value: 46
    DW_AT_location     DW_FORM_addr
    DW_AT_sibling      DW_FORM value: 0
    DW_AT value: 0     DW_FORM value: 0
... looping same contents ...
I observed through gdb that when the program starts to loop, breaking on the `if (list == NULL)` line and printing out the variables gives:

gdb$ p start
$43 = (unsigned char *) 0x555555660b70 "\177ELF.trace_abbrev"
gdb$ p section->start
$44 = (unsigned char *) 0x555555660b70 "\177ELF.trace_abbrev"
gdb$ p *list
$45 = {
  first_abbrev = 0x55555565f3d0,
  last_abbrev = 0x55555565f3d0,
  abbrev_base = 0x0,
  abbrev_offset = 0x0,
  next = 0x0,
  start_of_next_abbrevs = 0x555555660b70 "\177ELF.trace_abbrev"
}

The `offset` variable will always be 0, and the `start` variable will never be updated since `list->start_of_next_abbrevs` is the same as `start`; maybe it's caused by entering this function more than once?
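The hang the reporter describes is a walk over an abbrev section whose cursor stops advancing: the next start returned for a table is the same pointer as the current start, so the loop condition never changes. The following is an added illustration, not binutils code and not the reporter's, of the defensive shape such a walk should have: a ULEB128-based skip over one abbreviation table that is bounded by the real buffer length, and a driver that treats "no forward progress" as a hard error instead of iterating again. All names here (`read_uleb128`, `skip_abbrev_table`, `walk_abbrev_section`, `stuck_advance`) and the sample section bytes are this example's own; the `advance` callback exists only so the test can plug in a deliberately stuck step and show the guard firing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration (not binutils code): a bounded walk over a DWARF
 * .debug_abbrev-style section with an explicit forward-progress guard.
 * All names are this example's own. */

typedef const unsigned char *(*advance_fn)(const unsigned char *start,
                                           const unsigned char *end);

/* Decode one ULEB128 value. Returns the pointer just past it, or NULL if
 * the encoding runs past 'end'. */
static const unsigned char *read_uleb128(const unsigned char *p,
                                         const unsigned char *end,
                                         uint64_t *out)
{
    uint64_t value = 0;
    unsigned shift = 0;
    while (p < end) {
        unsigned char byte = *p++;
        if (shift < 64)
            value |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {
            *out = value;
            return p;
        }
    }
    return NULL;
}

/* Skip one abbreviation table: entries of (code, tag, children byte,
 * (attr, form)* ending in (0,0)), the table itself ending in code 0.
 * This toy decoder ignores DW_FORM_implicit_const's extra SLEB128 operand.
 * Returns the pointer just past the table, or NULL if it is truncated. */
static const unsigned char *skip_abbrev_table(const unsigned char *start,
                                              const unsigned char *end)
{
    const unsigned char *p = start;
    for (;;) {
        uint64_t code, tag, attr, form;
        if ((p = read_uleb128(p, end, &code)) == NULL) return NULL;
        if (code == 0) return p;                 /* end of this table */
        if ((p = read_uleb128(p, end, &tag)) == NULL) return NULL;
        if (p >= end) return NULL;
        p++;                                     /* DW_CHILDREN_* byte */
        do {
            if ((p = read_uleb128(p, end, &attr)) == NULL) return NULL;
            if ((p = read_uleb128(p, end, &form)) == NULL) return NULL;
        } while (attr != 0 || form != 0);
    }
}

/* Walk every table in [sec, sec+len). 'advance' yields where the next
 * table starts. Returns the number of tables walked, -1 if 'advance' did
 * not move the cursor forward (the stuck-cursor situation the report
 * describes), or -2 on truncation. A stuck cursor ends the walk with an
 * error instead of looping forever. */
static int walk_abbrev_section(const unsigned char *sec, size_t len,
                               advance_fn advance)
{
    const unsigned char *start = sec, *end = sec + len;
    int tables = 0;
    while (start < end) {
        const unsigned char *next = advance(start, end);
        if (next == NULL)
            return -2;
        if (next <= start || next > end)
            return -1;
        start = next;
        tables++;
    }
    return tables;
}

/* Constructed sample section with two tables.
 * Table 1: code 1, DW_TAG_compile_unit (0x11), has children,
 *          DW_AT_name (0x03) DW_FORM_string (0x08), (0,0), then code 0.
 * Table 2: an empty table (just the terminating code 0). */
static const unsigned char sample_section[] = {
    0x01, 0x11, 0x01, 0x03, 0x08, 0x00, 0x00, 0x00,
    0x00
};

/* Simulated stuck step: returns the same pointer it was given, mimicking
 * a start_of_next_abbrevs equal to start. */
static const unsigned char *stuck_advance(const unsigned char *start,
                                          const unsigned char *end)
{
    (void)end;
    return start;
}

int main(void)
{
    int n = walk_abbrev_section(sample_section, sizeof sample_section,
                                skip_abbrev_table);
    printf("tables walked: %d\n", n);          /* 2 */
    n = walk_abbrev_section(sample_section, sizeof sample_section,
                            stuck_advance);
    printf("stuck walker result: %d\n", n);    /* -1 */
    return 0;
}
```

The guard `next <= start` is the whole point: a parser driven by attacker-controlled offsets (here an abbrev offset far beyond a section claimed to be 8 bytes long) cannot rely on the data to move it forward, so the loop must check progress itself and fail closed.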