bug-binutils

[Bug binutils/22204] New: integer overflow in decode_line_info in dwarf2


From: luanjunchao at 163 dot com
Subject: [Bug binutils/22204] New: integer overflow in decode_line_info in dwarf2.c:2294 in binutils 2.29
Date: Mon, 25 Sep 2017 13:29:00 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=22204

            Bug ID: 22204
           Summary: integer overflow in decode_line_info in dwarf2.c:2294
                    in binutils 2.29
           Product: binutils
           Version: 2.30 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: luanjunchao at 163 dot com
  Target Milestone: ---

Created attachment 10477
  --> https://sourceware.org/bugzilla/attachment.cgi?id=10477&action=edit
poc of integer overflow

When I run "nm-new -a -A -D -l -n -P -r -S --size-sort --special-syms
--synthetic --with-symbol-versions integer_overflow.elf", it just hangs there
and lasts for a long time. And when I run ltrace with the above command, I find
that it calls malloc persistently.

And then I debug it with gdb, and I finally find the reason in the function
decode_line_info. Here is the snippet of it:

      /* Decode the table.  */
      while (! end_sequence)
        {
          op_code = read_1_byte (abfd, line_ptr, line_end);
          line_ptr += 1;

          if (op_code >= lh.opcode_base)
            {
              /* Special operand.  */
              adj_opcode = op_code - lh.opcode_base;
              if (lh.line_range == 0)
                goto line_fail;
              if (lh.maximum_ops_per_insn == 1)
                address += (adj_opcode / lh.line_range
                            * lh.minimum_instruction_length);
              else
                {
                  address += ((op_index + adj_opcode / lh.line_range)
                              / lh.maximum_ops_per_insn
                              * lh.minimum_instruction_length);
                  op_index = ((op_index + adj_opcode / lh.line_range)
                              % lh.maximum_ops_per_insn);
                }
2294:         line += lh.line_base + (adj_opcode % lh.line_range);
              /* Append row to matrix using current values.  */
              if (!add_line_info (table, address, op_index, filename,
                                  line, column, discriminator, 0))
                goto line_fail;
              discriminator = 0;
              if (address < low_pc)
                low_pc = address;
              if (address > high_pc)
                high_pc = address;
            }


When I debug the process, lh.line_base=-5 (int type), while line is
declared as an unsigned int with initial value 0; when it meets a specific
condition, it just gets trapped in the while loop.

The poc is attached.

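The following is an added illustration of the arithmetic the report points at; it is not binutils code and not part of the original bug mail. It models the special-opcode line advance from the quoted snippet in isolation: `line` is an unsigned int and `line_base` an int, as the reporter states, and `adj_opcode` / `line_range` are modelled as single bytes (an assumption based on the DWARF line-program header). The unchecked function shows how a negative net advance wraps `line` to a value near UINT_MAX instead of going below zero; the checked variant does the same computation in a wide signed type and rejects out-of-range results, which is one way a consumer can refuse such input. The sample values (line_base -5, line_range 14, adj_opcode 0) are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-alone model of the special-opcode line advance from the snippet
   in the report.  Not binutils code; the field names follow the snippet
   and the byte-sized types for adj_opcode/line_range are an assumption.
   Precondition for the unchecked version: line_range != 0 (the snippet
   jumps to line_fail before reaching this point when it is 0). */

/* Unchecked: exactly the arithmetic the snippet performs.  Adding a
   negative int to an unsigned int wraps modulo UINT_MAX + 1 (well-defined
   in C, but a logic error here), so line can jump to a huge value. */
unsigned int advance_line_unchecked(unsigned int line, int line_base,
                                    unsigned char adj_opcode,
                                    unsigned char line_range)
{
    line += line_base + (adj_opcode % line_range);
    return line;
}

/* Checked: compute the new line in a 64-bit signed type and reject any
   result outside [0, UINT_MAX].  Returns false instead of wrapping; a
   caller would treat that like the snippet's line_fail. */
bool advance_line_checked(unsigned int line, int line_base,
                          unsigned char adj_opcode, unsigned char line_range,
                          unsigned int *out)
{
    if (line_range == 0)
        return false;                       /* avoid the division by zero */
    int64_t delta = (int64_t)line_base + (adj_opcode % line_range);
    int64_t next = (int64_t)line + delta;
    if (next < 0 || next > (int64_t)UINT_MAX)
        return false;                       /* would wrap: reject the row */
    *out = (unsigned int)next;
    return true;
}

/* Convenience wrapper returning the new line number, or -1 when the
   checked advance was rejected. */
long long advance_line_checked_value(unsigned int line, int line_base,
                                     unsigned char adj_opcode,
                                     unsigned char line_range)
{
    unsigned int out;
    if (!advance_line_checked(line, line_base, adj_opcode, line_range, &out))
        return -1;
    return (long long)out;
}

int main(void)
{
    /* Constructed inputs modelled on the report: line starts at 0 and
       line_base is -5.  line_range 14 is an assumed header value and
       adj_opcode 0 makes adj_opcode % line_range == 0, so the net
       advance is -5. */
    unsigned int line = 0;
    int line_base = -5;
    unsigned char line_range = 14;
    unsigned char adj_opcode = 0;

    printf("unchecked: %u\n",
           advance_line_unchecked(line, line_base, adj_opcode, line_range));
    printf("checked:   %lld\n",
           advance_line_checked_value(line, line_base, adj_opcode, line_range));
    return 0;
}
```

With a 32-bit unsigned int the unchecked call yields 4294967291 (UINT_MAX - 4) for the report's starting values, while the checked call returns -1 and leaves `line` untouched; a legitimate advance such as line 10 with line_base -5 and adj_opcode 7 gives 12 in both variants.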

