From patchwork Wed Nov 6 09:24:00 2013
X-Patchwork-Submitter: Will Newton
X-Patchwork-Id: 21351
Message-ID: <527A0AB0.6070904@linaro.org>
Date: Wed, 06 Nov 2013 09:24:00 +0000
From: Will Newton
To: gdb-patches@sourceware.org
CC: Patch Tracking
Subject: [PATCH v2] gdb/dwarf2read.c: Sanity check DW_AT_sibling values.

When reading objects with corrupt debug information it is possible that
the sibling chain can form a loop, which leads to an infinite loop and
memory exhaustion. Avoid this situation by disregarding any DW_AT_sibling
values that point to a lower address than the current entry.

gdb/ChangeLog:

2013-11-01  Will Newton

	PR gdb/12866
	* dwarf2read.c (skip_one_die): Sanity check DW_AT_sibling values.
	(read_partial_die): Likewise.
---
 gdb/dwarf2read.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

Changes in v2:
 - Wrap over long lines

diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
index 3974d0b..bc8e8ca 100644
--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
@@ -7016,7 +7016,16 @@ skip_one_die (const struct die_reader_specs *reader, const gdb_byte *info_ptr, complaint (&symfile_complaints, _("ignoring absolute DW_AT_sibling")); else - return buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + { + unsigned int off = dwarf2_get_ref_die_offset (&attr).sect_off; + const gdb_byte *sibling_ptr = buffer + off; + + if (sibling_ptr < info_ptr) + complaint (&symfile_complaints, + _("DW_AT_sibling points backwards")); + else + return sibling_ptr; + } } /* If it isn't DW_AT_sibling, skip this attribute. */ @@ -15134,7 +15143,16 @@ read_partial_die (const struct die_reader_specs *reader, complaint (&symfile_complaints, _("ignoring absolute DW_AT_sibling")); else - part_die->sibling = buffer + dwarf2_get_ref_die_offset (&attr).sect_off; + { + unsigned int off = dwarf2_get_ref_die_offset (&attr).sect_off; + const gdb_byte *sibling_ptr = buffer + off; + + if (sibling_ptr < info_ptr) + complaint (&symfile_complaints, + _("DW_AT_sibling points backwards")); + else + part_die->sibling = sibling_ptr; + } break; case DW_AT_byte_size: part_die->has_byte_size = 1;
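Review bot: in the skip_one_die hunk the new guard only rejects the backward case (`if (sibling_ptr < info_ptr)`); a DW_AT_sibling offset that lies past the end of the section is still turned into `buffer + off` and returned, and the caller then keeps reading from it. Since `off` comes straight from the untrusted input, pair the lower bound with an upper bound against the end of the section buffer (the reader's buffer-end pointer, assumed to be reachable from `reader` here), along the lines of `else if (sibling_ptr > buffer_end) complaint (...)`, before the `return sibling_ptr;`. The lower bound as written is sound: `info_ptr` has already been advanced past the attribute when the comparison runs, so every accepted sibling moves strictly forward and the walk must terminate.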
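Review bot: the read_partial_die hunk is a line-for-line copy of the block added to skip_one_die, down to the complaint text; factor the offset-to-pointer conversion and the backward check into one small helper so both call sites share a single definition and a later tightening (an upper-bound check, for instance) cannot land in one place and be missed in the other. Also, when the value is disregarded here `part_die->sibling` is simply left as it was, which is the intended fallback to skipping the DIE attribute by attribute; a one-line comment in the complaint branch saying so would spare the next reader from having to verify that.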
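To show the effect of the check on a chain that actually loops, here is an added example that is not part of the patch and not gdb's code. It uses a constructed toy entry layout (one abbrev byte plus a 4-byte offset standing in for DW_AT_sibling) rather than real DWARF, and it goes one step beyond the patch by also rejecting a sibling that points past the end of the buffer. The names walk_siblings, walk_result, ENTRY_SIZE and the three sample buffers are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy entry layout (constructed for this example; not real DWARF):
   one abbrev byte (0 terminates the walk) followed by a 4-byte
   little-endian offset from the start of the buffer that plays the role
   of DW_AT_sibling (0 means the entry carries no sibling attribute).  */
#define ENTRY_SIZE 5

struct walk_result
{
  int visited;      /* entries the walker stepped through */
  int complaints;   /* sibling values that were disregarded */
};

static uint32_t
read_u32le (const uint8_t *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Walk the sibling chain from START.  A sibling value is honoured only if
   it points at or after the position already reached and lies inside the
   buffer; otherwise it is disregarded and the walker advances
   sequentially, which is the fallback the gdb patch relies on.  Because
   every accepted jump moves strictly forward, the walk ends after at most
   LEN / ENTRY_SIZE steps even when the chain forms a loop.  */
struct walk_result
walk_siblings (const uint8_t *buffer, size_t len, size_t start)
{
  struct walk_result r = { 0, 0 };
  const uint8_t *buffer_end = buffer + len;
  const uint8_t *info_ptr = buffer + start;

  while (info_ptr + ENTRY_SIZE <= buffer_end && *info_ptr != 0)
    {
      uint32_t off = read_u32le (info_ptr + 1);

      /* As in skip_one_die, the attribute has been consumed before the
         sibling pointer is examined, so INFO_PTR already sits past it.  */
      info_ptr += ENTRY_SIZE;
      r.visited++;

      if (off == 0)
        continue;                       /* no DW_AT_sibling: keep going */

      if (off > len)
        r.complaints++;                 /* sibling beyond the section end */
      else if (buffer + off < info_ptr)
        r.complaints++;                 /* "DW_AT_sibling points backwards" */
      else
        info_ptr = buffer + off;        /* well-formed: skip ahead */
    }
  return r;
}

/* Constructed inputs.  Entries sit at offsets 0, 5, 10; terminator at 15.  */
static const uint8_t good_chain[] = {
  1, 10, 0, 0, 0,   /* 0: sibling -> 10, skipping the child at 5 */
  2,  0, 0, 0, 0,   /* 5: child, never reached through the chain */
  1,  0, 0, 0, 0,   /* 10: no sibling attribute */
  0,  0, 0, 0, 0    /* 15: terminator */
};
static const uint8_t looping_chain[] = {
  1, 10, 0, 0, 0,   /* 0: sibling -> 10 */
  2,  0, 0, 0, 0,   /* 5 */
  1,  5, 0, 0, 0,   /* 10: sibling -> 5, backwards: 5 -> 10 -> 5 ... */
  0,  0, 0, 0, 0
};
static const uint8_t overrun_chain[] = {
  1, 200, 0, 0, 0,  /* 0: sibling -> 200, past the 10-byte buffer */
  0,   0, 0, 0, 0
};

int
main (void)
{
  struct walk_result r;

  r = walk_siblings (good_chain, sizeof good_chain, 0);
  printf ("good:    visited=%d complaints=%d\n", r.visited, r.complaints);
  r = walk_siblings (looping_chain, sizeof looping_chain, 0);
  printf ("looping: visited=%d complaints=%d\n", r.visited, r.complaints);
  r = walk_siblings (overrun_chain, sizeof overrun_chain, 0);
  printf ("overrun: visited=%d complaints=%d\n", r.visited, r.complaints);
  return 0;
}
```

Without the backward comparison the looping_chain input never terminates (10 sends the walker to 5, 5 advances to 10, and so on); with it the bad value is counted as a complaint and the walker falls through to the sequential advance, just as the patched skip_one_die does.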