Calculating "0 - pointer" can indeed result in seeming randomness as
the pointer address varies.
PR 28541
* dwarf.c (display_debug_frames): Don't print cie offset when
invalid, print "invalid" instead. Remove now redundant warning.
While looking at an apparently malformed executable with
"readelf --debug-dump=loc", I got this warning:
readelf: ./main: Warning: There is a hole [0x89 - 0x95] in .debug_loc section.
However, the executable only has a .debug_loclists section.
This patch fixes the warning messages in display_debug_loc to use the
name of the section that is being processed.
binutils/ChangeLog
2021-11-03 Tom Tromey <tromey@adacore.com>
* dwarf.c (display_debug_loc): Use section name in warnings.
That assert would be more obvious if it were reported as
"addr_ranges <= end_ranges". Fix that by using the obvious variable
in the final loop. Stop the assertion by using a signed comparison:
It's possible for the rounding up of the arange pointer to exceed the
end of the block when the block size is fuzzed.
* dwarf.c (display_debug_aranges): Use "end_ranges" in loop
displaying ranges rather that "start". Simplify rounding up
to 2*address_size boundary. Use signed comparison in loop.
I'd missed the fact that the .debug_rnglists dump doesn't exactly
display the contents of the section. Instead readelf rummages through
.debug_info looking for DW_AT_ranges entries, then displays the
entries in .debug_rnglists pointed at, sorted. A simpler dump of the
actual section contents might be more useful and robust, but it was
likely done that way to detect overlap and holes.
Anyway, the headers in .debug_rnglists besides the first are ignored,
and limiting to the unit length of the first header fails if there is
more than one unit.
PR 28459
* dwarf.c (display_debug_ranges): Don't constrain data to length
in header.
For DWARF revision 4 and earlier, display_debug_lines_decoded
populates the file_table array with entries read from .debug_line
after the directory table. file_table[0] contains the first entry.
DWARF rev 4 line number programs index this entry as file number one.
DWARF revision 5 changes .debug_line format quite extensively, and in
particular gives file number zero a meaning.
PR 27202
* dwarf.c (display_debug_lines_decoded): Correct indexing used
for DWARF5 files.
DWARF sections have special names on AIX which need be handled
by objdump in order to correctly print them.
This patch also adds the correlation in bfd for future uses.
bfd/
* libxcoff.h (struct xcoff_dwsect_name): Add DWARF name.
* coff-rs6000.c (xcoff_dwsect_names): Update.
* coffcode.h (sec_to_styp_flags): Likewise.
(coff_new_section_hook): Likewise.
binutils/
* dwarf.h (struct dwarf_section): Add XCOFF name.
* dwarf.c (struct dwarf_section_display): Update.
* objdump.c (load_debug_section): Add XCOFF name handler.
(dump_dwarf_section): Likewise.
gas/
* config/tc-ppc.c (ppc_change_debug_section): Update to
match new name's field.
We shouldn't be asserting on anything to do with leb128 values, or
reporting file and line numbers when something unexpected happens.
leb128 data is of indeterminate length, perfect for fuzzer mayhem.
It would only make sense to assert or report dwarf.c/readelf.c source
lines if the code had already sized and sanity checked the leb128
values.
After removing the assertions, the testcase then gave:
<37> DW_AT_discr_list : 5 byte block: 0 0 0 0 0 (label 0, label 0, label 0, label 0, <corrupt>
readelf: Warning: corrupt discr_list - unrecognized discriminant byte 0x5
<3d> DW_AT_encoding : 0 (void)
<3e> DW_AT_identifier_case: 0 (case_sensitive)
<3f> DW_AT_virtuality : 0 (none)
<40> DW_AT_decimal_sign: 5 (trailing separate)
So the DW_AT_discr_list was showing more data than just the 5 byte
block. That happened due to "end" pointing a long way past the end of
block, and uvalue decrementing past zero on one of the leb128 bytes.
PR 28069
* dwarf.c (display_discr_list): Remove assertions. Delete "end"
parameter, use initial "data" pointer as the end. Formatting.
Don't count down bytes as they are read.
(read_and_display_attr_value): Adjust display_discr_list call.
(read_and_print_leb128): Don't pass __FILE__ and __LINE__ to
report_leb_status.
* dwarf.h (report_leb_status): Don't report file and line
numbers. Delete file and lnum parameters,
(READ_ULEB, READ_SLEB): Adjust.
DW_FORM_ref1, DW_FORM_ref2, DW_FORM_ref4, DW_FORM_ref1, and
DW_FORM_ref_udata are all supposed to be within the containing unit.
PR 28047
* dwarf.c (get_type_abbrev_from_form): Add cu_end parameter.
Check DW_FORM_ref1 etc. arg against cu_end rather than end of
section. Adjust all callers.
In function 'strncpy',
inlined from 'display_debug_lines_decoded' at /home/alan/src/binutils-gdb/binutils/dwarf.c:5434:5,
inlined from 'display_debug_lines' at /home/alan/src/binutils-gdb/binutils/dwarf.c:5567:21:
/usr/include/bits/string_fortified.h:95:10: error: '__builtin_strncpy' specified bound 36 equals destination size [-Werror=stringop-truncation]
No need for strncpy here, the string being copied always fits the
destination buffer.
* dwarf.c (display_debug_lines_decoded): Use memcpy rather than
strncpy when trimming file name length to MAX_FILENAME_LENGTH.
Don't make an unnecessary copy when length is good.
If you look at the type used for implicit_const objects in binutils/dwarf.c,
you'll get sometimes bfd_signed_vma and sometimes dwarf_signed_vma.
They are the same on 64-bit hosts, but not on 32-bit hosts, and the latter
discrepancy, in particular in process_abbrev_set, is responsible for the
following error issued by objdump on some object files containing DWARF 5:
binutils/dwarf.c:1108: read LEB value is too large to store in destination
variable
binutis/
* dwarf.c (struct abbrev_attr): Change type of implicit_const.
(add_abbrev_attr): Likewise.
(process_abbrev_set): Likewise.
(display_debug_abbrev): Adjust to above change.
Older gcc reports:
.../bfd/dwarf2.c: In function 'read_ranges':
.../bfd/dwarf2.c:3107: error: comparison between signed and unsigned
.../bfd/dwarf2.c: In function 'read_rnglists':
.../bfd/dwarf2.c:3189: error: comparison between signed and unsigned
Similarly for binutils/dwarf.c. Arrange for the left sides of the > to
also be unsigned quantities.
PR 27884
* dwarf.c (get_type_abbrev_from_form): Replace cu_offset_return
param with map_return, and return map for DW_FORM_ref_addr.
(get_type_signedness): Adjust calls to get_type_abbrev_from_form.
Pass returned cu map start and end to recursive call.
(read_and_display_attr_value): Similarly.
* dwarf.c (display_debug_names): Complain when header length is
too small. Avoid pointer UB. Sanity check augmentation string,
CU table, TU table and foreign TU table sizes.
* dwarf.c (display_debug_frames): Delete initial_length_size.
Avoid pointer UB. Constrain data reads to length given in header.
Sanity check cie header length. Only skip up to next FDE on
finding augmentation data too long.
* dwarf.c (display_debug_ranges): Delete initial_length_size.
Correct fallback size calculated on finding a reloc. Constrain
data reads to length given in header. Avoid pointer UB.
* dwarf.c (get_line_filename_and_dirname): Delete initial_length_size.
Simplify length sanity check, and check for too small lengths.
Constrain data reads to header length. Avoid pointer UB.
The existing code went to the bother of using strnlen for scanning but
went wild when printing, and possibly incremented curr past end.
* dwarf.c (display_debug_macinfo): Print strings that might not
be zero terminated with %*s. Don't bump curr if unterminated.
The directory_table strnlen used the negative of the proper size. After
fixing that I realised we don't need strnlen here.
* dwarf.c (display_debug_lines_decoded): Don't use strnlen when
we have already checked for NUL termination.
This patch also better constrains the data read, and removes pointer UB.
* dwarf.c (read_debug_line_header): Delete initial_length_size.
Avoid pointer UB. Keep within length specified by header.
Delete dead code.
This patch constrains process_debug_info to stay within the data
specified by the CU length rather than allowing access up to the end
of the section.
* dwarf.c (process_debug_info): Always do the first CU length
scan for sanity checks. Remove initial_length_size var and
instead calculate end_cu. Use end_cu to limit data reads.
Delete now dead code checking length.
A sufficiently mad compiler optimiser can take undefined behaviour
according to the C standard as an opportunity to remove code. Since
"data + size" might be seen to be past the end of an array,
calculating such an expression is UB.
_mul_overflow is infrastructure for later patches.
* bucomm.h (_mul_overflow): Define.
* dwarf.c (get_encoded_value): Avoid pointer UB.
Well it didn't take long for the SAFE_BYTE_GET assert to trigger.
PR 27860
* dwarf.c (display_debug_frames): Sanity check cie_off before
attempting to read cie.
* dwarf.c (process_extended_line_op): Don't bump data pointer past
end when strnlen doesn't find string terminator.
(decode_location_expression): Remove dead code.
(skip_attr_bytes): Remove const from end param. Ensure data
pointer doesn't pass end.
(get_type_signedness): Remove const from end param.
(read_and_display_attr_value): Ensure data pointer doesn't pass end.
(display_debug_lines_raw, display_debug_lines_decoded): Likewise.
(display_debug_pubnames_worker): Likewise.
(display_debug_pubnames_worker): Use SAFE_BYTE_GET_AND INC rather
than blindly incrementing data pointer.
(display_debug_addr, display_debug_str_offsets): Likewise. Don't
compare pointers, compare lengths.
This rearranges SAFE_BYTE_GET* macros, eliminating some duplication,
and making sure that the _INC variants never increment their PTR arg
past END. I've added an assertion that should show us places where we
use them improperly with user derived PTR args, which I'm sure the
fuzzers will find for us.
* dwarf.c (SAFE_BYTE_GET_INTERNAL): Define.
(SAFE_BYTE_GET, SAFE_BYTE_GET_AND_INC): Define using the above.
(SAFE_SIGNED_BYTE_GET, SAFE_SIGNED_BYTE_GET_AND_INC): Likewise.
(display_discr_list): Use SAFE_BYTE_GET_AND_INC rather than
SAFE_BYTE_GET followed by increment.
(process_debug_info): Likewise, and test bytes remaining before
incrementing section_begin rather than using pointer comparison.
(display_debug_names): Pass lvalue as SAFE_BYTE_GET PTR.
(process_cu_tu_index): Likewise for SAFE_BYTE_GET_AND_INC.
Not quite infinite but much longer than it need be. The problem is
triggered by read_and_display_attr_value incrementing "data" past
"end". read_and_display_attr_value shouldn't do that, but be
defensive.
PR 27853
* dwarf.c (display_formatted_table): Test for data >= end rather
than data == end.
(process_extended_line_op): Likewise.
(display_debug_lines_raw): Likewise.
(display_debug_lines_decoded): Likewise.
Building as ILP32 shows:
gcc -m32 -DHAVE_CONFIG_H -I. -I/checkout/binutils -I. -I/checkout/binutils -I../bfd -I/checkout/binutils/../bfd -I/checkout/binutils/../include -DLOCALEDIR="\"/usr/local/share/locale\"" -Dbin_dummy_emulation=bin_vanilla_emulation -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -Wstack-usage=262144 -Werror -I/checkout/binutils/../zlib -g -O2 -MT dwarf.o -MD -MP -MF $depbase.Tpo -c -o dwarf.o /checkout/binutils/dwarf.c &&\
mv -f $depbase.Tpo $depbase.Po
In file included from /checkout/binutils/sysdep.h:101:0,
from /checkout/binutils/dwarf.c:21:
/checkout/binutils/dwarf.c: In function 'process_abbrev_set':
/checkout/binutils/dwarf.c:1072:15: error: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'dwarf_vma {aka long long unsigned int}' [-Werror=format=]
warn (_("Debug info is corrupted, abbrev size (%lx) is larger than "
^
/checkout/binutils/dwarf.c:1072:13: note: in expansion of macro '_'
warn (_("Debug info is corrupted, abbrev size (%lx) is larger than "
^
cc1: all warnings being treated as errors
Makefile:1101: recipe for target 'dwarf.o' failed
The recent commit, casting one of the terms, has an obvious
typo. To wit, the (non-cast) term abbrev_size is a
dwarf_vma and causes the whole expression to (still) be 64
bits.
binutils:
* dwarf.c (process_abbrev_set): Properly parenthesize before
casting to unsigned long.
PR 27845
* dwarf.c (process_abbrev_set): Replace start and end parameters
with section, abbrev_base, abbrev_size, abbrev_offset. Update
all callers. Sanity check parameters correctly and emit warnings
here rather than..
(process_debug_info): ..here.
PTR supplied to these macros can be read from user input, END is an
end of buffer pointer. It's safer to do arithmetic on END than on PTR.
* dwarf.c (SAFE_BYTE_GET): Check bounds by subtracting amount from
END rather than adding amount to PTR.
(SAFE_SIGNED_BYTE_GET, SAFE_BYTE_GET64): Likewise.
