Date: Wed, 05 Apr 2017 11:16:59 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218395] readelf --debug-dump=loc dumps core when inspecting various ar archives
Message-ID: <bug-218395-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218395

            Bug ID: 218395
           Summary: readelf --debug-dump=loc dumps core when inspecting
                    various ar archives
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fk@fabiankeil.de

A recent rebase on FreeBSD 11-STABLE resulted in unexpected binary changes
for ElectroBSD. Trying diffoscope to look into this triggered a readelf
core dump. The core dump is reproducible with vanilla FreeBSD as well.

Using the FreeBSD 11.0-STABLE #0 r315855 amd64 snapshot:

# readelf --wide --debug-dump=loc /usr/lib/libc_pic.a

File: /usr/lib/libc_pic.a(machdep_ldisx.pico)

Contents of section .debug_loc:

    Offset   Begin    End      Expression
    00000000 00000000 00000018 (DW_OP_reg5 (rdi))
    00000000 00000018 00000073 (DW_OP_reg15 (r15))
    00000000 00000075 0000007c (DW_OP_reg15 (r15))
    00000000 <End of list>
    00000049 00000000 00000015 (DW_OP_reg4 (rsi))
    00000049 00000015 00000071 (DW_OP_reg14 (r14))
    00000049 00000075 0000007c (DW_OP_reg14 (r14))
    00000049 <End of list>
    00000092 00000000 00000012 (DW_OP_reg1 (rdx))
    00000092 00000012 00000039 (DW_OP_reg3 (rbx))
    00000092 0000003b 00000042 (DW_OP_reg3 (rbx))
    00000092 00000047 0000006d (DW_OP_reg3 (rbx))
    00000092 00000075 0000007c (DW_OP_reg3 (rbx))
    00000092 <End of list>
    00000101 00000027 00000039 (DW_OP_reg3 (rbx))
    00000101 0000003b 00000042 (DW_OP_reg3 (rbx))
    00000101 <End of list>
    00000137 0000005e 0000007c (DW_OP_nop)
    00000137 <End of list>

File: /usr/lib/libc_pic.a(bt_close.pico)

Contents of section .debug_loc:

    Offset   Begin    End      Expression
    00000000 00000000 0000000d (DW_OP_reg5 (rdi))
    00000000 0000000d 000000d7 (DW_OP_reg14 (r14))
    00000000 <End of list>
    00000036 00000011 000000d5 (DW_OP_reg3 (rbx))
    00000036 <End of list>
    00000049 <End of list>
    00000059 000000b0 000000cd (DW_OP_reg15 (r15); DW_OP_piece: 4)
    00000059 <End of list>
    0000007e 000000e0 000000f9 (DW_OP_reg5 (rdi))
    0000007e <End of list>
readelf: dwarf_loclist_n failed: Loclist section too short [_dwarf_loclist_add_locdesc(68)]
    000000a1 000000e0 000000e9 (DW_OP_reg4 (rsi); DW_OP_piece: 4)
    000000a1 000000e9 0000011d (DW_OP_reg3 (rbx); DW_OP_piece: 4)
    000000a1 00000121 000001bd (DW_OP_reg3 (rbx); DW_OP_piece: 4)
    000000a1 <End of list>
    000000f0 000000ed 0000011f (DW_OP_reg14 (r14))
    000000f0 00000121 000001bd (DW_OP_reg14 (r14))
    000000f0 <End of list>
Assertion failed: (in_len > 0), function _dwarf_loc_fill_locdesc, file /usr/src/contrib/elftoolchain/libdwarf/libdwarf_loc.c, line 627.
Abort trap (core dumped)

The FreeBSD 12.0-CURRENT #0 r315864 amd64 snapshot can be used to reproduce
the issue as well.

Manually trying the command on various other ar files triggers the same
assertion.

Trying to paper over the issue with:

--- a/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
+++ b/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
@@ -63,7 +63,7 @@ _dwarf_loclist_add_locdesc(Dwarf_Debug dbg, Dwarf_CU cu, Dwarf_Section *ds,
 	/* Otherwise it's normal entry. */
 	len = dbg->read(ds->ds_data, off, 2);
-	if (*off + len > ds->ds_size) {
+	if (len <= 0 || *off + len > ds->ds_size) {
 		DWARF_SET_ERROR(dbg, error, DW_DLE_DEBUG_LOC_SECTION_SHORT);
 		return (DW_DLE_DEBUG_LOC_SECTION_SHORT);

didn't work as it results in SIGBUS crashes later on.

I suspect that architectures other than amd64 are affected as well but did
not confirm this.
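Review bot: the `len <= 0 ||` test added to the `if` misdiagnoses the input. A 2-byte expression length of zero is a legal location-list entry: DWARF 4 section 2.6.1.1.4 defines the empty location description for an object that exists in the source but was optimized out of the code, so reporting it as DW_DLE_DEBUG_LOC_SECTION_SHORT rejects well-formed .debug_loc data. The entry should instead be accepted with an empty expression, which means the consumer that currently asserts `in_len > 0` (`_dwarf_loc_fill_locdesc`, per the abort above) must be changed to produce a descriptor with no operations rather than this function refusing the entry. Also, if `len` is unsigned, as a 2-byte section read suggests, `len <= 0` reduces to `len == 0` and may draw a compiler warning; the existing `*off + len > ds->ds_size` bound is the only check that belongs at this point.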
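As an added illustration of the failure mode (not code from elftoolchain or from the reporter), the following walks a DWARF 2-4 .debug_loc location list with every read bounds-checked, treats a zero-length expression as a valid entry instead of asserting, and returns an error code when an entry's length runs past the end of the section. It assumes 8-byte addresses and native byte order, as for an archive built and inspected on the same amd64 host; the names `walk_loclist`, `demo_sample` and the sample bytes are my own.

```c
/* Added example (not elftoolchain code): bounds-checked walk over a DWARF 2-4
 * .debug_loc list with 8-byte addresses (amd64); an empty expression is valid. */
#include <stdint.h>
#include <string.h>
enum { LOC_OK = 0, LOC_ERR_SHORT = 1 };
struct loc_entry { uint64_t begin, end; const uint8_t *expr; uint16_t expr_len; };
/* Native-endian reads (same host built and reads the archive); bounds checked by callers. */
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
/* Walks one list from *off, storing up to max entries in out and the total in
 * *count; leaves *off just past the end-of-list marker. */
int walk_loclist(const uint8_t *sec, size_t size, size_t *off,
                 struct loc_entry *out, size_t max, size_t *count)
{
    size_t n = 0;
    for (;;) {
        if (*off > size || size - *off < 16) return LOC_ERR_SHORT; /* begin/end pair */
        uint64_t begin = rd64(sec + *off), end = rd64(sec + *off + 8);
        *off += 16;
        if (begin == 0 && end == 0) break;           /* end-of-list marker */
        if (begin == UINT64_MAX) continue;           /* base address selection entry */
        if (size - *off < 2) return LOC_ERR_SHORT;   /* 2-byte expression length */
        uint16_t len = rd16(sec + *off); *off += 2;
        if (len > size - *off) return LOC_ERR_SHORT; /* body past end of section: error, not assert */
        if (n < max) {                               /* len == 0: object optimized out, kept as-is */
            out[n].begin = begin; out[n].end = end;
            out[n].expr = sec + *off; out[n].expr_len = len;
        }
        n++; *off += len;
    }
    *count = n;
    return LOC_OK;
}
/* Constructed sample: DW_OP_reg5 entry, empty-expression entry, end-of-list
 * marker, then an entry claiming 10 expression bytes with only 3 remaining. */
static const uint8_t sample[] = {
    0,0,0,0,0,0,0,0, 0x18,0,0,0,0,0,0,0, 1,0, 0x55,
    0x18,0,0,0,0,0,0,0, 0x73,0,0,0,0,0,0,0, 0,0,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x75,0,0,0,0,0,0,0, 0x7c,0,0,0,0,0,0,0, 10,0, 0x50,0x93,0x04 };
/* -1 if list one misparses; else the status of the truncated list (LOC_ERR_SHORT). */
int demo_sample(void)
{
    struct loc_entry e[4]; size_t off = 0, n = 0;
    if (walk_loclist(sample, sizeof sample, &off, e, 4, &n) != LOC_OK || n != 2 ||
        e[0].expr_len != 1 || e[0].expr[0] != 0x55 || e[1].expr_len != 0)
        return -1;
    return walk_loclist(sample, sizeof sample, &off, e, 4, &n);
}
```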