From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218395] readelf --debug-dump=loc dumps core when inspecting various ar archives
Date: Wed, 05 Apr 2017 11:16:59 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218395

            Bug ID: 218395
           Summary: readelf --debug-dump=loc dumps core when inspecting
                    various ar archives
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fk@fabiankeil.de

A recent rebase on FreeBSD 11-STABLE resulted in unexpected binary changes
for ElectroBSD. Trying diffoscope to look into this triggered a readelf
coredump. The core dump is reproducible with vanilla FreeBSD as well.
Using the FreeBSD 11.0-STABLE #0 r315855 amd64 snapshot:

# readelf --wide --debug-dump=loc /usr/lib/libc_pic.a

File: /usr/lib/libc_pic.a(machdep_ldisx.pico)

Contents of section .debug_loc:

    Offset   Begin    End      Expression
    00000000 00000000 00000018 (DW_OP_reg5 (rdi))
    00000000 00000018 00000073 (DW_OP_reg15 (r15))
    00000000 00000075 0000007c (DW_OP_reg15 (r15))
    00000000 <End of list>
    00000049 00000000 00000015 (DW_OP_reg4 (rsi))
    00000049 00000015 00000071 (DW_OP_reg14 (r14))
    00000049 00000075 0000007c (DW_OP_reg14 (r14))
    00000049 <End of list>
    00000092 00000000 00000012 (DW_OP_reg1 (rdx))
    00000092 00000012 00000039 (DW_OP_reg3 (rbx))
    00000092 0000003b 00000042 (DW_OP_reg3 (rbx))
    00000092 00000047 0000006d (DW_OP_reg3 (rbx))
    00000092 00000075 0000007c (DW_OP_reg3 (rbx))
    00000092 <End of list>
    00000101 00000027 00000039 (DW_OP_reg3 (rbx))
    00000101 0000003b 00000042 (DW_OP_reg3 (rbx))
    00000101 <End of list>
    00000137 0000005e 0000007c (DW_OP_nop)
    00000137 <End of list>

File: /usr/lib/libc_pic.a(bt_close.pico)

Contents of section .debug_loc:

    Offset   Begin    End      Expression
    00000000 00000000 0000000d (DW_OP_reg5 (rdi))
    00000000 0000000d 000000d7 (DW_OP_reg14 (r14))
    00000000 <End of list>
    00000036 00000011 000000d5 (DW_OP_reg3 (rbx))
    00000036 <End of list>
    00000049 <End of list>
    00000059 000000b0 000000cd (DW_OP_reg15 (r15); DW_OP_piece: 4)
    00000059 <End of list>
    0000007e 000000e0 000000f9 (DW_OP_reg5 (rdi))
    0000007e <End of list>
readelf: dwarf_loclist_n failed: Loclist section too short [_dwarf_loclist_add_locdesc(68)]
    000000a1 000000e0 000000e9 (DW_OP_reg4 (rsi); DW_OP_piece: 4)
    000000a1 000000e9 0000011d (DW_OP_reg3 (rbx); DW_OP_piece: 4)
    000000a1 00000121 000001bd (DW_OP_reg3 (rbx); DW_OP_piece: 4)
    000000a1 <End of list>
    000000f0 000000ed 0000011f (DW_OP_reg14 (r14))
    000000f0 00000121 000001bd (DW_OP_reg14 (r14))
    000000f0 <End of list>
Assertion failed: (in_len > 0), function _dwarf_loc_fill_locdesc, file /usr/src/contrib/elftoolchain/libdwarf/libdwarf_loc.c, line 627.
Abort trap (core dumped)

The FreeBSD 12.0-CURRENT #0 r315864 amd64 snapshot can be used to reproduce
the issue as well.
Manually trying the command on various other ar files triggers the same
assertion.

Trying to paper over the issue with:

--- a/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
+++ b/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
@@ -63,7 +63,7 @@ _dwarf_loclist_add_locdesc(Dwarf_Debug dbg, Dwarf_CU cu, Dwarf_Section *ds,
 	/* Otherwise it's normal entry. */
 	len = dbg->read(ds->ds_data, off, 2);
-	if (*off + len > ds->ds_size) {
+	if (len <= 0 || *off + len > ds->ds_size) {
 		DWARF_SET_ERROR(dbg, error, DW_DLE_DEBUG_LOC_SECTION_SHORT);
 		return (DW_DLE_DEBUG_LOC_SECTION_SHORT);

didn't work as it results in SIGBUS crashes later on.

I suspect that architectures other than amd64 are affected as well but did
not confirm this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
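Review bot: the added `len <= 0` test in the `if` can only ever reject a length of exactly zero (a 2-byte read cannot yield a negative value), and a zero length is precisely what `assert(in_len > 0)` in `_dwarf_loc_fill_locdesc` trips on, so the change turns the abort into `DW_DLE_DEBUG_LOC_SECTION_SHORT` without explaining why the reader arrives at such an entry; the output above shows the library already reporting "Loclist section too short" at 0x7e and then carrying on to print the lists at 0xa1 and 0xf0, and the SIGBUS that follows this patch points the same way, namely that parsing continues from an `*off` that no longer lines up with an entry boundary. Suggest checking how `*off` is resumed after the error return rather than adding conditions to this check, and treating a zero-length expression block as a valid empty location description rather than an error.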
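The report shows what happens when a .debug_loc reader asserts on input it did not expect. The following is an added example, not the reporter's patch or elftoolchain's code, of a bounds-checked reader for one DWARF 2-4 location list that reports truncation as a return value and accepts a zero-length expression block; it assumes 8-byte little-endian addresses (amd64, as in the report) and uses a constructed sample section rather than bytes from libc_pic.a.

```c
#include <stddef.h>
#include <stdint.h>

enum { LOC_SHORT = -1 };                /* section ends in the middle of an entry */
struct loc_entry { uint64_t lo, hi; const uint8_t *expr; uint16_t expr_len; };

static uint64_t rd_le(const uint8_t *p, size_t n)           /* little-endian read */
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
/* Reads one location list starting at *off. Every read is checked against
 * sec_len, so a truncated section yields LOC_SHORT instead of an assert or a
 * wild read. Returns the entry count (entries past max are counted, not
 * stored); on success *off is left just after the end-of-list marker. */
int parse_loclist(const uint8_t *sec, size_t sec_len, size_t *off,
                  struct loc_entry *out, int max)
{
    const size_t asz = 8;               /* assumption: amd64, 8-byte addresses */
    int n = 0;
    for (;;) {
        if (*off + 2 * asz > sec_len) return LOC_SHORT;      /* begin/end pair */
        uint64_t lo = rd_le(sec + *off, asz), hi = rd_le(sec + *off + asz, asz);
        *off += 2 * asz;
        if (lo == 0 && hi == 0) return n;                     /* end-of-list entry */
        struct loc_entry e = { lo, hi, NULL, 0 };
        if (lo != UINT64_MAX) {         /* base-address-selection entries carry no expression */
            if (*off + 2 > sec_len) return LOC_SHORT;        /* 2-byte length field */
            e.expr_len = (uint16_t)rd_le(sec + *off, 2);
            *off += 2;
            /* A zero length is a valid empty location description (DWARF 4,
             * 2.6.1.1.1); it is the case libdwarf's assert(in_len > 0) aborts on. */
            if (*off + e.expr_len > sec_len) return LOC_SHORT; /* expression block */
            e.expr = sec + *off;
            *off += e.expr_len;
        }
        if (n < max) out[n] = e;
        n++;
    }
}
#define A8(v) (uint8_t)(v), 0, 0, 0, 0, 0, 0, 0    /* 8-byte LE address, v < 256 */
const uint8_t sample_loc[] = {          /* constructed sample, not from the report */
    A8(0x00), A8(0x18), 1, 0, 0x55,     /* list at 0x00: [0,0x18) DW_OP_reg5 */
    A8(0x18), A8(0x73), 1, 0, 0x5f,     /*               [0x18,0x73) DW_OP_reg15 */
    A8(0), A8(0),                       /*               end of list */
    A8(0x11), A8(0xd5), 0, 0,           /* list at 0x36: empty location description */
    A8(0), A8(0),                       /*               end of list */
    A8(0x5e), A8(0x7c), 4, 0, 0x96,     /* list at 0x58: length 4 but only 1 byte left */
};
const size_t sample_loc_len = sizeof sample_loc;
```

Calling parse_loclist three times over sample_loc walks the two good lists and then returns LOC_SHORT for the truncated third one, leaving *off at the start of that list so the caller can resynchronise on a known offset.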