Date: Wed, 05 Apr 2017 11:16:59 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 218395] readelf --debug-dump=loc dumps core when inspecting various ar archives
Message-ID: <bug-218395-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218395

            Bug ID: 218395
           Summary: readelf --debug-dump=loc dumps core when inspecting
                    various ar archives
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: fk@fabiankeil.de

A recent rebase on FreeBSD 11-STABLE resulted in unexpected binary changes
for ElectroBSD. Trying diffoscope to look into this triggered a readelf
core dump.

The core dump is reproducible with vanilla FreeBSD as well. Using the
FreeBSD 11.0-STABLE #0 r315855 amd64 snapshot:

# readelf --wide --debug-dump=loc /usr/lib/libc_pic.a

File: /usr/lib/libc_pic.a(machdep_ldisx.pico)

Contents of section .debug_loc:

    Offset   Begin    End      Expression
    00000000 00000000 00000018 (DW_OP_reg5 (rdi))
    00000000 00000018 00000073 (DW_OP_reg15 (r15))
    00000000 00000075 0000007c (DW_OP_reg15 (r15))
    00000000 <End of list>
    00000049 00000000 00000015 (DW_OP_reg4 (rsi))
    00000049 00000015 00000071 (DW_OP_reg14 (r14))
    00000049 00000075 0000007c (DW_OP_reg14 (r14))
    00000049 <End of list>
    00000092 00000000 00000012 (DW_OP_reg1 (rdx))
    00000092 00000012 00000039 (DW_OP_reg3 (rbx))
    00000092 0000003b 00000042 (DW_OP_reg3 (rbx))
    00000092 00000047 0000006d (DW_OP_reg3 (rbx))
    00000092 00000075 0000007c (DW_OP_reg3 (rbx))
    00000092 <End of list>
    00000101 00000027 00000039 (DW_OP_reg3 (rbx))
    00000101 0000003b 00000042 (DW_OP_reg3 (rbx))
    00000101 <End of list>
    00000137 0000005e 0000007c (DW_OP_nop)
    00000137 <End of list>

File: /usr/lib/libc_pic.a(bt_close.pico)

Contents of section .debug_loc:

    Offset   Begin    End      Expression
    00000000 00000000 0000000d (DW_OP_reg5 (rdi))
    00000000 0000000d 000000d7 (DW_OP_reg14 (r14))
    00000000 <End of list>
    00000036 00000011 000000d5 (DW_OP_reg3 (rbx))
    00000036 <End of list>
    00000049 <End of list>
    00000059 000000b0 000000cd (DW_OP_reg15 (r15); DW_OP_piece: 4)
    00000059 <End of list>
    0000007e 000000e0 000000f9 (DW_OP_reg5 (rdi))
    0000007e <End of list>
readelf: dwarf_loclist_n failed: Loclist section too short [_dwarf_loclist_add_locdesc(68)]
    000000a1 000000e0 000000e9 (DW_OP_reg4 (rsi); DW_OP_piece: 4)
    000000a1 000000e9 0000011d (DW_OP_reg3 (rbx); DW_OP_piece: 4)
    000000a1 00000121 000001bd (DW_OP_reg3 (rbx); DW_OP_piece: 4)
    000000a1 <End of list>
    000000f0 000000ed 0000011f (DW_OP_reg14 (r14))
    000000f0 00000121 000001bd (DW_OP_reg14 (r14))
    000000f0 <End of list>
Assertion failed: (in_len > 0), function _dwarf_loc_fill_locdesc, file /usr/src/contrib/elftoolchain/libdwarf/libdwarf_loc.c, line 627.
Abort trap (core dumped)

The FreeBSD 12.0-CURRENT #0 r315864 amd64 snapshot can be used to reproduce
the issue as well.

Manually trying the command on various other ar files triggers the same
assertion.

Trying to paper over the issue with:

--- a/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
+++ b/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
@@ -63,7 +63,7 @@ _dwarf_loclist_add_locdesc(Dwarf_Debug dbg, Dwarf_CU cu, Dwarf_Section *ds,
 	/* Otherwise it's normal entry. */
 	len = dbg->read(ds->ds_data, off, 2);
-	if (*off + len > ds->ds_size) {
+	if (len <= 0 || *off + len > ds->ds_size) {
 		DWARF_SET_ERROR(dbg, error, DW_DLE_DEBUG_LOC_SECTION_SHORT);
 		return (DW_DLE_DEBUG_LOC_SECTION_SHORT);

didn't work, as it results in SIGBUS crashes later on.

I suspect that architectures other than amd64 are affected as well but
did not confirm this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
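Review bot: the new `len <= 0` test in the `_dwarf_loclist_add_locdesc` hunk reports a zero-length expression as DW_DLE_DEBUG_LOC_SECTION_SHORT, but a location list entry whose expression length is 0 is well-formed DWARF (an empty location description: the object has no location over that address range), so the check turns valid input into a "section too short" error rather than fixing the crash; and if `len` has an unsigned type, `len <= 0` is only ever `len == 0`. The place to change is the consumer that aborts: `_dwarf_loc_fill_locdesc` asserts `(in_len > 0)` at libdwarf_loc.c line 627, and it (or the caller that hands it `len`) should build a locdesc with zero operations for an empty expression instead of asserting. Keep the existing `*off + len > ds->ds_size` bounds test as it is; it is the right check for a truncated section.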
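Added example, not code from the bug report or from elftoolchain/libdwarf: a minimal parser for DWARF 2-4 .debug_loc location lists that distinguishes the two cases the report runs together, a legal zero-length (empty) expression and a genuinely truncated section. It assumes 8-byte little-endian addresses (amd64), the names parse_loclist, loc_status and sample_debug_loc are hypothetical, and the embedded section bytes are constructed here to mirror the bt_close.pico dump above: a normal one-entry list, a list whose entry has an empty expression, and an entry whose declared length runs past the end of the section.

```c
/* Added example: DWARF 2-4 .debug_loc list parser (8-byte little-endian
 * addresses). Not part of the bug report or of elftoolchain/libdwarf. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DW_OP_reg3 0x53   /* rbx on amd64 */
#define DW_OP_reg5 0x55   /* rdi on amd64 */

enum loc_status { LOC_OK = 0, LOC_TOO_SHORT = 1 };   /* hypothetical names */

struct loc_entry {
    uint64_t begin, end;      /* offsets relative to the CU base address */
    uint16_t expr_len;        /* 0 is legal: an empty location description */
    const uint8_t *expr;      /* points into the section, not copied */
};

static uint64_t rd_u64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one list starting at *off. Returns the number of entries
 * (base-address selections and the end-of-list marker are not counted) and
 * leaves *off just past the end-of-list marker; returns -1 and sets *status
 * to LOC_TOO_SHORT if any field would extend beyond sec_len. */
static int parse_loclist(const uint8_t *sec, size_t sec_len, size_t *off,
                         struct loc_entry *out, size_t max, int *status)
{
    int n = 0;
    *status = LOC_OK;
    for (;;) {
        if (*off + 16 > sec_len) goto short_section;      /* begin + end */
        uint64_t begin = rd_u64(sec + *off), end = rd_u64(sec + *off + 8);
        *off += 16;
        if (begin == 0 && end == 0) return n;            /* end of list */
        if (begin == UINT64_MAX) continue;               /* base address selection: no length */
        if (*off + 2 > sec_len) goto short_section;       /* 2-byte expression length */
        uint16_t len = rd_u16(sec + *off);
        *off += 2;
        /* The only bounds test needed: the expression must fit in the section.
         * len == 0 passes and is recorded as an entry with no operations. */
        if (*off + len > sec_len) goto short_section;
        if ((size_t)n < max) {
            out[n].begin = begin; out[n].end = end;
            out[n].expr_len = len; out[n].expr = sec + *off;
        }
        n++;
        *off += len;
    }
short_section:
    *status = LOC_TOO_SHORT;
    return -1;
}

/* Constructed sample section (little-endian 8-byte values below 256). */
#define U64(x) (x), 0, 0, 0, 0, 0, 0, 0
static const uint8_t sample_debug_loc[] = {
    /* list 0: one entry with a 1-byte expression, then end of list */
    U64(0x11), U64(0xd5), 1, 0, DW_OP_reg3,
    U64(0), U64(0),
    /* list 1: one entry with an empty (zero-length) expression, then end of list */
    U64(0xb0), U64(0xcd), 0, 0,
    U64(0), U64(0),
    /* list 2: entry claims a 2-byte expression but only 1 byte remains */
    U64(0xe0), U64(0xf9), 2, 0, DW_OP_reg5,
};

/* Walk the sample to list list_idx and parse it; -1 on truncation. */
int sample_list(int list_idx, struct loc_entry *out, size_t max, int *status)
{
    size_t off = 0;
    int n = 0;
    for (int i = 0; i <= list_idx; i++) {
        n = parse_loclist(sample_debug_loc, sizeof sample_debug_loc, &off, out, max, status);
        if (n < 0) return -1;
    }
    return n;
}
int sample_list_count(int list_idx) { struct loc_entry e[4]; int st; return sample_list(list_idx, e, 4, &st); }
int sample_status(int list_idx)     { struct loc_entry e[4]; int st; sample_list(list_idx, e, 4, &st); return st; }
int sample_entry_len(int list_idx, int entry_idx)
{
    struct loc_entry e[4]; int st;
    int n = sample_list(list_idx, e, 4, &st);
    return (n < 0 || entry_idx >= n) ? -1 : (int)e[entry_idx].expr_len;
}

int main(void)
{
    for (int l = 0; l < 3; l++) {
        struct loc_entry e[4]; int st;
        int n = sample_list(l, e, 4, &st);
        if (n < 0) { printf("list %d: section too short\n", l); continue; }
        for (int i = 0; i < n; i++)
            printf("list %d: %08llx %08llx expr_len=%u%s\n", l,
                   (unsigned long long)e[i].begin, (unsigned long long)e[i].end,
                   e[i].expr_len, e[i].expr_len == 0 ? " (empty location)" : "");
    }
    return 0;
}
```

Under these rules list 1 parses cleanly with an entry of expression length 0, while list 2 is the case DW_DLE_DEBUG_LOC_SECTION_SHORT is meant for: the declared length points past the end of the section. A consumer that asserts a positive expression length, as the `in_len > 0` assertion in the report does, would abort on list 1 even though the section is intact.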
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-218395-8>
