From patchwork Fri Nov  1 21:21:30 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Will Newton <will.newton@linaro.org>
X-Patchwork-Id: 21315
Return-Path: <patchwork-forward+bncBCXPZFGDUEJBBXNW2CJQKGQEZWB4YHA@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-ie0-f200.google.com (mail-ie0-f200.google.com
 [209.85.223.200])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 59E0A23908
 for <linaro@patches.linaro.org>; Fri,  1 Nov 2013 21:21:34 +0000 (UTC)
Received: by mail-ie0-f200.google.com with SMTP id aq17sf13920732iec.3
 for <linaro@patches.linaro.org>; Fri, 01 Nov 2013 14:21:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:message-id:date:from:user-agent
 :mime-version:to:cc:subject:x-original-sender
 :x-original-authentication-results:precedence:mailing-list:list-id
 :list-post:list-help:list-archive:list-unsubscribe:content-type
 :content-transfer-encoding;
 bh=mtu0MMaiXY41w1St8cHmRByqzTOQ5lunsUpKdv6WnEE=;
 b=fRCNuaz6U1M9f9eoilspTfH2M2KbqPkXYiqnhXtra4BtkbkDpParam+WioEE1C/kLb
 DH68ZLUEnnXwUm1NmeTVgkKu++oxtLXWxolIktKPBD38K8ybrlgRUXpfHZm+tZfAtEXH
 Z//71bHY97VSBcrLJvW6Xgcn1UdMd9SoyIv3Bb3i7K3Ufz+GvPP6VFxd0xHl9iP01rd1
 q/PYrQuX/Q3rL86GIAk6johOx2XO/1yb29FREuMfSGovl/lO7blKIVhmDXIxPSsYgynm
 G8acDIl9wmsdoCfKSU8VKNgs/N9Ej4lYuhtQLym9gdySERpPlEUg5FeOZHMGzrLfefIq
 rfYA==
X-Gm-Message-State: ALoCoQkr+VUs6wofLp302jZXdtXvxcLxyw+fgrF8Wos3IUr6z+EvmxfWMlF8jlk5YeI92JsvWCW1
X-Received: by 10.182.191.8 with SMTP id gu8mr1516605obc.8.1383340893617;
 Fri, 01 Nov 2013 14:21:33 -0700 (PDT)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.49.129.166 with SMTP id nx6ls1464563qeb.12.gmail; Fri, 01 Nov
 2013 14:21:33 -0700 (PDT)
X-Received: by 10.52.26.69 with SMTP id j5mr2759139vdg.21.1383340893512;
 Fri, 01 Nov 2013 14:21:33 -0700 (PDT)
Received: from mail-vb0-f41.google.com (mail-vb0-f41.google.com
 [209.85.212.41]) by mx.google.com with ESMTPS id
 k10si2449755vca.124.2013.11.01.14.21.33
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 01 Nov 2013 14:21:33 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.212.41 is neither permitted nor
 denied by best guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 client-ip=209.85.212.41; 
Received: by mail-vb0-f41.google.com with SMTP id w8so48725vbj.14
 for <patchwork-forward@linaro.org>;
 Fri, 01 Nov 2013 14:21:33 -0700 (PDT)
X-Received: by 10.52.163.65 with SMTP id yg1mr509405vdb.58.1383340893429;
 Fri, 01 Nov 2013 14:21:33 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patches@linaro.org
Received: by 10.220.174.196 with SMTP id u4csp71166vcz;
 Fri, 1 Nov 2013 14:21:33 -0700 (PDT)
X-Received: by 10.66.188.80 with SMTP id fy16mr5152086pac.168.1383340892608; 
 Fri, 01 Nov 2013 14:21:32 -0700 (PDT)
Received: from mail-pb0-f47.google.com (mail-pb0-f47.google.com
 [209.85.160.47]) by mx.google.com with ESMTPS id
 z1si5409724pbw.339.2013.11.01.14.21.32 for <patches@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 01 Nov 2013 14:21:32 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.160.47 is neither permitted nor
 denied by best guess record for domain of
 will.newton@linaro.org) client-ip=209.85.160.47; 
Received: by mail-pb0-f47.google.com with SMTP id rq13so694252pbb.34
 for <patches@linaro.org>; Fri, 01 Nov 2013 14:21:32 -0700 (PDT)
X-Received: by 10.66.4.105 with SMTP id j9mr5189247paj.84.1383340892104;
 Fri, 01 Nov 2013 14:21:32 -0700 (PDT)
Received: from localhost.localdomain ([63.239.94.10])
 by mx.google.com with ESMTPSA id
 ed3sm12803021pbc.6.2013.11.01.14.21.31 for <multiple recipients>
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Fri, 01 Nov 2013 14:21:31 -0700 (PDT)
Message-ID: <52741B5A.6090800@linaro.org>
Date: Fri, 01 Nov 2013 14:21:30 -0700
From: Will Newton <will.newton@linaro.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:17.0) Gecko/20130805 Thunderbird/17.0.8
MIME-Version: 1.0
To: gdb-patches@sourceware.org
CC: Patch Tracking <patches@linaro.org>
Subject: [PATCH] gdb/dwarf2read.c: Sanity check DW_AT_sibling values.
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: will.newton@linaro.org
X-Original-Authentication-Results: mx.google.com;       spf=neutral
 (google.com: 209.85.212.41 is neither permitted nor denied by best
 guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Precedence: list
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
List-ID: <patchwork-forward.linaro.org>
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>, 
 <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>

When reading objects with corrupt debug information it is possible that
the sibling chain can form a loop, which leads to an infinite loop and
memory exhaustion.

Avoid this situation by disregarding and DW_AT_sibling values that point
to a lower address than the current entry.

gdb/ChangeLog:

2013-11-01  Will Newton  <will.newton@linaro.org>

	PR gdb/12866
	* dwarf2read.c (skip_one_die): Sanity check DW_AT_sibling
	values.  (read_partial_die): Likewise.
---
 gdb/dwarf2read.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/gdb/dwarf2read.c b/gdb/dwarf2read.c
index 3974d0b..d4dfd45 100644
--- a/gdb/dwarf2read.c
+++ b/gdb/dwarf2read.c
@@ -7016,7 +7016,14 @@ skip_one_die (const struct die_reader_specs *reader, const gdb_byte *info_ptr,
 	    complaint (&symfile_complaints,
 		       _("ignoring absolute DW_AT_sibling"));
 	  else
-	    return buffer + dwarf2_get_ref_die_offset (&attr).sect_off;
+	    {
+	      const gdb_byte *sibling_ptr = buffer + dwarf2_get_ref_die_offset (&attr).sect_off;
+	      if (sibling_ptr < info_ptr)
+		complaint (&symfile_complaints,
+			   _("DW_AT_sibling points backwards"));
+	      else
+		return buffer + dwarf2_get_ref_die_offset (&attr).sect_off;
+	    }
 	}

       /* If it isn't DW_AT_sibling, skip this attribute.  */
@@ -15134,7 +15141,14 @@ read_partial_die (const struct die_reader_specs *reader,
 	    complaint (&symfile_complaints,
 		       _("ignoring absolute DW_AT_sibling"));
 	  else
-	    part_die->sibling = buffer + dwarf2_get_ref_die_offset (&attr).sect_off;
+	    {
+	      const gdb_byte *sibling_ptr = buffer + dwarf2_get_ref_die_offset (&attr).sect_off;
+	      if (sibling_ptr < info_ptr)
+		complaint (&symfile_complaints,
+			   _("DW_AT_sibling points backwards"));
+	      else
+		part_die->sibling = sibling_ptr;
+	    }
 	  break;
         case DW_AT_byte_size:
           part_die->has_byte_size = 1;