From: Keith Seitz <keiths@...>
Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
Subject: Verify COFF symbol stringtab offset
X-Git-Tag: gdb-14-branchpoint~473
X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
Verify COFF symbol stringtab offset
This patch addresses an issue with malformed/fuzzed debug information that
was recently reported in gdb/30639. That bug specifically deals with
an ASAN issue, but the reproducer provided by the reporter causes
another failure outside of ASAN:
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
CVE: CVE-2023-39129
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
diff --git a/gdb/coffread.c b/gdb/coffread.c
--- a/gdb/coffread.c
+++ b/gdb/coffread.c
@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
static file_ptr linetab_size;
static char *stringtab = NULL;
+static long stringtab_length = 0;
extern void stabsread_clear_cache (void);
@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
/* This is in target format (probably not very useful, and not
currently used), not host format. */
memcpy (stringtab, lengthbuf, sizeof lengthbuf);
+ stringtab_length = length;
if (length == sizeof length) /* Empty table -- just the count. */
return 0;
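Review bot: `stringtab_length` is assigned on the new line as soon as the length prefix has been copied, but nothing visible in this hunk ties it to the lifetime of `stringtab` itself; init_stringtab starts and ends outside the hunk, so I cannot see whether a later failure in this function, or the place that frees `stringtab`, also clears the length. If they do not, a stale non-zero length from a previous object file would let getsymname accept offsets against a freed or NULL table, which is exactly the class of problem the patch targets. I would either move the assignment after the table has been fully read and validated, or add `stringtab_length = 0;` wherever `stringtab` is freed or set back to NULL, and document the pairing on the declaration: `/* Byte length of STRINGTAB, including the 4-byte length prefix; must be reset whenever STRINGTAB is released.  */`.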
@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
if (symbol_entry->_n._n_n._n_zeroes == 0)
{
- /* FIXME: Probably should be detecting corrupt symbol files by
- seeing whether offset points to within the stringtab. */
+ if (symbol_entry->_n._n_n._n_offset > stringtab_length)
+ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
+ symbol_entry->_n._n_n._n_offset, stringtab_length);
result = stringtab + symbol_entry->_n._n_n._n_offset;
}
else
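Review bot: The bound on the added line is off by one and only one-sided: an offset equal to `stringtab_length` passes `>` and yields `stringtab + stringtab_length`, one past the end of the table, and if `_n_offset` is a signed `long` (the `%ld` conversion on the following line suggests it is) a negative offset is not rejected at all and produces a pointer before the table. I would change the guard to `if (symbol_entry->_n._n_n._n_offset < 0 || symbol_entry->_n._n_n._n_offset >= stringtab_length)` so both directions are covered. Note also that this only validates where the string starts; the string at that offset is still read up to its terminator, so whether init_stringtab guarantees the table ends in a NUL (that function is outside this hunk) determines whether a truncated final entry can still overrun. A one-line comment above the check, `/* Reject offsets outside [0, stringtab_length) before forming a pointer from them.  */`, would make the intent clearer than the FIXME it replaces. The enclosing getsymname continues past the end of the hunk.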