[Bug 218395] readelf --debug-dump=loc dumps core when inspecting various ar archives
bugzilla-noreply at freebsd.org
Wed Apr 5 11:16:59 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218395
Bug ID: 218395
Summary: readelf --debug-dump=loc dumps core when inspecting various ar archives
Product: Base System
Version: CURRENT
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: fk at fabiankeil.de
A recent rebase on FreeBSD 11-STABLE resulted in unexpected
binary changes for ElectroBSD.
Trying diffoscope to look into this triggered a readelf coredump.
The core dump is reproducible with vanilla FreeBSD as well.
Using the FreeBSD 11.0-STABLE #0 r315855 amd64 snapshot:
# readelf --wide --debug-dump=loc /usr/lib/libc_pic.a
File: /usr/lib/libc_pic.a(machdep_ldisx.pico)
Contents of section .debug_loc:
Offset Begin End Expression
00000000 00000000 00000018 (DW_OP_reg5 (rdi))
00000000 00000018 00000073 (DW_OP_reg15 (r15))
00000000 00000075 0000007c (DW_OP_reg15 (r15))
00000000 <End of list>
00000049 00000000 00000015 (DW_OP_reg4 (rsi))
00000049 00000015 00000071 (DW_OP_reg14 (r14))
00000049 00000075 0000007c (DW_OP_reg14 (r14))
00000049 <End of list>
00000092 00000000 00000012 (DW_OP_reg1 (rdx))
00000092 00000012 00000039 (DW_OP_reg3 (rbx))
00000092 0000003b 00000042 (DW_OP_reg3 (rbx))
00000092 00000047 0000006d (DW_OP_reg3 (rbx))
00000092 00000075 0000007c (DW_OP_reg3 (rbx))
00000092 <End of list>
00000101 00000027 00000039 (DW_OP_reg3 (rbx))
00000101 0000003b 00000042 (DW_OP_reg3 (rbx))
00000101 <End of list>
00000137 0000005e 0000007c (DW_OP_nop)
00000137 <End of list>
File: /usr/lib/libc_pic.a(bt_close.pico)
Contents of section .debug_loc:
Offset Begin End Expression
00000000 00000000 0000000d (DW_OP_reg5 (rdi))
00000000 0000000d 000000d7 (DW_OP_reg14 (r14))
00000000 <End of list>
00000036 00000011 000000d5 (DW_OP_reg3 (rbx))
00000036 <End of list>
00000049 <End of list>
00000059 000000b0 000000cd (DW_OP_reg15 (r15); DW_OP_piece: 4)
00000059 <End of list>
0000007e 000000e0 000000f9 (DW_OP_reg5 (rdi))
0000007e <End of list>
readelf: dwarf_loclist_n failed: Loclist section too short
[_dwarf_loclist_add_locdesc(68)]
000000a1 000000e0 000000e9 (DW_OP_reg4 (rsi); DW_OP_piece: 4)
000000a1 000000e9 0000011d (DW_OP_reg3 (rbx); DW_OP_piece: 4)
000000a1 00000121 000001bd (DW_OP_reg3 (rbx); DW_OP_piece: 4)
000000a1 <End of list>
000000f0 000000ed 0000011f (DW_OP_reg14 (r14))
000000f0 00000121 000001bd (DW_OP_reg14 (r14))
000000f0 <End of list>
Assertion failed: (in_len > 0), function _dwarf_loc_fill_locdesc, file
/usr/src/contrib/elftoolchain/libdwarf/libdwarf_loc.c, line 627.
Abort trap (core dumped)
The FreeBSD 12.0-CURRENT #0 r315864 amd64 snapshot can be used to reproduce the
issue as well.
Manually trying the command on various other ar files triggers the same
assertion.
Trying to paper over the issue with:
--- a/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
+++ b/contrib/elftoolchain/libdwarf/libdwarf_loclist.c
@@ -63,7 +63,7 @@ _dwarf_loclist_add_locdesc(Dwarf_Debug dbg, Dwarf_CU cu,
Dwarf_Section *ds,
/* Otherwise it's normal entry. */
len = dbg->read(ds->ds_data, off, 2);
- if (*off + len > ds->ds_size) {
+ if (len <= 0 || *off + len > ds->ds_size) {
DWARF_SET_ERROR(dbg, error,
DW_DLE_DEBUG_LOC_SECTION_SHORT);
return (DW_DLE_DEBUG_LOC_SECTION_SHORT);
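Review bot: the new `len <= 0` test in `_dwarf_loclist_add_locdesc` folds two different conditions into one error, a zero-length expression and a genuinely truncated section, and reports both as DW_DLE_DEBUG_LOC_SECTION_SHORT. The assertion that actually fires is `in_len > 0` in `_dwarf_loc_fill_locdesc`, so the begin/end pair and the length were read within bounds and only the expression is empty; the bounds check `*off + len > ds->ds_size` already covers the truncation case. Since `len` is whatever `dbg->read(ds->ds_data, off, 2)` returns, `len <= 0` collapses to `len == 0` if that is an unsigned type, which is worth making explicit. A separate `if (len == 0)` branch that records an empty location descriptor (or having `_dwarf_loc_fill_locdesc` accept `in_len == 0`) keeps the rest of the list walk on its normal path, whereas returning an error from the middle of a list leaves the caller holding a partially built list, which fits the SIGBUS reported after applying this change.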
didn't work as it results in SIGBUS crashes later on.
I suspect that architectures other than amd64 are affected as well but did not
confirm this.
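As an added example, not code from this bug report or from elftoolchain's libdwarf, the C program below parses the .debug_loc layout visible in the readelf output above: a pair of 4-byte begin/end addresses, an end-of-list marker when both are zero, otherwise a 2-byte expression length followed by the expression bytes. It bounds-checks every read so that a truncated section becomes an error code returned to the caller, and it records a zero-length expression as an ordinary entry, which is the case the `in_len > 0` assertion trips over. The byte buffer is constructed for the example (it is not taken from libc_pic.a), and all function and type names are the example's own; it assumes little-endian byte order and 4-byte addresses, and recognises the DWARF 3 base-address-selection entry without applying its base.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes: a truncated section is reported to the caller instead of
 * being asserted on, which is what the crash in the report lacks. */
enum loc_status { LOC_OK = 0, LOC_TRUNCATED = 1 };

/* One location list entry as readelf prints it: [begin, end) plus the
 * DWARF expression bytes. expr_len may legitimately be 0. */
struct loc_entry {
	uint32_t begin, end;
	const uint8_t *expr;   /* points into the section buffer */
	uint16_t expr_len;
};

/* Little-endian readers (amd64 byte order, as in the report). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Parse one location list (4-byte addresses) starting at *off. Up to max_out
 * entries are stored in out[], the number of entries seen goes to *nentries
 * and *off is advanced past the end-of-list marker. Every read is checked
 * against size before it happens.
 */
static enum loc_status
parse_loclist(const uint8_t *buf, size_t size, size_t *off,
    struct loc_entry *out, size_t max_out, size_t *nentries)
{
	size_t n = 0;

	for (;;) {
		if (*off > size || size - *off < 8)	/* need begin + end */
			return (LOC_TRUNCATED);
		uint32_t begin = rd32(buf + *off);
		uint32_t end = rd32(buf + *off + 4);
		*off += 8;
		if (begin == 0 && end == 0)		/* end-of-list marker */
			break;
		if (begin == UINT32_MAX)		/* DWARF 3 base address selection: no length field */
			continue;			/* (base address is not applied in this example) */
		if (size - *off < 2)			/* need the 2-byte expression length */
			return (LOC_TRUNCATED);
		uint16_t len = rd16(buf + *off);
		*off += 2;
		if (len > size - *off)			/* expression runs past the section */
			return (LOC_TRUNCATED);
		if (n < max_out) {
			out[n].begin = begin;
			out[n].end = end;
			out[n].expr = buf + *off;
			out[n].expr_len = len;		/* 0 is accepted, not asserted on */
		}
		n++;
		*off += len;
	}
	*nentries = n;
	return (LOC_OK);
}

/* Walk every list in a section, counting lists parsed cleanly and entries
 * whose expression is empty. Returns the status of the last list tried. */
static enum loc_status
walk_section(const uint8_t *buf, size_t size, size_t *lists_ok,
    size_t *empty_exprs, int verbose)
{
	struct loc_entry e[8];
	size_t off = 0, n, i;
	enum loc_status st = LOC_OK;

	*lists_ok = *empty_exprs = 0;
	while (off < size) {
		size_t list_off = off;
		st = parse_loclist(buf, size, &off, e, 8, &n);
		if (st != LOC_OK) {
			if (verbose)
				printf("%08zx: list truncated at byte %zu\n", list_off, off);
			break;
		}
		(*lists_ok)++;
		for (i = 0; i < n && i < 8; i++) {
			if (e[i].expr_len == 0)
				(*empty_exprs)++;
			if (verbose)
				printf("%08zx %08x %08x (%u expression bytes)\n",
				    list_off, e[i].begin, e[i].end, (unsigned)e[i].expr_len);
		}
		if (verbose)
			printf("%08zx <End of list>\n", list_off);
	}
	return (st);
}

/* Constructed .debug_loc bytes (not from libc_pic.a). Three lists:
 * 1: [0xb0,0xcd) DW_OP_reg15; DW_OP_piece 4, then end of list (21 bytes)
 * 2: [0xe0,0xe9) with a zero-length expression, then end of list (18 bytes)
 * 3: [0x100,0x110) claiming 32 expression bytes with only 2 present (12 bytes) */
static const uint8_t sample_loc[] = {
	0xb0,0,0,0, 0xcd,0,0,0, 0x03,0x00, 0x5f,0x93,0x04, 0,0,0,0, 0,0,0,0,
	0xe0,0,0,0, 0xe9,0,0,0, 0x00,0x00, 0,0,0,0, 0,0,0,0,
	0x00,0x01,0,0, 0x10,0x01,0,0, 0x20,0x00, 0x50,0x93,
};

int main(void)
{
	size_t ok, empty;
	enum loc_status st = walk_section(sample_loc, sizeof(sample_loc), &ok, &empty, 1);
	printf("%zu lists ok, %zu empty expressions, final status %d\n", ok, empty, (int)st);
	return (0);
}
```

Run stand-alone, the program prints the two well-formed lists in readelf's column layout (the second with its empty expression) and then reports the third list as truncated instead of aborting.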