Created attachment 1103406 [details]
the elf file with bug

There is an out-of-bounds read in the latest release version dwarf-20151114, and we have tested the other version dwarf-20140805, so we guess the versions between these two versions will be affected too. When an odd ELF file is passed to dwarfdump, it causes a segmentation fault by invalid memory access. Please see the attachment for the ELF file.

=========================================
Details:
==========================================

If an ELF file is passed to dwarfdump, a SIGSEGV will occur in libdwarf/dwarf_leb.c. Please see the attachment for the ELF file. When debugging it with gdb, the error information is as follows:

--------------------------------
Program received signal SIGSEGV, Segmentation fault.
_dwarf_decode_u_leb128 (leb128=leb128@entry=0x80006a5be7a4 <error: Cannot access memory at address 0x80006a5be7a4>, leb128_length=leb128_length@entry=0x7fffffffda68) at dwarf_leb.c:57
57          if ((*leb128 & 0x80) == 0) {
(gdb) bt
#0  _dwarf_decode_u_leb128 (leb128=leb128@entry=0x80006a5be7a4 <error: Cannot access memory at address 0x80006a5be7a4>, leb128_length=leb128_length@entry=0x7fffffffda68) at dwarf_leb.c:57
#1  0x00000000004319fb in dwarf_attrlist (die=die@entry=0x6bb850, attrbuf=attrbuf@entry=0x7fffffffdb18, attrcnt=attrcnt@entry=0x7fffffffdb10, error=0x67c298 <err>) at dwarf_query.c:246
#2  0x0000000000410909 in print_one_die (dbg=dbg@entry=0x67ef00, die=die@entry=0x6bb850, print_information=1, die_indent_level=1, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0, ignore_die_stack=ignore_die_stack@entry=0) at print_die.c:1211
#3  0x00000000004111d8 in print_die_and_children_internal (dbg=dbg@entry=0x67ef00, in_die_in=0x6a4a30, is_info=is_info@entry=1, srcfiles=srcfiles@entry=0x0, cnt=cnt@entry=0) at print_die.c:896
#4  0x00000000004115e5 in print_die_and_children_internal (dbg=dbg@entry=0x67ef00, in_die_in=0x6811a0, is_info=is_info@entry=1, srcfiles=0x0, cnt=0) at print_die.c:990
#5  0x0000000000411d1f in print_die_and_children (cnt=<optimized out>, srcfiles=<optimized out>, is_info=1, in_die_in=<optimized out>, dbg=0x67ef00) at print_die.c:778
#6  print_one_die_section (dbg=0x67ef00, is_info=is_info@entry=1) at print_die.c:725
#7  0x00000000004126a3 in print_infos (dbg=<optimized out>, is_info=is_info@entry=1) at print_die.c:319
#8  0x000000000040217a in process_one_file (config_file_data=0x6660c0 <config_file_data>, archive=0, tied_file_name=0x0, file_name=0x67d110 "./simplereader.elf", elftied=0x0, elf=<optimized out>) at dwarfdump.c:1280
#9  main (argc=<optimized out>, argv=<optimized out>) at dwarfdump.c:630
-----------------------------------------------
This is almost certainly an upstream bug given that we don't really do any patching of libdwarf (and assuming that the DWARF in your file is valid of course).
Interesting that although readelf doesn't crash it does issue various warnings about the debug data:

% readelf --debug-dump simplereader.elf > /tmp/readelf
readelf: Warning: Corrupt attribute block length: 72617744
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d8f in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d90 in .debug_info section
readelf: Warning: Bogus end-of-siblings marker detected at offset 7d91 in .debug_info section
readelf: Warning: Further warnings about bogus end-of-sibling markers suppressed
readelf: Warning: Corrupt attribute block length: 72617744
This is (from readelf) the entry that is crashing it:

 <1><3047>: Abbrev Number: 30 (DW_TAG_structure_type)
    <3048>   DW_AT_sibling     : <0x375e>
    <304c>   DW_AT_name        : 219477 byte block: 66 5f 44 ...

Note that readelf is reporting a structure with a 219477 byte name (I've truncated it but it really did output a massively long line) which seems very wrong...
I think I have a fix (to make it safely abort instead of crashing) and I've asked upstream about it. The actual problem is this seemingly corrupt abbreviation entry:

< 67><0x00000390><code:  30> DW_TAG_structure_type        DW_children_yes
       <0x00000393>              DW_AT_sibling                DW_FORM_ref4
       <0x00000395>              DW_AT_name                   DW_FORM_block4
       <0x00000397>              <Unknown AT value 0x0>       <Unknown FORM value 0x7f>
< 68><0x000003a0><code:   0> null .debug_abbrev entry
< 69><0x000003a1><code:   0> null .debug_abbrev entry
< 70><0x000003a2><code:   3> DW_TAG_imported_declaration  <Unknown children value 0x49>
       <0x000003a5>              DW_AT_language               <Unknown FORM value 0x3f>
       <0x000003a7>              DW_AT_bit_offset             <Unknown FORM value 0x3a>
       <0x000003a9>              DW_AT_byte_size              <Unknown FORM value 0x3b>
       <0x000003ab>              DW_AT_byte_size              <Unknown FORM value 0x2>
       <0x000003ad>              DW_AT_subscr_data            <Unknown FORM value 0x0>
       <0x000003af>              <Unknown AT value 0x0>       DW_FORM_ref_sig8
       <0x000003b1>              DW_AT_artificial             <Unknown FORM value 0x0>
       <0x000003b3>              DW_AT_name                   DW_FORM_string
       <0x000003b5>              DW_AT_type                   DW_FORM_ref4
       <0x000003b7>              DW_AT_decl_file              DW_FORM_data1
       <0x000003b9>              DW_AT_decl_line              DW_FORM_data1
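The crash in the reporter's backtrace is an unchecked ULEB128 decode running past the end of the section, and the fix described above (abort safely instead of crashing) amounts to giving the decoder an end pointer it must respect. As an added example, not libdwarf's code and not the patch applied in this bug, the C below puts an unchecked decoder in the style of the crashing path beside a bounds-checked one, and adds the DW_FORM_block4 length-versus-remaining-bytes check that is behind readelf's "Corrupt attribute block length" warning. The sample buffers are constructed for this example and are not bytes from the attached file; the function names and the status enum are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the bounds-checked decoder (names chosen for this example). */
enum leb_status { LEB_OK = 0, LEB_TRUNCATED = 1, LEB_TOO_LONG = 2 };

/*
 * Unchecked decoder in the style of the crashing code path: it consumes
 * bytes while the continuation bit (0x80) is set and has no notion of
 * where the section ends. On an abbreviation whose last byte still has
 * 0x80 set it reads off the mapped section and faults. Contrast only;
 * never call it on untrusted input.
 */
static uint64_t uleb128_decode_unchecked(const uint8_t *p, size_t *len)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    for (;;) {
        uint8_t byte = p[n++];
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0)
            break;
    }
    *len = n;
    return result;
}

/*
 * Bounds-checked decoder: never dereferences at or past end, and rejects
 * encodings needing more than 10 bytes (uint64_t holds 64 payload bits;
 * excess high bits in the 10th byte are discarded here, not rejected).
 * Failures come back as a status so the caller can abort cleanly.
 */
static enum leb_status uleb128_decode(const uint8_t *p, const uint8_t *end,
                                      uint64_t *out, size_t *len)
{
    uint64_t result = 0;
    unsigned shift = 0;
    size_t n = 0;
    while (p + n < end) {
        uint8_t byte = p[n++];
        if (shift >= 64)
            return LEB_TOO_LONG;          /* an 11th byte cannot fit */
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
        if ((byte & 0x80) == 0) {
            *out = result;
            *len = n;
            return LEB_OK;
        }
    }
    return LEB_TRUNCATED;                 /* section ended mid-value */
}

/* DW_FORM_block4: 4-byte little-endian length, then that many bytes. */
static uint32_t block4_length(const uint8_t *p, const uint8_t *end)
{
    if (end - p < 4)
        return 0;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The sanity check behind readelf's "Corrupt attribute block length". */
static int block4_fits(const uint8_t *p, const uint8_t *end)
{
    if (end - p < 4)
        return 0;
    return block4_length(p, end) <= (size_t)(end - (p + 4));
}

/* Wrappers so each sample reduces to one checkable value. */
static enum leb_status sample_status(const uint8_t *buf, size_t n)
{
    uint64_t v; size_t len;
    return uleb128_decode(buf, buf + n, &v, &len);
}

static uint64_t sample_value(const uint8_t *buf, size_t n)
{
    uint64_t v = 0; size_t len;
    return uleb128_decode(buf, buf + n, &v, &len) == LEB_OK ? v : 0;
}

/* Constructed inputs for this example (not bytes from the attached file). */
static const uint8_t SAMPLE_VALID[]     = { 0xE5, 0x8E, 0x26 };   /* 624485 */
static const uint8_t SAMPLE_TRUNCATED[] = { 0xE5, 0x8E };         /* cut mid-value */
static const uint8_t SAMPLE_TOO_LONG[]  = { 0x80, 0x80, 0x80, 0x80, 0x80, 0x80,
                                            0x80, 0x80, 0x80, 0x80, 0x80, 0x00 };
/* block4 claiming 72617744 bytes but followed by only three ("f_D"). */
static const uint8_t SAMPLE_BLOCK4[]    = { 0x10, 0x0F, 0x54, 0x04, 'f', '_', 'D' };

int main(void)
{
    size_t len;
    printf("unchecked valid: %llu\n",
           (unsigned long long)uleb128_decode_unchecked(SAMPLE_VALID, &len));
    printf("checked valid: status %d value %llu\n",
           sample_status(SAMPLE_VALID, sizeof SAMPLE_VALID),
           (unsigned long long)sample_value(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("checked truncated: status %d\n",
           sample_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("checked too long: status %d\n",
           sample_status(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG));
    printf("block4 length %u fits: %d\n",
           block4_length(SAMPLE_BLOCK4, SAMPLE_BLOCK4 + sizeof SAMPLE_BLOCK4),
           block4_fits(SAMPLE_BLOCK4, SAMPLE_BLOCK4 + sizeof SAMPLE_BLOCK4));
    return 0;
}
```

The unchecked decoder is only ever called on the well-formed sample in main; the same call on SAMPLE_TRUNCATED would read one byte past the array, which is the class of bug the backtrace shows. A decoder that takes an end pointer turns that read into LEB_TRUNCATED, and the block4 check catches the oversized DW_AT_name block before any attempt is made to read it.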
Upstream patch applied in libdwarf-20151114-2.fc24 build.