https://sourceware.org/bugzilla/show_bug.cgi?id=30985
Bug ID: 30985
Summary: ctf_add_member_encoded of a type on a parent dumps core
Product: binutils
Version: 2.41
Status: NEW
Severity: normal
Priority: P2
Component: libctf
Assignee: unassigned at sourceware dot org
Reporter: nick.alcock at oracle dot com
Target Milestone: ---

This dumps core:

    #include <ctf-api.h>

    ctf_dict_t *fp;
    ctf_encoding_t e = { CTF_INT_SIGNED, 0, sizeof (long) };
    ctf_id_t type;
    int err;

    if ((fp = ctf_create (&err)) == NULL)
      /* error handling */

    if ((type = ctf_add_struct (fp, CTF_ADD_ROOT, "foo")) == CTF_ERR)
      /* error handling */

    /* 666 is a garbage type ID that exists in no dict.  */
    if (ctf_add_member_encoded (fp, type, "member", 666, 5, e) == CTF_ERR)
      /* error handling */

Now this is obviously invalid code (emitting a member of a nonexistent garbage type ID). But this also dumps core for the same reason:

    #include <ctf-api.h>

    ctf_dict_t *pfp, *cfp;
    ctf_encoding_t e = { CTF_INT_SIGNED, 0, sizeof (long) };
    ctf_id_t ptype, stype;
    int err;

    if ((pfp = ctf_create (&err)) == NULL)
      /* error handling */

    if ((cfp = ctf_create (&err)) == NULL)
      /* error handling */

    /* cfp becomes a child dict whose parent is pfp.  */
    if (ctf_import (cfp, pfp) < 0)
      /* error handling */

    /* The integer lives in the parent ...  */
    if ((ptype = ctf_add_integer (pfp, CTF_ADD_NONROOT, "int", &e)) == CTF_ERR)
      /* error handling */

    /* ... and the struct in the child.  */
    if ((stype = ctf_add_struct (cfp, CTF_ADD_ROOT, "foo")) == CTF_ERR)
      /* error handling */

    /* Adding a member of the parent's type via the child dict dumps core.  */
    if (ctf_add_member_encoded (cfp, stype, "cmember", ptype, 5, e) == CTF_ERR)
      /* error handling */

The underlying problem is that the ctf_add_member_encoded operation looks up the DTD of 'ptype' to try to figure out its type kind (for error handling), but does not allow for the possibility that the DTD lookup might fail. Firstly, of course, it might fail because you provided an invalid ptype; but secondly, DTD lookup doesn't recurse to parents if nothing is found in a child dict, but ctf_add_member_encoded() assumes that it does.

An audit while fixing this revealed other, related problems with ctf_set_array, ctf_add_enumerator, ctf_add_member and ctf_add_member_offset, all of which produce ECTF_BADID errors if asked to modify a type in an imported parent dict via a child dict. Fixing.

Thanks to Kris Van Hees for identifying the first of these problems and tracking it down.
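The lookup failure described above, modelled as an added example that is not libctf's code: a child dict with an imported parent, the child-only DTD lookup that returns NULL for a parent type ID, and a fixed lookup that falls back to the parent and reports an unknown ID as an error instead of letting the caller dereference NULL. The type-ID split (parent IDs up to PARMAX), the struct layouts and the kind numbers are assumptions.

```c
/* Added example (not libctf code): simplified model of a child CTF dict that
   imported a parent, and of the dynamic type (DTD) lookup behind bug 30985.
   Type-ID layout, names and sizes are assumptions. */
#include <stddef.h>
#include <stdio.h>

#define PARMAX 1000   /* assumed: IDs 1..PARMAX belong to the parent dict */
#define NTYPES 8

typedef unsigned long ctf_id_t;
typedef struct { ctf_id_t id; int kind; } dtd_t;       /* kind 0: empty slot */
typedef struct dict { struct dict *parent; dtd_t dtd[NTYPES]; } dict_t;

/* The lookup as it behaved before the fix: searches only fp's own table. */
static dtd_t *dtd_lookup_child_only (dict_t *fp, ctf_id_t id)
{
  for (int i = 0; i < NTYPES; i++)
    if (fp->dtd[i].kind != 0 && fp->dtd[i].id == id)
      return &fp->dtd[i];
  return NULL;
}

/* Fixed lookup: an ID in the parent range is resolved in the parent dict
   (fp->parent models what ctf_import () sets; NULL in a parent dict). */
static dtd_t *dtd_lookup (dict_t *fp, ctf_id_t id)
{
  if (fp->parent != NULL && id <= PARMAX)
    fp = fp->parent;
  return dtd_lookup_child_only (fp, id);
}

/* Builds the report's second scenario ("int" in the parent, struct "foo" in
   the child) and returns the kind of TYPE as ctf_add_member_encoded would see
   it, or -1 (ECTF_BADID) when no DTD is found.  The unfixed code dereferenced
   that NULL instead of returning an error, hence the core dump. */
int member_type_kind (ctf_id_t type, int use_fixed_lookup)
{
  dict_t pfp = { NULL, { { 1, 1 /* integer */ } } };
  dict_t cfp = { &pfp, { { PARMAX + 1, 6 /* struct */ } } };
  dtd_t *dtd = use_fixed_lookup ? dtd_lookup (&cfp, type)
                                : dtd_lookup_child_only (&cfp, type);
  return dtd == NULL ? -1 : dtd->kind;
}

int main (void)
{
  printf ("parent int via child: old %d, fixed %d\n",
          member_type_kind (1, 0), member_type_kind (1, 1));
  printf ("garbage ID 666, fixed lookup: %d\n", member_type_kind (666, 1));
  return 0;
}
```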