[Bug libdw/24102] A Heap-buffer-overflow problem was discovered in the function read_srclines in dwarf_getsrclines.c in libdw
https://sourceware.org/bugzilla/show_bug.cgi?id=24102

--- Comment #5 from Mark Wielaard ---
Apparently this bug got assigned CVE-2019-7149

--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug libdw/24103] dwfl_segment_report_module doesn't check whether the dyn data read from core file is truncated
https://sourceware.org/bugzilla/show_bug.cgi?id=24103

--- Comment #4 from Mark Wielaard ---
Apparently this bug got assigned CVE-2019-7150
Re: [PATCHv1 0/2] specify a sysroot to search when examining a core file
Hi Luke,

(BTW. Note that HTML emails will get dropped, you should get a bounce
from the mailing list.)

On Tue, 2019-01-29 at 19:46 +, Luke Diamand wrote:
> Thanks for the comments on the other emails, I'll rework my patch to
> incorporate them.
>
> I've got a small test case I've been using which uses a prebuilt ARM
> and MIPS(!) libc.so (from buildroot) and a core file. But I think in
> theory it ought to be possible to fake something up with a purely
> source code based test. Perhaps create a shared library which dumps
> core, and play around with the rpath?
>
> Is there an existing test case you would suggest that I start from?
>
> I'll have a look.

To test cross arch things it is sometimes just necessary to include
precompiled binaries in the test files (hopefully as small as possible
of course). For example the tests/run-backtrace-core-.sh tests include
such pregenerated binaries:

# executable generated by:
#
# gcc -D_GNU_SOURCE -I. -I.. -I../lib -m32 -pthread -static -g \
# -o backtrace.ppc.exec backtrace-child.c
#
# core generated by:
#
# ./backtrace.ppc.exec --gencore

tests/backtrace-subr.sh has some overly complicated code to generate a
core file for the run-backtrace-native-core.sh testcase.

For non-core, running native tests you could look at
tests/run-native-test.sh

All these are slightly fragile though.

Cheers,

Mark
Re: [PATCH elfutils 2/2] [tests] parse inode in /proc/pid/maps correctly in run-backtrace-data.sh
On Tue, Jan 29, 2019 at 09:23:39PM +, Yonghong Song wrote:
> On 1/29/19 12:50 PM, Mark Wielaard wrote:
> > On Fri, Jan 25, 2019 at 01:20:09PM -0800, Yonghong Song wrote:
> >> The backtrace-data.c parsed the inode in /proc/pid/maps with
> >> format "%*x".
> >> This caused failure if inode is big. For example,
> >>   7f269223d000-7f269226b000 r-xp 00:50 10224326387095067468
> >> /home/...
> >
> > I have a bit of trouble replicating this (with a simple sscanf).
> > How exactly does it fail?
>
> The error message looks like:
>
> -bash-4.4$ cat run-backtrace-data.sh.log
> backtrace-data:
> /home/engshare/elfutils/0.174/src/elfutils-0.174/tests/backtrace-data.c:110:
> maps_lookup: Assertion `errno == 0' failed.
> /home/engshare/elfutils/0.174/src/elfutils-0.174/tests/test-subr.sh:
> line 84: 3123578 Aborted (core dumped)
> LD_LIBRARY_PATH="${built_library_path}${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
> $VALGRIND_CMD "$@"
> data: no main
> -bash-4.4$
>
> The reason is errno is ERANGE.

Aha. Thanks. That is what I get for not testing against the actual
testcase. I wasn't checking errno. But that certainly explains the
issue. The %*x would parse the number as a hex number, causing the
number to be so big that it generated an ERANGE (also it would accept
some things that it shouldn't). But with %*u it uses base-10 encoding,
so the number doesn't get too big.

So your fix is correct.
But the testcase is also slightly wrong.
It really shouldn't check errno if the function didn't fail.
There is no guarantee that it will be zero.

> "%u" works as well. Let me submit another patch for this.

Thanks,

Mark
Re: [PATCH elfutils] [tests] parse inode in /proc/pid/maps/correctly in run-backtrace-data.sh
On Tue, Jan 29, 2019 at 01:33:03PM -0800, Yonghong Song wrote:
> The backtrace-data.c parsed the inode in /proc/pid/maps with
> format "%*x".
> This caused failure if inode is big. For example,
>   7f269223d000-7f269226b000 r-xp 00:50 10224326387095067468
> /home/...
>
> The error looks like below:
> -bash-4.4$ cat run-backtrace-data.sh.log
> backtrace-data:
> /home/engshare/elfutils/0.174/src/elfutils-0.174/tests/backtrace-data.c:110:
> maps_lookup: Assertion `errno == 0' failed.
> /home/engshare/elfutils/0.174/src/elfutils-0.174/tests/test-subr.sh: line
> 84:
> 3123578 Aborted (core dumped)
>
> LD_LIBRARY_PATH="${built_library_path}${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH"
> $VALGRIND_CMD "$@"
> data: no main
> -bash-4.4$
> The reason is errno is ERANGE.
>
> Fix the test with inode format string "%*u" as inode here is presented
> as decimal numbers.

Thanks. Added a ChangeLog entry and pushed to master.
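The two points made in this thread, that the inode column must be read as decimal (%*u) rather than hex (%*x), and that checking errno == 0 after a call that succeeded is not a valid test, shown in an added C example that is not part of the elfutils test suite. The maps line and the library path in it are constructed, modelled on the line quoted in the report, and a 64-bit unsigned long is assumed.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed /proc/pid/maps line, modelled on the one in the report:
   the inode column is a 20-digit decimal value that fits in 64 bits
   when read in base 10 (%*u) but overflows when read as hex (%*x). */
static const char sample_maps_line[] =
  "7f269223d000-7f269226b000 r-xp 00000000 00:50 10224326387095067468 "
  "/path/to/example/libexample.so";

/* Same format string as the fixed maps_lookup: the inode is consumed
   with %*u. Returns the number of fields assigned (3 on success). */
int parse_maps_line (const char *line, unsigned long *start,
                     unsigned long *end, unsigned long *offset)
{
  return sscanf (line, "%lx-%lx %*s %lx %*x:%*x %*u", start, end, offset);
}

/* Mirror what maps_lookup does with the fields: the module base is
   start - offset. Returns 0 if the line did not parse. */
unsigned long maps_line_base (const char *line)
{
  unsigned long start, end, offset;
  if (parse_maps_line (line, &start, &end, &offset) != 3)
    return 0;
  return start - offset;
}

/* Why "assert (errno == 0)" after a successful call is wrong: the C
   standard says no library function ever sets errno to zero, so a
   stale value (ERANGE, set here on purpose) survives a successful
   parse. Returns the errno value seen after sscanf succeeded. */
int errno_after_successful_parse (void)
{
  unsigned long start, end, offset;
  errno = ERANGE;
  if (parse_maps_line (sample_maps_line, &start, &end, &offset) != 3)
    return -1;  /* unexpected parse failure */
  return errno;  /* nonzero: the stale ERANGE is still there */
}

int main (void)
{
  printf ("base=%#lx errno after success=%d (ERANGE=%d)\n",
          maps_line_base (sample_maps_line),
          errno_after_successful_parse (), ERANGE);
  return 0;
}
```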
Re: [PATCH elfutils 2/2] [tests] parse inode in /proc/pid/maps correctly in run-backtrace-data.sh
On Thu, Jan 31, 2019 at 10:14:32PM +0100, Mark Wielaard wrote: > So your fix is correct. > But the testcase is also slightly wrong. > It really shouldn't check errno if the function didn't fail. > There is no guarantee that it will be zero. So, even though it found a bug, I am removing these asserts. They really aren't correct. When a function fails, it will set errno. But if a function succeeds, there is no guarantee that it will set errno to zero. Attached patch pushed to master. Cheers, Mark >From fe7d3f3635e66fe8ec1fde91f886857b0dea7d22 Mon Sep 17 00:00:00 2001 From: Mark Wielaard Date: Thu, 31 Jan 2019 23:18:25 +0100 Subject: [PATCH] tests: Remove assert (errno == 0) from tests. When a function fails it might set errno. But it isn't a guarantee that if a function succeeds that it sets errno to zero. Signed-off-by: Mark Wielaard --- tests/ChangeLog | 10 ++ tests/backtrace-child.c | 2 -- tests/backtrace-data.c | 10 -- tests/backtrace.c | 5 - 4 files changed, 10 insertions(+), 17 deletions(-) diff --git a/tests/ChangeLog b/tests/ChangeLog index c91764fb3..c2d868878 100644 --- a/tests/ChangeLog +++ b/tests/ChangeLog @@ -1,3 +1,13 @@ +2019-01-31 Mark Wielaard + + * backtrace-child.c (stdarg): Remove assert (errno == 0). + (main): Likewise. + * backtrace-data.c (maps_lookup): Likewise. + (set_initial_registers): Likewise. + (main): Likewise. + * backtrace.c (prepare_thread): Likewise. + (exec_dump): Likewise. + 2019-01-29 Yonghong Song * backtrace-data.c (maps_lookup): Use %*u, not %*x, to parse diff --git a/tests/backtrace-child.c b/tests/backtrace-child.c index 9c6ba94f1..8bfed478c 100644 --- a/tests/backtrace-child.c +++ b/tests/backtrace-child.c @@ -164,7 +164,6 @@ stdarg (int f UNUSED, ...) if (ptraceme) { long l = ptrace (PTRACE_TRACEME, 0, NULL, NULL); - assert (errno == 0); assert (l == 0); } #ifdef RAISE_JMP_PATCHING 
@@ -236,7 +235,6 @@ main (int argc UNUSED, char **argv) { errno = 0; long l = ptrace (PTRACE_TRACEME, 0, NULL, NULL); - assert (errno == 0); assert (l == 0); } if (gencore) diff --git a/tests/backtrace-data.c b/tests/backtrace-data.c index b389d6aff..907b47801 100644 --- a/tests/backtrace-data.c +++ b/tests/backtrace-data.c @@ -96,10 +96,8 @@ maps_lookup (pid_t pid, Dwarf_Addr addr, GElf_Addr *basep) { char *fname; int i = asprintf (&fname, "/proc/%ld/maps", (long) pid); - assert (errno == 0); assert (i > 0); FILE *f = fopen (fname, "r"); - assert (errno == 0); assert (f); free (fname); for (;;) @@ -107,7 +105,6 @@ maps_lookup (pid_t pid, Dwarf_Addr addr, GElf_Addr *basep) // 37e3c22000-37e3c23000 rw-p 00022000 00:11 49532 /lib64/ld-2.14.90.so */ unsigned long start, end, offset; i = fscanf (f, "%lx-%lx %*s %lx %*x:%*x %*u", &start, &end, &offset); - assert (errno == 0); if (i != 3) break; char *filename = strdup (""); @@ -129,7 +126,6 @@ maps_lookup (pid_t pid, Dwarf_Addr addr, GElf_Addr *basep) if (start <= addr && addr < end) { i = fclose (f); - assert (errno == 0); assert (i == 0); *basep = start - offset; @@ -183,7 +179,6 @@ set_initial_registers (Dwfl_Thread *thread, struct user_regs_struct user_regs; long l = ptrace (PTRACE_GETREGS, child, NULL, &user_regs); - assert (errno == 0); assert (l == 0); Dwarf_Word dwarf_regs[17]; @@ -284,11 +279,9 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused))) switch (child) { case -1: - assert (errno == 0); assert (0); case 0:; long l = ptrace (PTRACE_TRACEME, 0, NULL, NULL); - assert (errno == 0); assert (l == 0); raise (SIGUSR1); return 0; @@ -298,7 +291,6 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused))) int status; pid_t pid = waitpid (child, &status, 0); - assert (errno == 0); assert (pid == child); assert (WIFSTOPPED (status)); assert (WSTOPSIG (status) == SIGUSR1); 
@@ -316,7 +308,6 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused))) struct user_regs_struct user_regs; long l = ptrace (PTRACE_GETREGS, child, NULL, &user_regs); - assert (errno == 0); assert (l == 0); report_module (dwfl, child, user_regs.rip); @@ -330,7 +321,6 @@ main (int argc __attribute__ ((unused)), char **argv __attribute__ ((unused))) dwfl_end (dwfl); kill (child, SIGKILL); pid = waitpid (child, &status, 0); - assert (errno == 0); assert (pid == child); assert (WIFSIGNALED (status)); assert (WTERMSIG (status) == SIGKILL); diff --git a/tests/backtrace.c b/tests/backtrace.c index 24ab68dd4..05e8ef82e 100644 --- a/tests/backtrace.c +++ b/tests/backtrace.c @@ -281,16 +281,13 @@ prepare_thread (pid_t pid2 __attribute__ ((unused)), struct user_regs_struct user_regs; errno = 0; l = ptrace (PTRACE_GETREGS, pid2, 0, (in
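Review bot: in the backtrace-child.c hunk @@ -236,7 +235,6 @@ main the `errno = 0;` just before `long l = ptrace (PTRACE_TRACEME, 0, NULL, NULL);` now has no reader, since the removed `assert (errno == 0);` was the only thing that depended on it; drop that line too so the block matches the stdarg hunk in the same file, which has no reset and keeps only `assert (l == 0);`.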
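Review bot: in the backtrace-data.c hunk @@ -107,7 +105,6 @@ maps_lookup the removed `assert (errno == 0);` after `fscanf (f, "%lx-%lx %*s %lx %*x:%*x %*u", ...)` is the check that surfaced the inode overflow fixed in the 2019-01-29 ChangeLog entry; with it gone, an out-of-range conversion is only noticed if it also drops the return value below 3, which `if (i != 3) break;` covers. A one-line comment at that spot saying the field count is the only check, or a cheap sanity assertion such as `assert (start < end);` on the parsed range, would keep that intent visible.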
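Review bot: in the backtrace-data.c hunk @@ -284,11 +279,9 @@ main, `case -1:` of the fork switch is left as a bare `assert (0);`, which discards the reason fork failed; this is the one place in the patch where errno is meaningful (fork returned -1), so report it rather than only abort, e.g. `perror ("fork"); abort ();`.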
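Review bot: in the backtrace.c hunk @@ -281,16 +281,13 @@ prepare_thread the context lines still show `errno = 0;` ahead of `l = ptrace (PTRACE_GETREGS, pid2, 0, ...)`; the hunk header says three lines are removed there, so if the errno assert is among them the reset should go with it, as suggested for the backtrace-child.c main hunk.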
Re: [PATCH] configure: Add new --enable-install-elfh option.
On Wed, Jan 30, 2019 at 09:54:53AM +, Ulf Hermann wrote:
> > Yes, it should indeed.
> > I used a slightly different solution though.
> > It relies on the default include flags already including the srcdirs.
> > Does that work for your use case too? (See revised patch attached.)
>
> I'm not an expert in autotools. The reason I also have "else" case in my
> code is that I want to do "+=" in the USE_GNULIB case below. That only
> works if system_elf_libelf_test_CPPFLAGS is defined, which curiously it
> is not if you don't explicitly set it before (even though it is
> implicitly there somehow ... ?!?).
>
> In particular I get the following error from autoconf if I naively merge
> your patch:
>
> > Ulf@Ulf-PC MINGW64 /d/elfutils$ autoreconf -fi
> > tests/Makefile.am:617: error: cannot apply '+=' because
> > 'system_elf_libelf_test_CPPFLAGS' is not defined in
> > tests/Makefile.am:617: the following conditions:
> > tests/Makefile.am:617: INSTALL_ELFH and USE_GNULIB
> > tests/Makefile.am:617: either define 'system_elf_libelf_test_CPPFLAGS' in
> > these conditions, or use
> > tests/Makefile.am:617: '+=' in the same conditions as the definitions.
> > autoreconf: automake failed with exit status: 1
>
> As this only applies to my code, you are of course free to apply your
> version upstream. It probably makes no difference if the USE_GNULIB case
> isn't there. I will adapt my code then.

That makes sense. I added the else to explicitly set it:

diff --git a/tests/Makefile.am b/tests/Makefile.am index 4c4af7843..1b0c7d333 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -598,6 +598,8 @@ addsections_LDADD = $(libelf) # Don't include any -I CPPFLAGS. Except when we install our own elf.h. if !INSTALL_ELFH system_elf_libelf_test_CPPFLAGS = +else +system_elf_libelf_test_CPPFLAGS = -I$(top_srcdir)/libelf endif system_elf_libelf_test_LDADD = $(libelf)

Pushed with that change.

Thanks,

Mark
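Review bot: the added `else` branch gives `system_elf_libelf_test_CPPFLAGS` a definition under INSTALL_ELFH, which is what the automake error quoted above ("cannot apply '+=' because 'system_elf_libelf_test_CPPFLAGS' is not defined in ... INSTALL_ELFH and USE_GNULIB") asks for, but it also means that with --enable-install-elfh the test named system_elf_libelf_test compiles against libelf's own elf.h from $(top_srcdir)/libelf instead of the system header; the comment above the block ("Don't include any -I CPPFLAGS. Except when we install our own elf.h.") should say that the test then no longer exercises the system elf.h, or the test could be skipped in that configuration.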
[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #4 from wcventure ---
(In reply to Mark Wielaard from comment #3)

Not completely repaired. Here is the Regression test case.
[Bug tools/24116] A Heap-buffer-overflow problem was discovered in the function print_debug_line_section in readelf.c
https://sourceware.org/bugzilla/show_bug.cgi?id=24116

--- Comment #5 from wcventure ---
Created attachment 11581
--> https://sourceware.org/bugzilla/attachment.cgi?id=11581&action=edit
Regression