From: nick.alcock at oracle dot com
Subject: [Bug libctf/30985] New: ctf_add_member_encoded of a type on a parent dumps core
Date: Thu, 19 Oct 2023 13:12:47 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30985

            Bug ID: 30985
           Summary: ctf_add_member_encoded of a type on a parent dumps
                    core
           Product: binutils
           Version: 2.41
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libctf
          Assignee: unassigned at sourceware dot org
          Reporter: nick.alcock at oracle dot com
  Target Milestone: ---

This dumps core:

  #include <ctf-api.h>

  static int
  repro_garbage_id (void)
  {
    ctf_dict_t *fp;
    ctf_encoding_t e = { CTF_INT_SIGNED, 0, sizeof (long) };
    ctf_id_t type;
    int err;

    if ((fp = ctf_create (&err)) == NULL)
      return -1;                                  /* error handling */

    if ((type = ctf_add_struct (fp, CTF_ADD_ROOT, "foo")) == CTF_ERR)
      return -1;                                  /* error handling */

    /* 666 is not a type ID in fp: this call dumps core.  */
    if (ctf_add_member_encoded (fp, type, "member", 666, 5, e) == CTF_ERR)
      return -1;                                  /* error handling */

    return 0;
  }

Now this is obviously invalid code (emitting a member of a nonexistent garbage
type ID). But this also dumps core for the same reason:

  #include <ctf-api.h>

  static int
  repro_parent_type (void)
  {
    ctf_dict_t *pfp, *cfp;
    ctf_encoding_t e = { CTF_INT_SIGNED, 0, sizeof (long) };
    ctf_id_t ptype, stype;
    int err;

    if ((pfp = ctf_create (&err)) == NULL)
      return -1;                                  /* error handling */

    if ((cfp = ctf_create (&err)) == NULL)
      return -1;                                  /* error handling */

    if (ctf_import (cfp, pfp) < 0)
      return -1;                                  /* error handling */

    /* The member's type lives in the parent dict ...  */
    if ((ptype = ctf_add_integer (pfp, CTF_ADD_NONROOT, "int", &e)) == CTF_ERR)
      return -1;                                  /* error handling */

    /* ... but the struct is in the child dict.  */
    if ((stype = ctf_add_struct (cfp, CTF_ADD_ROOT, "foo")) == CTF_ERR)
      return -1;                                  /* error handling */

    /* ptype is valid, yet this call dumps core too.  */
    if (ctf_add_member_encoded (cfp, stype, "cmember", ptype, 5, e) == CTF_ERR)
      return -1;                                  /* error handling */

    return 0;
  }

The underlying problem is that the ctf_add_member_encoded operation looks up the
DTD of 'ptype' to try to figure out its type kind (for error handling), but
does not allow for the possibility that the DTD lookup might fail. Firstly, of
course, it might fail because you provided an invalid ptype; but secondly, DTD
lookup doesn't recurse to parents if nothing is found in a child dict, while
ctf_add_member_encoded() assumes that it does.

An audit while fixing this revealed other, related problems with ctf_set_array,
ctf_add_enumerator, ctf_add_member and ctf_add_member_offset, all of which
produce ECTF_BADID errors if asked to modify a type in an imported parent dict
via a child dict.

Fixing. Thanks to Kris Van Hees for identifying the first of these problems and
tracking it down.
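The two failure modes described above (a garbage type ID, and a valid type that lives only in the imported parent dict), as an added, self-contained model that is not libctf's code: the dict, DTD and lookup functions below are constructed assumptions that mirror the report's description, and member_type_kind shows the hardened shape in which a failed lookup becomes ECTF_BADID rather than a NULL dereference.

```c
#include <stddef.h>

/* Constructed model of the lookup path in the report, not libctf's own code.
   IDs with PARENT_FLAG set name types that live in an imported parent dict.  */
#define PARENT_FLAG 0x80000000u
enum { CTF_ERR = -1, ECTF_BADID = 1, KIND_INT = 1, KIND_STRUCT = 6 };

typedef struct { unsigned int id; int kind; } dtd_t;
typedef struct dict {
  struct dict *parent;   /* set by ctf_import() in the model; NULL if none */
  dtd_t dtds[8]; size_t ndtds;
  int err;               /* last error, as ctf_errno() would report it */
} dict_t;

/* Searches only this dict: the lookup the report says does not recurse.  */
static dtd_t *dtd_lookup_local (dict_t *fp, unsigned int id)
{
  for (size_t i = 0; i < fp->ndtds; i++)
    if (fp->dtds[i].id == id) return &fp->dtds[i];
  return NULL;
}

/* Parent-aware lookup: follows the import link for parent-flagged IDs.  */
static dtd_t *dtd_lookup (dict_t *fp, unsigned int id)
{
  if ((id & PARENT_FLAG) && fp->parent != NULL)
    return dtd_lookup_local (fp->parent, id);
  return dtd_lookup_local (fp, id);
}

/* Hardened form of the kind query: a failed lookup (garbage ID, or a type
   that exists only in the parent) yields ECTF_BADID, never a NULL deref.  */
static int member_type_kind (dict_t *fp, unsigned int type)
{
  dtd_t *dtd = dtd_lookup (fp, type);
  if (dtd == NULL)
    { fp->err = ECTF_BADID; return CTF_ERR; }
  return dtd->kind;
}

/* The report's second scenario: an int in the parent, a struct in the child.  */
static int kind_via_child (unsigned int type, int *err)
{
  dict_t pfp = { 0 }, cfp = { 0 };
  pfp.dtds[pfp.ndtds++] = (dtd_t) { PARENT_FLAG | 1, KIND_INT };
  cfp.dtds[cfp.ndtds++] = (dtd_t) { 1, KIND_STRUCT };
  cfp.parent = &pfp;
  int kind = member_type_kind (&cfp, type);
  *err = cfp.err;
  return kind;
}
```

Querying the parent-resident int through the child dict returns its kind, while the garbage ID 666 from the report's first snippet is reported as ECTF_BADID instead of crashing.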
