Description
Environment
Wed Nov 6 12:22:34 UTC 2024
radare2 5.8.9 31715 @ linux-x86-64
birth: git.5.8.9 2024-10-29__08:52:54
commit: 4eedc8a548bb3cfc898264ee827a086174efebc7
options: gpl -O? cs:5 cl:2 make
Linux x86_64
Description
When parsing DWARF information from debug sections such as .debug_line, radare2 does not check whether the section is compressed or not. This means that radare2 ends up parsing compressed content as raw DWARF. Under specific conditions, this can lead to busy looping.
In the file that triggered this, we have a .debug_line section that contains the following bytes:
00000000 01 00 00 00 89 0d 00 00 01 00 00 00 78 9c 95 57 |............x..W|
When decompressed, we obtain these bytes:
00000000 68 00 00 00 03 00 2c 00 00 00 02 01 fb 0e 0d 00 |h.....,.........|
Since the content is not decompressed by radare2, the DWARF version is parsed as 0x0d89 (3465): the bytes at offset 4 are the ch_size field of the Elf32_Chdr compression header that precedes the zlib stream (78 9c), not a DWARF version field. parse_line_header_source_dwarf5 is then called, which ends up parsing a total_entries value of 218404728533093 and going into an (almost) endless loop.
Dumping the DWARF sections in compressed / decompressed state can be done with objcopy:
arm-linux-gnueabi-objcopy --dump-section .debug_line=sample.debug_line sample
arm-linux-gnueabi-objcopy --decompress-debug-sections --dump-section .debug_line=sample.debug_line.dec sample
Implementation Hints
There's already a check for sections with zdebug in their names:
Lines 387 to 390 in d56955a
A similar approach should be implemented, checking the section flags for SHF_COMPRESSED.
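As an added example (standalone Python, not radare2's own parser or a patch to it), the following reconstructs both the failure described above and the check suggested here: it wraps a constructed .debug_line payload in an Elf_Chdr plus zlib stream the way a linker does for SHF_COMPRESSED, shows that a parser which ignores the flag reads the "DWARF version" out of the ch_size field, and then parses the header correctly by consulting sh_flags, decompressing, and validating the version and unit_length before trusting any counts. The function names, the zero padding to 3465 bytes (chosen so that ch_size reproduces the 0x0d89 seen in the report) and the 32-bit-DWARF-only handling are assumptions made for the example.

```python
import struct
import zlib

SHF_COMPRESSED = 0x800     # ELF sh_flags bit: contents are an Elf_Chdr followed by compressed data
ELFCOMPRESS_ZLIB = 1       # ch_type value meaning "zlib stream follows the Chdr"

# Constructed sample: the 16 decompressed bytes shown in the report
# (unit_length=0x68, version=3, header_length=0x2c, min_inst_len=2,
# default_is_stmt=1, line_base=-5, line_range=14, opcode_base=13),
# zero-padded to 3465 bytes so that ch_size becomes 0x0d89 as in the report.
RAW_DEBUG_LINE = bytes.fromhex("68000000" "0300" "2c000000" "02" "01" "fb" "0e" "0d" "00")
RAW_DEBUG_LINE += b"\x00" * (3465 - len(RAW_DEBUG_LINE))


def build_compressed_section(raw: bytes, is_64: bool = False) -> bytes:
    """Produce SHF_COMPRESSED section contents: Elf32_Chdr/Elf64_Chdr + zlib stream."""
    if is_64:
        # ch_type, ch_reserved, ch_size, ch_addralign
        chdr = struct.pack("<IIQQ", ELFCOMPRESS_ZLIB, 0, len(raw), 1)
    else:
        # ch_type, ch_size, ch_addralign
        chdr = struct.pack("<III", ELFCOMPRESS_ZLIB, len(raw), 1)
    return chdr + zlib.compress(raw)


def naive_version(section: bytes) -> int:
    """What a parser sees when it ignores SHF_COMPRESSED: the 'version' is really ch_size."""
    _unit_length, version = struct.unpack_from("<IH", section, 0)
    return version


def decompress_section(section: bytes, is_64: bool) -> bytes:
    """Validate the Chdr, inflate the payload and check it matches the declared ch_size."""
    if is_64:
        ch_type, _reserved, ch_size, _align = struct.unpack_from("<IIQQ", section, 0)
        hdr_len = 24
    else:
        ch_type, ch_size, _align = struct.unpack_from("<III", section, 0)
        hdr_len = 12
    if ch_type != ELFCOMPRESS_ZLIB:
        raise ValueError(f"unsupported compression type {ch_type}")
    out = zlib.decompress(section[hdr_len:])
    if len(out) != ch_size:
        raise ValueError(f"decompressed size {len(out)} != ch_size {ch_size}")
    return out


def parse_line_header(section: bytes, sh_flags: int, is_64: bool = False) -> dict:
    """Parse the start of a .debug_line unit, decompressing first when the flag says so."""
    data = decompress_section(section, is_64) if sh_flags & SHF_COMPRESSED else section
    unit_length, version = struct.unpack_from("<IH", data, 0)
    if unit_length == 0xFFFFFFFF:
        raise ValueError("64-bit DWARF unit not handled in this example")
    # Reject implausible headers before any loop is driven by values read from them.
    if not 2 <= version <= 5:
        raise ValueError(f"implausible DWARF version {version}")
    if unit_length > len(data) - 4:
        raise ValueError(f"unit_length {unit_length} exceeds section size {len(data)}")
    (header_length,) = struct.unpack_from("<I", data, 6)
    return {"unit_length": unit_length, "version": version, "header_length": header_length}


if __name__ == "__main__":
    sec = build_compressed_section(RAW_DEBUG_LINE)
    print("ignoring the flag: version =", hex(naive_version(sec)))          # 0xd89
    print("honouring the flag:", parse_line_header(sec, SHF_COMPRESSED))    # version 3
```

The version range check is deliberately placed before header_length or any entry count is consumed: once a compressed blob is misread, every later field is attacker-controlled noise, so a cheap plausibility check on the first fields is what keeps the loop described above from starting at all.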
Test
It's unlikely that I can provide the sample, but I'll try to synthesize one.