
#592 gendef segfaults when running on OpenWatcom-built dlls

Group: v1.0 (example)
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2017-03-07
Created: 2017-03-05
Creator: Ozkan Sezer
Private: No

gendef segfaults when running on OpenWatcom-built dlls.

With something as simple as this:

$ cat 1.c
void __declspec(dllexport) foo(void) {}
$ wcc386 -bt=nt -bd -3s -q 1.c
$ wlink NAM 1.dll SYSTEM nt_dll FIL {1.o}
[...]
$ gdb --args ./gendef 1.dll
[...]
Starting program: /home/sezero/gendef/gendef 1.dll
 * [1.dll] Found PE image
 * export directory at VA = 0xb000 size=0x3e

Program received signal SIGSEGV, Segmentation fault.
0x080499ad in do_export_read (va_exp=45056, sz_exp=62, be64=0) at src/gendef.c:570
570   fndllname = strdup ((char *) map_va (exp_dir->Name));
(gdb) bt
#0  0x080499ad in do_export_read (va_exp=45056, sz_exp=62, be64=0) at src/gendef.c:570
#1  0x08049709 in do_pedef () at src/gendef.c:478
#2  0x08048df6 in main (argc=2, argv=0xbfb0e3d4) at src/gendef.c:231

The example 1.dll is attached.

Attachments: 1.dll.7z (13.8 kB; application/octet-stream)

Discussion

  • Ozkan Sezer - 2017-03-06

    Obviously map_va() returns NULL for exp_dir and exp_dir->Name
    becomes a NULL pointer dereference. Now, why do we get NULL from
    map_va()..

    Kai?

    P.S.: Curiously, the pexports tool from mingw.org works fine with these dlls.

     
  • Kai Tietz - 2017-03-06

    No idea. Sadly I don't have time to look into this. Debugging map_va doesn't reveal here anything?

     
  • Ozkan Sezer - 2017-03-07

    Kai:

    Some sections seem to have Misc.VirtualSize==0, therefore map_va()
    skips them and when there are none left it returns NULL.

    I made a patch (inlined below, also attached) so if Misc.VirtualSize
    is zero it would use SizeOfRawData instead. With this, gendef does
    not crash and generates the def.

    diff --git a/mingw-w64-tools/gendef/src/gendef.c b/mingw-w64-tools/gendef/src/gendef.c
    index d70c1ad..cc5e120 100644
    --- a/mingw-w64-tools/gendef/src/gendef.c
    +++ b/mingw-w64-tools/gendef/src/gendef.c
    @@ -432,7 +432,7 @@ static void *
     map_va (uint32_t va)
     {
       PIMAGE_SECTION_HEADER sec;
    -  uint32_t sec_cnt,i;
    +  uint32_t sec_cnt,sz,i;
       char *dptr;
    
       if (gPEDta)
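    Review bot: `sz` in `+  uint32_t sec_cnt,sz,i;` is declared at function scope but is only assigned and read inside the section loop of the next hunk, so declaring it in the loop body would tie its lifetime to the one comparison it serves. More useful to the next reader of `map_va` would be a one-line comment at the declaration stating why the fallback exists (OpenWatcom-built DLLs carrying sections with Misc.VirtualSize == 0, as the report above describes), because nothing in the code itself says so.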
    @@ -447,7 +447,9 @@ map_va (uint32_t va)
         }
       for (i = 0;i < sec_cnt;i++)
         {
    -      if (va >= sec[i].VirtualAddress && va < (sec[i].VirtualAddress+sec[i].Misc.VirtualSize))
    +      sz = sec[i].Misc.VirtualSize;
    +      if (!sz) sz = sec[i].SizeOfRawData;
    +      if (va >= sec[i].VirtualAddress && va < (sec[i].VirtualAddress+sz))
             {
               dptr = (char *) &gDta[va-sec[i].VirtualAddress+sec[i].PointerToRawData];
               return (void *)dptr; 
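    Review bot: the fallback in this hunk fixes the lookup for sections whose Misc.VirtualSize is zero, but the caller at src/gendef.c:570 (`fndllname = strdup ((char *) map_va (exp_dir->Name));` in the backtrace above) still hands a NULL result straight to strdup, so a DLL whose export-directory RVA matches no section (both sizes zero, or an inconsistent section table) will crash in exactly the same way; a NULL check at that call site that reports the bad RVA and bails out would close the remaining path. Two smaller points in the same lines: `va < (sec[i].VirtualAddress+sz)` is 32-bit arithmetic and can wrap for a header with a large VirtualAddress, which the equivalent `va - sec[i].VirtualAddress < sz` after the lower-bound test avoids; and the returned `&gDta[va-sec[i].VirtualAddress+sec[i].PointerToRawData]` is not checked against the section's SizeOfRawData or the end of gDta, so an RVA in a section's zero-filled tail (VirtualSize larger than SizeOfRawData) or in a truncated file yields a pointer outside the mapped image. Neither of those is introduced by this patch, but this is the natural place to add them.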
    

    Comments? Is the patch correct?
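To make the failure mode and the fix concrete, here is an added example in C that is not gendef's own code: a small RVA-to-file-offset lookup over a PE section table. It reproduces the pre-patch VirtualSize-only test (which returns NULL for a section with Misc.VirtualSize == 0), applies the SizeOfRawData fallback from the patch, and adds the bounds checks a parser of untrusted input needs so the result is always either a valid pointer or NULL. The struct `pe_section_t`, the functions `section_extent`, `map_va` and `lookup_dll_name`, the section table and the file image are all constructed here; the `map_va` below is a rewrite, not the one in src/gendef.c, and the sample data is not taken from the attached 1.dll.

```c
/*
 * Added example, not gendef's code. pe_section_t mirrors the field order of
 * IMAGE_SECTION_HEADER so this builds on any host. The section table and
 * file image are constructed below, not read from the attached 1.dll.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize;          /* IMAGE_SECTION_HEADER.Misc.VirtualSize */
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;
    uint32_t PointerToRawData;
    uint32_t PointerToRelocations;
    uint32_t PointerToLinenumbers;
    uint16_t NumberOfRelocations;
    uint16_t NumberOfLinenumbers;
    uint32_t Characteristics;
} pe_section_t;

/* The patch's rule: a zero VirtualSize means "use SizeOfRawData". */
static uint32_t section_extent(const pe_section_t *s)
{
    return s->VirtualSize ? s->VirtualSize : s->SizeOfRawData;
}

/*
 * Map RVA `va` to a pointer into the raw file image `img` (`img_len` bytes).
 * use_fallback == 0 reproduces the pre-patch VirtualSize-only test.
 * Returns NULL (never a pointer the caller may not dereference) when no
 * section covers `va`, when `va` lies in a section's zero-filled tail
 * beyond SizeOfRawData, or when the file offset falls outside `img`.
 */
static const uint8_t *map_va(const uint8_t *img, size_t img_len,
                             const pe_section_t *sec, uint32_t sec_cnt,
                             uint32_t va, int use_fallback)
{
    uint32_t i;
    for (i = 0; i < sec_cnt; i++) {
        uint32_t sz = use_fallback ? section_extent(&sec[i])
                                   : sec[i].VirtualSize;
        /* Compare the offset from VirtualAddress instead of computing
         * VirtualAddress + sz, so a malformed header cannot wrap. */
        if (va < sec[i].VirtualAddress)
            continue;
        uint32_t off = va - sec[i].VirtualAddress;
        if (off >= sz)
            continue;
        if (off >= sec[i].SizeOfRawData)   /* byte is not present in the file */
            return NULL;
        uint64_t file_off = (uint64_t)sec[i].PointerToRawData + off;
        if (file_off >= img_len)           /* truncated or inconsistent file */
            return NULL;
        return img + file_off;
    }
    return NULL;
}

/* Constructed section table: .edata has VirtualSize 0, like the wlink output
 * in the report; .data has a zero-filled tail (VirtualSize > SizeOfRawData). */
static const pe_section_t SAMPLE_SECTIONS[] = {
    { ".text",  0x0200, 0x1000, 0x0200, 0x0200, 0, 0, 0, 0, 0x60000020 },
    { ".data",  0x1000, 0x2000, 0x0100, 0x0400, 0, 0, 0, 0, 0xC0000040 },
    { ".edata", 0x0000, 0xb000, 0x0200, 0x0500, 0, 0, 0, 0, 0x40000040 },
};
#define SAMPLE_SEC_COUNT (sizeof SAMPLE_SECTIONS / sizeof SAMPLE_SECTIONS[0])
#define SAMPLE_IMG_LEN   0x600   /* shorter than .edata's raw end (0x700) */
static uint8_t sample_img[SAMPLE_IMG_LEN];

/* Look up an RVA in the constructed image; the export directory's Name
 * string is planted at RVA 0xb030 (file offset 0x530). */
static const char *lookup_dll_name(uint32_t name_rva, int use_fallback)
{
    memset(sample_img, 0, sizeof sample_img);
    memcpy(sample_img + 0x530, "1.dll", 6);
    return (const char *)map_va(sample_img, sizeof sample_img, SAMPLE_SECTIONS,
                                (uint32_t)SAMPLE_SEC_COUNT, name_rva, use_fallback);
}

int main(void)
{
    /* Pre-patch: .edata's VirtualSize is 0, no section matches, and gendef
     * then passed this NULL to strdup(). Patched: the fallback finds it. */
    const char *pre  = lookup_dll_name(0xb030, 0);
    const char *post = lookup_dll_name(0xb030, 1);
    printf("pre-patch: %s\n", pre  ? pre  : "NULL (unsafe to strdup)");
    printf("patched:   %s\n", post ? post : "NULL");
    /* Still NULL, by design: an RVA in .data's zero-filled tail, and one
     * whose file offset lies past the end of the image. */
    printf("tail:      %s\n", lookup_dll_name(0x2180, 1) ? "mapped" : "NULL");
    printf("truncated: %s\n", lookup_dll_name(0xb1ff, 1) ? "mapped" : "NULL");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The two extra checks (offset versus SizeOfRawData, file offset versus image length) are not part of the patch; they are what turns the "no section matched" NULL into a contract the caller can rely on, and the call site must then test for NULL before strdup instead of dereferencing the result as src/gendef.c:570 does.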

     
    • Kai Tietz - 2017-03-07

      Patch looks sensible to me. Please go ahead and apply it to master.
      I guess this fix will be something for open branches, too.

      Thanks,
      Kai

      2017-03-07 13:29 GMT+01:00 Ozkan Sezer sezero@users.sf.net:

      Attachments:

      gendef-test.patch (835 Bytes; application/octet-stream)


      [bugs:#592] gendef segfaults when running on OpenWatcom-built dlls

      Status: open
      Group: v1.0 (example)
      Created: Sun Mar 05, 2017 08:29 PM UTC by Ozkan Sezer
      Last Updated: Mon Mar 06, 2017 02:48 PM UTC
      Owner: nobody
      Attachments:

      1.dll.7z (13.8 kB; application/octet-stream)


       
  • Ozkan Sezer - 2017-03-07
    • status: open --> closed-fixed
     
  • Ozkan Sezer - 2017-03-07

    Patch applied to master and all branches. Closing as fixed.

     
