From patchwork Sun Oct 30 09:55:33 2022
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 12988
Date: Sun, 30 Oct 2022 20:25:33 +1030
To: binutils@sourceware.org
Subject: Pool section entries for DWP version 1
List-Id: Binutils mailing list
From: Alan Modra

Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3

Fuzzers have found a weakness in the code stashing pool section entries. With random nonsensical values in the index entries (rather than each index pointing to its own set distinct from other sets), it's possible to overflow the space allocated, losing the NULL terminator. Without a terminator, find_section_in_set can run off the end of the shndx_pool buffer. Fix this by scanning the pool directly.

Does anyone still have dwp version 1 files they can use to test my change?

binutils/
	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
	(end_cu_tu_entry): Likewise.
	(process_cu_tu_index): Fill shndx_pool by directly scanning pool,
	rather than indirectly from index entries.

diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index c6340a28906..7730293326a 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx) static void add_shndx_to_cu_tu_entry (unsigned int shndx) { - if (shndx_pool_used >= shndx_pool_size) - { - error (_("Internal error: out of space in the shndx pool.\n")); - return; - } shndx_pool [shndx_pool_used++] = shndx; } static void end_cu_tu_entry (void) { - if (shndx_pool_used >= shndx_pool_size) - { - error (_("Internal error: out of space in the shndx pool.\n")); - return; - } shndx_pool [shndx_pool_used++] = 0; }
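Review bot: removing the `shndx_pool_used >= shndx_pool_size` check from add_shndx_to_cu_tu_entry and end_cu_tu_entry means that any future mismatch between a caller's prealloc_cu_tu_list size and the number of entries it stores changes from a reported "Internal error: out of space in the shndx pool" into a silent out-of-bounds write on shndx_pool. The new version-1 scan in the next hunk sizes the pool exactly, so the check is redundant for that caller today, but the invariant now lives only in callers; consider keeping the check as an assertion, or at least add a comment above add_shndx_to_cu_tu_entry stating that callers must preallocate room for every entry plus the terminating 0 written by end_cu_tu_entry.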
@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) if (version == 1) { + unsigned char *shndx_list; + unsigned int shndx; + if (!do_display) - prealloc_cu_tu_list ((limit - ppool) / 4); - for (i = 0; i < nslots; i++) { - unsigned char *shndx_list; - unsigned int shndx; - - SAFE_BYTE_GET (signature, phash, 8, limit); - if (signature != 0) + prealloc_cu_tu_list ((limit - ppool) / 4); + for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4) { - SAFE_BYTE_GET (j, pindex, 4, limit); - shndx_list = ppool + j * 4; - /* PR 17531: file: 705e010d. */ - if (shndx_list < ppool) - { - warn (_("Section index pool located before start of section\n")); - return 0; - } + shndx = byte_get (shndx_list, 4); + add_shndx_to_cu_tu_entry (shndx); + } + end_cu_tu_entry (); + } + else + for (i = 0; i < nslots; i++) + { + SAFE_BYTE_GET (signature, phash, 8, limit); + if (signature != 0) + { + SAFE_BYTE_GET (j, pindex, 4, limit); + shndx_list = ppool + j * 4; + /* PR 17531: file: 705e010d. */ + if (shndx_list < ppool) + { + warn (_("Section index pool located before start of section\n")); + return 0; + } - if (do_display) printf (_(" [%3d] Signature: %#" PRIx64 " Sections: "), i, signature); - for (;;) - { - if (shndx_list >= limit) - { - warn (_("Section %s too small for shndx pool\n"), - section->name); - return 0; - } - SAFE_BYTE_GET (shndx, shndx_list, 4, limit); - if (shndx == 0) - break; - if (do_display) + for (;;) + { + if (shndx_list >= limit) + { + warn (_("Section %s too small for shndx pool\n"), + section->name); + return 0; + } + SAFE_BYTE_GET (shndx, shndx_list, 4, limit); + if (shndx == 0) + break; printf (" %d", shndx); - else - add_shndx_to_cu_tu_entry (shndx); - shndx_list += 4; - } - if (do_display) + shndx_list += 4; + } printf ("\n"); - else - end_cu_tu_entry (); - } - phash += 8; - pindex += 4; - } + } + phash += 8; + pindex += 4; + } } else if (version == 2) {
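Review bot: the capacity arithmetic in the new scan has a gap at the small end. The loop `for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)` stores (limit - ppool) / 4 - 1 entries and `end_cu_tu_entry ()` adds one more, which matches `prealloc_cu_tu_list ((limit - ppool) / 4)` exactly whenever limit - ppool is at least 4; when limit - ppool is below 4 the preallocation is 0 entries but end_cu_tu_entry () still writes the terminator, and with the range check deleted in the previous hunk nothing reports it. Unless an earlier check outside this hunk already rejects a ppool that close to limit, either skip the block when limit - ppool < 4 or preallocate one extra entry. Two smaller points: the scan starting at ppool + 4 rather than ppool deserves a comment saying what the first pool word holds and why it is skipped, and since the non-display path no longer reads the index entries at all, an index offset pointing before the pool (the PR 17531 case) in a version-1 file is now only diagnosed when do_display is set; a sentence in the commit message noting that the two modes now validate different things would help whoever bisects a later report. Using plain byte_get rather than SAFE_BYTE_GET inside the scan is fine given the `<= limit - 4` bound.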