From patchwork Tue Feb 28 00:05:45 2023
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 62197
Date: Tue, 28 Feb 2023 10:35:45 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: Add some sanity checking in ECOFF lookup_line

More anti-fuzzer bounds checking for the ECOFF support. A lot of this is in ancient code using "long" for counts and sizes, which is why the patch uses "(long) ((unsigned long) x + 1) > 0" in a few places. The unsigned long cast is so that "x + 1" doesn't trigger ubsan warnings about signed integer overflow. It would be a good idea to replace most of the longs used in binutils with size_t, but that's more than I care to do for COFF/ECOFF.

	* ecofflink.c (mk_fdrtab): Sanity check string offsets.
	(lookup_line): Likewise, and symbol indices.

diff --git a/bfd/ecofflink.c b/bfd/ecofflink.c
index e902bd51d53..422ce57f430 100644
--- a/bfd/ecofflink.c +++ b/bfd/ecofflink.c @@ -1782,8 +1782,13 @@ mk_fdrtab (bfd *abfd, sym_ptr = ((char *) debug_info->external_sym + (fdr_ptr->isymBase + 1) * debug_swap->external_sym_size); (*debug_swap->swap_sym_in) (abfd, sym_ptr, &sym); - if (strcmp (debug_info->ss + fdr_ptr->issBase + sym.iss, - STABS_SYMBOL) == 0) + if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && sym.iss >= 0 + && sym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase) + && strcmp (debug_info->ss + fdr_ptr->issBase + sym.iss, + STABS_SYMBOL) == 0) stabs = true; } @@ -1981,14 +1986,27 @@ lookup_line (bfd *abfd, char *sym_ptr; SYMR sym; - sym_ptr = ((char *) debug_info->external_sym - + (fdr_ptr->isymBase + 1) * debug_swap->external_sym_size); - (*debug_swap->swap_sym_in) (abfd, sym_ptr, &sym); - if (strcmp (debug_info->ss + fdr_ptr->issBase + sym.iss, - STABS_SYMBOL) == 0) - stabs = true; + if ((long) ((unsigned long) fdr_ptr->isymBase + 1) > 0 + && fdr_ptr->isymBase + 1 < debug_info->symbolic_header.isymMax) + { + sym_ptr = ((char *) debug_info->external_sym + + (fdr_ptr->isymBase + 1) * debug_swap->external_sym_size); + (*debug_swap->swap_sym_in) (abfd, sym_ptr, &sym); + if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && sym.iss >= 0 + && sym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase) + && strcmp (debug_info->ss + fdr_ptr->issBase + sym.iss, + STABS_SYMBOL) == 0) + stabs = true; + } } + line_info->cache.filename = NULL; + line_info->cache.functionname = NULL; + line_info->cache.line_num = 0; + if (!stabs) { bfd_size_type external_pdr_size; 
@@ -2167,38 +2185,50 @@ lookup_line (bfd *abfd, symbols, at least according to gdb/mipsread.c. */ if (fdr_ptr->rss == -1) { - line_info->cache.filename = NULL; - if (pdr.isym == -1) - line_info->cache.functionname = NULL; - else - { - EXTR proc_ext; + EXTR proc_ext; + if (pdr.isym >= 0 + && pdr.isym < debug_info->symbolic_header.iextMax) + { (*debug_swap->swap_ext_in) - (abfd, - ((char *) debug_info->external_ext - + pdr.isym * debug_swap->external_ext_size), + (abfd, ((char *) debug_info->external_ext + + pdr.isym * debug_swap->external_ext_size), &proc_ext); - line_info->cache.functionname = (debug_info->ssext - + proc_ext.asym.iss); + if (proc_ext.asym.iss >= 0 + && proc_ext.asym.iss < debug_info->symbolic_header.issExtMax) + line_info->cache.functionname = (debug_info->ssext + + proc_ext.asym.iss); } } - else + else if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && fdr_ptr->rss >= 0 + && fdr_ptr->rss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase)) { SYMR proc_sym; line_info->cache.filename = (debug_info->ss + fdr_ptr->issBase + fdr_ptr->rss); - (*debug_swap->swap_sym_in) - (abfd, - ((char *) debug_info->external_sym - + ((fdr_ptr->isymBase + pdr.isym) - * debug_swap->external_sym_size)), - &proc_sym); - line_info->cache.functionname = (debug_info->ss - + fdr_ptr->issBase - + proc_sym.iss); + if (fdr_ptr->isymBase >= 0 + && fdr_ptr->isymBase < debug_info->symbolic_header.isymMax + && pdr.isym >= 0 + && pdr.isym < (debug_info->symbolic_header.isymMax + - fdr_ptr->isymBase)) + { + (*debug_swap->swap_sym_in) + (abfd, ((char *) debug_info->external_sym + + ((fdr_ptr->isymBase + pdr.isym) + * debug_swap->external_sym_size)), + &proc_sym); + if (proc_sym.iss >= 0 + && proc_sym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase)) + line_info->cache.functionname = (debug_info->ss + + fdr_ptr->issBase + + proc_sym.iss); + } } if (lineno == ilineNil) lineno = 0; 
@@ -2230,10 +2260,6 @@ lookup_line (bfd *abfd, looking through the symbols until we find both a line number and a function name which are beyond the address we want. */ - line_info->cache.filename = NULL; - line_info->cache.functionname = NULL; - line_info->cache.line_num = 0; - directory_name = NULL; main_file_name = NULL; current_file_name = NULL; @@ -2246,9 +2272,21 @@ lookup_line (bfd *abfd, external_sym_size = debug_swap->external_sym_size; - sym_ptr = ((char *) debug_info->external_sym - + (fdr_ptr->isymBase + 2) * external_sym_size); - sym_ptr_end = sym_ptr + (fdr_ptr->csym - 2) * external_sym_size; + if (fdr_ptr->isymBase >= 0 + && fdr_ptr->isymBase < debug_info->symbolic_header.isymMax + && fdr_ptr->csym >= 2 + && fdr_ptr->csym < (debug_info->symbolic_header.isymMax + - fdr_ptr->isymBase)) + { + sym_ptr = ((char *) debug_info->external_sym + + (fdr_ptr->isymBase + 2) * external_sym_size); + sym_ptr_end = sym_ptr + (fdr_ptr->csym - 2) * external_sym_size; + } + else + { + sym_ptr = NULL; + sym_ptr_end = sym_ptr; + } for (; sym_ptr < sym_ptr_end && (! past_line || ! past_fn); sym_ptr += external_sym_size) @@ -2262,8 +2300,13 @@ lookup_line (bfd *abfd, switch (ECOFF_UNMARK_STAB (sym.index)) { case N_SO: - main_file_name = current_file_name = - debug_info->ss + fdr_ptr->issBase + sym.iss; + if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && sym.iss >= 0 + && sym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase)) + main_file_name = current_file_name + = debug_info->ss + fdr_ptr->issBase + sym.iss; /* Check the next symbol to see if it is also an N_SO symbol. */ 
@@ -2278,16 +2321,26 @@ lookup_line (bfd *abfd, && ECOFF_UNMARK_STAB (nextsym.index) == N_SO) { directory_name = current_file_name; - main_file_name = current_file_name = - debug_info->ss + fdr_ptr->issBase + nextsym.iss; + if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && nextsym.iss >= 0 + && nextsym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase)) + main_file_name = current_file_name + = debug_info->ss + fdr_ptr->issBase + nextsym.iss; sym_ptr += external_sym_size; } } break; case N_SOL: - current_file_name = - debug_info->ss + fdr_ptr->issBase + sym.iss; + if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && sym.iss >= 0 + && sym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase)) + current_file_name + = debug_info->ss + fdr_ptr->issBase + sym.iss; break; case N_FUN: @@ -2296,8 +2349,13 @@ lookup_line (bfd *abfd, else if (sym.value >= low_func_vma) { low_func_vma = sym.value; - function_name = - debug_info->ss + fdr_ptr->issBase + sym.iss; + if (fdr_ptr->issBase >= 0 + && fdr_ptr->issBase < debug_info->symbolic_header.issMax + && sym.iss >= 0 + && sym.iss < (debug_info->symbolic_header.issMax + - fdr_ptr->issBase)) + function_name + = debug_info->ss + fdr_ptr->issBase + sym.iss; } break; }
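Review bot: in the mk_fdrtab hunk (@@ -1782,8 +1782,13 @@) the new issBase/sym.iss range test guards the strcmp, but the symbol read just above it, `sym_ptr = ((char *) debug_info->external_sym + (fdr_ptr->isymBase + 1) * debug_swap->external_sym_size)`, is still unguarded, whereas the matching code in lookup_line (the @@ -1981 hunk) now wraps it in `(long) ((unsigned long) fdr_ptr->isymBase + 1) > 0 && fdr_ptr->isymBase + 1 < debug_info->symbolic_header.isymMax`. Unless isymBase is validated earlier in mk_fdrtab (not visible in this hunk), the same guard belongs here. The iss test also bounds only the start of the string; strcmp still relies on the string table ending in a NUL, which this hunk does not establish.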
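Review bot: the `(long) ((unsigned long) fdr_ptr->isymBase + 1) > 0` test in the lookup_line stabs hunk (@@ -1981,14 +1986,27 @@) is explained only in the mail body; a one-line comment at the site (the unsigned add avoids signed-overflow UB and a wrapped result fails the `> 0` test) would stop the next reader from simplifying it back to `isymBase + 1 > 0`, which is exactly what UBSan flags. Converting a value above LONG_MAX back to long is implementation-defined, so the idiom depends on the wrapping conversion GCC documents. Moving the three `line_info->cache` resets in front of `if (!stabs)` is the right fix now that the assignments below can be skipped by the new range checks.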
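Review bot: the four-clause string-offset test (`issBase >= 0 && issBase < issMax && X >= 0 && X < issMax - issBase`) appears twice in the @@ -2167,38 +2185,50 @@ hunk and in the same shape in four later hunks; a small static helper taking debug_info, the base and the offset would state the bound once and lower the odds of one copy drifting (the count-versus-index check in the @@ -2246 hunk is one such case). Behaviour-wise, when `fdr_ptr->rss` is out of range this hunk now leaves both filename and functionname as the NULLs set earlier, which looks right.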
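Review bot: the deletion in @@ -2230,10 +2260,6 @@ of the three `line_info->cache` resets is only correct because the @@ -1981 hunk re-creates them ahead of `if (!stabs)`; read on its own this hunk looks like a lost initialisation, so the ChangeLog entry for lookup_line should say that the cache reset moved earlier rather than only "Likewise, and symbol indices".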
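Review bot: in @@ -2246,9 +2272,21 @@ the condition `fdr_ptr->csym < (debug_info->symbolic_header.isymMax - fdr_ptr->isymBase)` treats csym like an index, but it is a count: the loop reads symbols isymBase + 2 .. isymBase + csym - 1, so the exact requirement is isymBase + csym <= isymMax, i.e. `fdr_ptr->csym <= (debug_info->symbolic_header.isymMax - fdr_ptr->isymBase)`. As written, an FDR whose symbols end exactly at isymMax is rejected and its file and function names are silently dropped. That errs on the safe side, but if the `nextsym` lookahead in the N_SO case is itself bounded by sym_ptr_end (not visible here), `<=` is the right bound. Setting `sym_ptr = NULL; sym_ptr_end = sym_ptr;` on failure is a clean way to skip the loop.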
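Review bot: in the N_SO case (@@ -2262,8 +2300,13 @@), when the new range check fails, `main_file_name` and `current_file_name` keep whatever an earlier N_SO set, so later N_SOL and N_FUN entries in this FDR are attributed to a stale file. Resetting both to NULL in an else branch would make a rejected offset visible instead of silently reusing the previous name, matching what the cache reset does for the caller.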
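Review bot: in the nested N_SO lookahead (@@ -2278,16 +2321,26 @@) `directory_name = current_file_name;` runs before the new check on `nextsym.iss`, so on a rejected offset directory_name and the unchanged main_file_name/current_file_name all point at the same string. Moving the `directory_name` assignment inside the guarded block keeps the directory/file split consistent; the N_SOL check in the same hunk is fine as is.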
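Review bot: in the N_FUN case (@@ -2296,8 +2349,13 @@) `low_func_vma = sym.value;` is updated before the range check on `sym.iss`, so a symbol with a bad string offset advances low_func_vma while `function_name` keeps the previous function's name, and the address can then be reported under the wrong name. Either move the `low_func_vma` update inside the guarded block so a rejected symbol is ignored entirely, or clear `function_name` in an else branch.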
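The two bounds-check shapes the patch relies on, written out as stand-alone C helpers so their edge cases can be exercised. This is an added example, not code from the patch or from binutils; the names string_offset_ok, next_index_ok, count_accepted, struct rec and the fuzz_recs table are this example's own. The check the patch applies to sym.iss, fdr_ptr->rss and proc_sym.iss is generalised here to any (base, offset) pair, and the record set is constructed to contain the values a fuzzer typically produces: a negative base, an offset one past the end, and values that would overflow a naive base + offset sum.

```c
/* Added example, not from the binutils patch: the patch's two bounds
   checks as free-standing helpers, exercised on constructed inputs.  */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors the patch's test
     issBase >= 0 && issBase < issMax && iss >= 0 && iss < issMax - issBase
   which establishes base + off < max without ever forming base + off,
   a sum that can overflow a signed long on crafted input.  Once
   0 <= base < max holds, max - base lies in (0, max], so the
   subtraction itself cannot overflow either.  */
bool string_offset_ok (long base, long off, long max)
{
  return base >= 0 && base < max && off >= 0 && off < max - base;
}

/* Mirrors "(long) ((unsigned long) x + 1) > 0 && x + 1 < max".
   The unsigned addition is defined for every x.  Converting the result
   back to long is implementation-defined in C; this example assumes
   the wrapping conversion GCC and Clang document, under which
   LONG_MAX + 1 becomes LONG_MIN and fails the "> 0" test instead of
   tripping UBSan's signed-overflow check.  x == -1 yields 0 and is
   rejected as well, so the second operand only runs for x >= 0.  */
bool next_index_ok (long x, long max)
{
  return (long) ((unsigned long) x + 1) > 0 && x + 1 < max;
}

/* A header-like (base, offset) pair, standing in for an FDR's issBase
   and a symbol's iss.  */
struct rec
{
  long base;
  long off;
};

/* Constructed sample records, including fuzzer-style values.  */
static const struct rec fuzz_recs[] = {
  { 0, 0 },          /* first byte of the table */
  { 5, 4 },          /* last valid byte when max == 10 */
  { 5, 5 },          /* one past the end */
  { -1, 1 },         /* negative base */
  { 0, LONG_MAX },   /* base + off would overflow a naive sum */
  { LONG_MAX, 1 },   /* base itself out of range */
};
#define FUZZ_RECS_COUNT ((int) (sizeof fuzz_recs / sizeof fuzz_recs[0]))

/* Count the records whose string offset is accepted for a string
   table of max bytes.  */
int count_accepted (const struct rec *recs, int n, long max)
{
  int ok = 0;
  for (int i = 0; i < n; i++)
    if (string_offset_ok (recs[i].base, recs[i].off, max))
      ok++;
  return ok;
}

int main (void)
{
  printf ("%d of %d records accepted for a 10-byte table\n",
          count_accepted (fuzz_recs, FUZZ_RECS_COUNT, 10), FUZZ_RECS_COUNT);
  printf ("next_index_ok (LONG_MAX, 10) = %d\n",
          next_index_ok (LONG_MAX, 10));
  printf ("next_index_ok (-1, 10) = %d\n", next_index_ok (-1, 10));
  return 0;
}
```

Compile with `-fsanitize=undefined` to see the point of the unsigned cast: replacing the body of next_index_ok with `x + 1 > 0 && x + 1 < max` makes the LONG_MAX probe report a signed-overflow error, while the form used here stays silent and rejects it.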