* [binutils-gdb] asan: heap buffer overflow in _bfd_mips_elf_section_from_shdr
@ 2022-06-03 14:03 Alan Modra
  0 siblings, 0 replies; only message in thread
From: Alan Modra @ 2022-06-03 14:03 UTC (permalink / raw)
  To: bfd-cvs

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3dc8d5eadaecc37722ec6979acf320cf0b969be8

commit 3dc8d5eadaecc37722ec6979acf320cf0b969be8
Author: Alan Modra <amodra@gmail.com>
Date:   Fri Jun 3 22:47:50 2022 +0930

    asan: heap buffer overflow in _bfd_mips_elf_section_from_shdr
    
            * elfxx-mips.c (_bfd_mips_elf_section_from_shdr): Sanity check
            intopt.size and remaining bytes in section for reginfo.

Diff:
---
 bfd/elfxx-mips.c | 55 ++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 32 insertions(+), 23 deletions(-)

diff --git a/bfd/elfxx-mips.c b/bfd/elfxx-mips.c
index 97a406a8d1a..e0e23926f03 100644
--- a/bfd/elfxx-mips.c
+++ b/bfd/elfxx-mips.c
@@ -7542,34 +7542,43 @@ _bfd_mips_elf_section_from_shdr (bfd *abfd,
 					&intopt);
 	  if (intopt.size < sizeof (Elf_External_Options))
 	    {
+	    bad_opt:
 	      _bfd_error_handler
 		/* xgettext:c-format */
-		(_("%pB: warning: bad `%s' option size %u smaller than"
-		   " its header"),
-		abfd, MIPS_ELF_OPTIONS_SECTION_NAME (abfd), intopt.size);
+		(_("%pB: warning: truncated `%s' option"),
+		 abfd, MIPS_ELF_OPTIONS_SECTION_NAME (abfd));
 	      break;
 	    }
-	  if (ABI_64_P (abfd) && intopt.kind == ODK_REGINFO)
-	    {
-	      Elf64_Internal_RegInfo intreg;
-
-	      bfd_mips_elf64_swap_reginfo_in
-		(abfd,
-		 ((Elf64_External_RegInfo *)
-		  (l + sizeof (Elf_External_Options))),
-		 &intreg);
-	      elf_gp (abfd) = intreg.ri_gp_value;
-	    }
-	  else if (intopt.kind == ODK_REGINFO)
+	  if (intopt.kind == ODK_REGINFO)
 	    {
-	      Elf32_RegInfo intreg;
-
-	      bfd_mips_elf32_swap_reginfo_in
-		(abfd,
-		 ((Elf32_External_RegInfo *)
-		  (l + sizeof (Elf_External_Options))),
-		 &intreg);
-	      elf_gp (abfd) = intreg.ri_gp_value;
+	      if (ABI_64_P (abfd))
+		{
+		  Elf64_Internal_RegInfo intreg;
+		  size_t needed = (sizeof (Elf_External_Options)
+				   + sizeof (Elf64_External_RegInfo));
+		  if (intopt.size < needed || (size_t) (lend - l) < needed)
+		    goto bad_opt;
+		  bfd_mips_elf64_swap_reginfo_in
+		    (abfd,
+		     ((Elf64_External_RegInfo *)
+		      (l + sizeof (Elf_External_Options))),
+		     &intreg);
+		  elf_gp (abfd) = intreg.ri_gp_value;
+		}
+	      else
+		{
+		  Elf32_RegInfo intreg;
+		  size_t needed = (sizeof (Elf_External_Options)
+				   + sizeof (Elf32_External_RegInfo));
+		  if (intopt.size < needed || (size_t) (lend - l) < needed)
+		    goto bad_opt;
+		  bfd_mips_elf32_swap_reginfo_in
+		    (abfd,
+		     ((Elf32_External_RegInfo *)
+		      (l + sizeof (Elf_External_Options))),
+		     &intreg);
+		  elf_gp (abfd) = intreg.ri_gp_value;
+		}
 	    }
 	  l += intopt.size;
 	}
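Review bot: The rewritten warning under the `bad_opt:` label no longer reports the option's size, which the replaced message carried and which is the most useful detail when diagnosing a malformed options section now that both the too-small-header case and the truncated-reginfo case share this one diagnostic; appending ` of size %u` to the format string and `, intopt.size` to the argument list would keep it, with the xgettext comment left in place. The two `needed` computations and `goto bad_opt` guards in the ABI_64_P branches differ only in the RegInfo struct size, so computing `needed` once before the branch with a conditional sizeof would remove the duplicated check. The `(size_t) (lend - l) < needed` test is sound only if the enclosing loop already keeps `l` at or below `lend`; `lend` and the loop condition are outside the hunk, so that is assumed rather than visible here. `_bfd_mips_elf_section_from_shdr` starts and ends outside the hunk.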

