[binutils-gdb] Fix illegal memory access implementing relocs in a fuzzed x86

public inbox for binutils-cvs@sourceware.org
 help / color / mirror / Atom feed

* [binutils-gdb] Fix illegal memory access implementing relocs in a fuzzed x86_64 object file.
@ 2023-06-19 11:09 Nick Clifton
  0 siblings, 0 replies; only message in thread
From: Nick Clifton @ 2023-06-19 11:09 UTC (permalink / raw)
  To: bfd-cvs

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=74d39f70cd9090ba1cdc406421480bb50a864cd2

commit 74d39f70cd9090ba1cdc406421480bb50a864cd2
Author: Nick Clifton <nickc@redhat.com>
Date:   Mon Jun 19 12:09:11 2023 +0100

    Fix illegal memory access implementing relocs in a fuzzed x86_64 object file.
    
      PR 30560
      * elf64-x86-64.c (elf_x86_64_relocate_section): Add more checks for a valid relocation offset.

Diff:
---
 bfd/ChangeLog      |  6 ++++++
 bfd/elf64-x86-64.c | 15 +++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 1f9b7ec14ba..4fed6e16874 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2023-06-19  Nick Clifton  <nickc@redhat.com>
+
+	PR 30560
+	* elf64-x86-64.c (elf_x86_64_relocate_section): Add more checks
+	for a valid relocation offset.
+
 2023-06-07  Nick Clifton  <nickc@redhat.com>
 
 	PR 30499
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index dd987ee011b..f926464d812 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -3501,6 +3501,9 @@ elf_x86_64_relocate_section (bfd *output_bfd,
 	    {
 	      bfd_vma roff = rel->r_offset;
 
+	      if (roff >= input_section->size)
+		goto corrupt_input;
+
 	      BFD_ASSERT (! unresolved_reloc);
 
 	      if (r_type == R_X86_64_TLSGD)
@@ -3541,6 +3544,8 @@ elf_x86_64_relocate_section (bfd *output_bfd,
 		  int largepic = 0;
 		  if (ABI_64_P (output_bfd))
 		    {
+		      if (roff + 5 >= input_section->size)
+			goto corrupt_input;
 		      if (contents[roff + 5] == 0xb8)
 			{
 			  if (roff < 3
@@ -3576,6 +3581,10 @@ elf_x86_64_relocate_section (bfd *output_bfd,
 			      "\x64\x8b\x04\x25\0\0\0\0\x48\x8d\x80\0\0\0",
 			      15);
 		    }
+
+		  if (roff + 8 + largepic >= input_section->size)
+		    goto corrupt_input;
+
 		  bfd_put_32 (output_bfd,
 			      elf_x86_64_tpoff (info, relocation),
 			      contents + roff + 8 + largepic);
@@ -3633,12 +3642,18 @@ elf_x86_64_relocate_section (bfd *output_bfd,
 		    }
 		  if (prefix)
 		    {
+		      if (roff + 2 >= input_section->size)
+			goto corrupt_input;
+
 		      bfd_put_8 (output_bfd, 0x0f, contents + roff);
 		      bfd_put_8 (output_bfd, 0x1f, contents + roff + 1);
 		      bfd_put_8 (output_bfd, 0x00, contents + roff + 2);
 		    }
 		  else
 		    {
+		      if (roff + 1 >= input_section->size)
+			goto corrupt_input;
+
 		      bfd_put_8 (output_bfd, 0x66, contents + roff);
 		      bfd_put_8 (output_bfd, 0x90, contents + roff + 1);
 		    }

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2023-06-19 11:09 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-19 11:09 [binutils-gdb] Fix illegal memory access implementing relocs in a fuzzed x86_64 object file Nick Clifton

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).