From: Alan Modra
To: binutils-cvs@sourceware.org
Subject: [binutils-gdb] alpha_vms_get_section_contents vs. fuzzed files
X-Act-Checkin: binutils-gdb
X-Git-Author: Alan Modra
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 170957ff9b847cf44f6121fd846f5483f2090afd
X-Git-Newrev: ee19a4725c01f4924657a1d6f09f0e4dcd6bba17
Message-Id: <20240418010232.894A53849AE5@sourceware.org>
Date: Thu, 18 Apr 2024 01:02:32 +0000 (GMT)
List-Id: 

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ee19a4725c01f4924657a1d6f09f0e4dcd6bba17

commit ee19a4725c01f4924657a1d6f09f0e4dcd6bba17
Author: Alan Modra
Date:   Wed Apr 17 18:29:19 2024 +0930

    alpha_vms_get_section_contents vs. fuzzed files

    This patch is in response to an oss-fuzz report regarding
    use-of-uninitialized-value in bfd_is_section_compressed_info from
    section contents provided by alpha_vms_get_section_contents.  That
    hole is covered by using bfd_zalloc rather than bfd_alloc.

    The rest of the patch is mostly a tidy.  In a function returning
    section contents, I tend to prefer a test on the section properties
    over a test on file properties.  That's why I've changed the file
    flags test to one on section filepos and flags before calling
    _bfd_generic_get_section_contents.  Also, fuzzed objects can easily
    have sections with file backing in relocatable objects, or sections
    without file backing in images.  Possible confusion is avoided by
    testing each section.

    Note that we are always going to run into out-of-memory with fuzzed
    alpha-vms object files due to sections with contents via ETIR
    records.  eg. ETIR__C_STO_IMMR stores a number of bytes repeatedly,
    with a 32-bit repeat count.  So section contents can be very large
    from a relatively small file.  I'm inclined to think that an
    out-of-memory error is fine for such files.

    	* vms-alpha.c (alpha_vms_get_section_contents): Handle sections
    	with non-zero filepos or without SEC_HAS_CONTENTS via
    	_bfd_generic_get_section_contents.
Zero memory allocated for sections filled by ETIR records.

Diff:
---
 bfd/vms-alpha.c | 50 ++++++++++++++++++++++++++------------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
index 6b896d0f4ee..8b5e3c21ac6 100644
--- a/bfd/vms-alpha.c
+++ b/bfd/vms-alpha.c
@@ -9834,13 +9834,16 @@ alpha_vms_get_section_contents (bfd *abfd, asection= *section,
                                 void *buf, file_ptr offset,
                                 bfd_size_type count)
 {
-  asection *sec;
-
-  /* Image are easy. */
-  if (bfd_get_file_flags (abfd) & (EXEC_P | DYNAMIC))
+  /* Handle image sections. */
+  if (section->filepos !=3D 0
+      || (section->flags & SEC_HAS_CONTENTS) =3D=3D 0)
     return _bfd_generic_get_section_contents (abfd, section, buf, offset,
                                               count);
=20
+  /* A section with a zero filepos implies the section has no direct
+     file backing. Its contents must be calculated by processing ETIR
+     records. */
+
   /* Safety check. */
   if (offset + count < count
       || offset + count > section->size)
@@ -9849,33 +9852,32 @@ alpha_vms_get_section_contents (bfd *abfd, asection= *section,
       return false;
     }
=20
-  /* If the section is already in memory, just copy it. */
-  if (section->flags & SEC_IN_MEMORY)
-    {
-      BFD_ASSERT (section->contents !=3D NULL);
-      memcpy (buf, section->contents + offset, count);
-      return true;
-    }
   if (section->size =3D=3D 0)
     return true;
=20
-  /* Alloc in memory and read ETIRs. */
-  for (sec =3D abfd->sections; sec; sec =3D sec->next)
+  /* If we haven't yet read ETIR/EDBG/ETBT records, do so. */
+  if ((section->flags & SEC_IN_MEMORY) =3D=3D 0)
     {
-      BFD_ASSERT (sec->contents =3D=3D NULL);
-
-      if (sec->size !=3D 0 && (sec->flags & SEC_HAS_CONTENTS))
+      /* Alloc memory and read ETIRs. */
+      for (asection *sec =3D abfd->sections; sec; sec =3D sec->next)
         {
-          sec->contents =3D bfd_alloc (abfd, sec->size);
-          if (sec->contents =3D=3D NULL)
-            return false;
+          if (sec->size !=3D 0
+              && sec->filepos =3D=3D 0
+              && (sec->flags & SEC_HAS_CONTENTS) !=3D 0)
+            {
+              BFD_ASSERT (sec->contents =3D=3D NULL);
+
+              sec->contents =3D bfd_zalloc (abfd, sec->size);
+              sec->flags |=3D SEC_IN_MEMORY;
+              if (sec->contents =3D=3D NULL)
+                return false;
+            }
         }
+      if (!alpha_vms_read_sections_content (abfd, NULL))
+        return false;
     }
-  if (!alpha_vms_read_sections_content (abfd, NULL))
-    return false;
-  for (sec =3D abfd->sections; sec; sec =3D sec->next)
-    if (sec->contents)
-      sec->flags |=3D SEC_IN_MEMORY;
+
+  BFD_ASSERT (section->contents !=3D NULL);
   memcpy (buf, section->contents + offset, count);
   return true;
 }
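Review bot: In the allocation loop, `sec->flags |= SEC_IN_MEMORY;` is set before `sec->contents` is checked for NULL, so when bfd_zalloc fails the section stays flagged as in-memory with no buffer; a later call for that section skips the whole read block because of the new `(section->flags & SEC_IN_MEMORY) == 0` guard, and then `BFD_ASSERT (section->contents != NULL)` — which, as far as I know, only reports and does not abort in normal builds — is followed by a memcpy from a null pointer. Swapping the two lines, `if (sec->contents == NULL) return false;` before `sec->flags |= SEC_IN_MEMORY;`, keeps a section whose allocation failed out of the in-memory state. The same concern applies, less severely, when `alpha_vms_read_sections_content` returns false: every eligible section has already been marked SEC_IN_MEMORY, so a subsequent call would hand back the zero-filled, partially populated buffers as successful contents; if callers may retry after a false return, the flag is better set only once the read has succeeded. The function's signature and the safety check are in the previous hunk.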