From: Alan Modra <amodra@sourceware.org>
To: binutils-cvs@sourceware.org
Subject: [binutils-gdb] Re: PR31692, objdump fails .debug_info size check
Date: Fri, 10 May 2024 13:47:25 +0000 (GMT) [thread overview]
Message-ID: <20240510134725.A07F03844775@sourceware.org> (raw)
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad658482c1e4feec4ac99c8e7df17ff78d0c2996
commit ad658482c1e4feec4ac99c8e7df17ff78d0c2996
Author: Alan Modra <amodra@gmail.com>
Date: Fri May 10 22:15:06 2024 +0930
Re: PR31692, objdump fails .debug_info size check
The fuzzers found a hole. bfd_section_size_insane doesn't check
!SEC_HAS_CONTENTS sections against file size for obvious reasons,
which allows fuzzed debug sections to be stupidly large. Real debug
sections of course always have contents.
PR 31692
* objdump.c (load_specific_debug_section): Don't allow sections
without contents.
Diff:
---
binutils/objdump.c | 58 +++++++++++++++++++++++++++++-------------------------
1 file changed, 31 insertions(+), 27 deletions(-)
diff --git a/binutils/objdump.c b/binutils/objdump.c
index 3d70df470f2..7182abdab98 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -4307,41 +4307,45 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
return false;
}
- section->start = contents = xmalloc (alloced);
- /* Ensure any string section has a terminating NUL. */
- section->start[section->size] = 0;
-
- if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0
- && debug_displays [debug].relocate)
- {
- ret = bfd_simple_get_relocated_section_contents (abfd,
- sec,
- section->start,
- syms) != NULL;
- if (ret)
- {
- long reloc_size = bfd_get_reloc_upper_bound (abfd, sec);
+ ret = false;
+ if ((sec->flags & SEC_HAS_CONTENTS) != 0)
+ {
+ section->start = contents = xmalloc (alloced);
+ /* Ensure any string section has a terminating NUL. */
+ section->start[section->size] = 0;
- if (reloc_size > 0)
+ if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0
+ && debug_displays [debug].relocate)
+ {
+ ret = bfd_simple_get_relocated_section_contents (abfd,
+ sec,
+ section->start,
+ syms) != NULL;
+ if (ret)
{
- long reloc_count;
- arelent **relocs;
+ long reloc_size = bfd_get_reloc_upper_bound (abfd, sec);
- relocs = (arelent **) xmalloc (reloc_size);
-
- reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, syms);
- if (reloc_count <= 0)
- free (relocs);
- else
+ if (reloc_size > 0)
{
- section->reloc_info = relocs;
- section->num_relocs = reloc_count;
+ long reloc_count;
+ arelent **relocs;
+
+ relocs = (arelent **) xmalloc (reloc_size);
+
+ reloc_count = bfd_canonicalize_reloc (abfd, sec, relocs, syms);
+ if (reloc_count <= 0)
+ free (relocs);
+ else
+ {
+ section->reloc_info = relocs;
+ section->num_relocs = reloc_count;
+ }
}
}
}
+ else
+ ret = bfd_get_full_section_contents (abfd, sec, &contents);
}
- else
- ret = bfd_get_full_section_contents (abfd, sec, &contents);
if (!ret)
{
reply other threads:[~2024-05-10 13:47 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240510134725.A07F03844775@sourceware.org \
--to=amodra@sourceware.org \
--cc=binutils-cvs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).