From: Alan Modra
To: binutils-cvs@sourceware.org
Subject: [binutils-gdb] Re: PR31692, objdump fails .debug_info size check
Date: Fri, 10 May 2024 13:47:25 +0000 (GMT)
Message-Id: <20240510134725.A07F03844775@sourceware.org>
X-Git-Author: Alan Modra
X-Git-Refname: refs/heads/master
X-Git-Oldrev: a4f76c0765a0b9c643dc91d5a398a1cd9519572b
X-Git-Newrev: ad658482c1e4feec4ac99c8e7df17ff78d0c2996

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad658482c1e4feec4ac99c8e7df17ff78d0c2996

commit ad658482c1e4feec4ac99c8e7df17ff78d0c2996
Author: Alan Modra
Date:   Fri May 10 22:15:06 2024 +0930

    Re: PR31692, objdump fails .debug_info size check

    The fuzzers found a hole.  bfd_section_size_insane doesn't check
    !SEC_HAS_CONTENTS sections against file size for obvious reasons,
    which allows fuzzed debug sections to be stupidly large.  Real debug
    sections of course always have contents.

    	PR 31692
    	* objdump.c (load_specific_debug_section): Don't allow sections
    	without contents.

Diff:
---
 binutils/objdump.c | 58 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 31 insertions(+), 27 deletions(-)

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 3d70df470f2..7182abdab98 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -4307,41 +4307,45 @@ load_specific_debug_section (enum dwarf_section_dis= play_enum debug, return false; } =20 - section->start =3D contents =3D xmalloc (alloced); - /* Ensure any string section has a terminating NUL. */ - section->start[section->size] =3D 0; - - if ((abfd->flags & (EXEC_P | DYNAMIC)) =3D=3D 0 - && debug_displays [debug].relocate) - { - ret =3D bfd_simple_get_relocated_section_contents (abfd, - sec, - section->start, - syms) !=3D NULL; - if (ret) - { - long reloc_size =3D bfd_get_reloc_upper_bound (abfd, sec); + ret =3D false; + if ((sec->flags & SEC_HAS_CONTENTS) !=3D 0) + { + section->start =3D contents =3D xmalloc (alloced); + /* Ensure any string section has a terminating NUL. */ + section->start[section->size] =3D 0; =20 - if (reloc_size > 0) + if ((abfd->flags & (EXEC_P | DYNAMIC)) =3D=3D 0 + && debug_displays [debug].relocate) + { + ret =3D bfd_simple_get_relocated_section_contents (abfd, + sec, + section->start, + syms) !=3D NULL; + if (ret) { - long reloc_count; - arelent **relocs; + long reloc_size =3D bfd_get_reloc_upper_bound (abfd, sec); =20 - relocs =3D (arelent **) xmalloc (reloc_size); - - reloc_count =3D bfd_canonicalize_reloc (abfd, sec, relocs, syms); - if (reloc_count <=3D 0) - free (relocs); - else + if (reloc_size > 0) { - section->reloc_info =3D relocs; - section->num_relocs =3D reloc_count; + long reloc_count; + arelent **relocs; + + relocs =3D (arelent **) xmalloc (reloc_size); + + reloc_count =3D bfd_canonicalize_reloc (abfd, sec, relocs, syms); + if (reloc_count <=3D 0) + free (relocs); + else + { + section->reloc_info =3D relocs; + section->num_relocs =3D reloc_count; + } } } } + else + ret =3D bfd_get_full_section_contents (abfd, sec, &contents); } - else - ret =3D bfd_get_full_section_contents (abfd, sec, &contents); =20 if (!ret) {
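Review bot: The new `if ((sec->flags & SEC_HAS_CONTENTS) != 0)` guard sits after the size sanity check and after `alloced` has been computed, so a contents-less section still goes through that work before being rejected; consider testing `SEC_HAS_CONTENTS` at the top of `load_specific_debug_section`, next to the existing early `return false;`, so the bail-out is cheap and in one place with the other rejections. Two things to confirm on the new path where `ret` is set to `false` and the `xmalloc (alloced)` is skipped: first, `contents` and `section->start` are now never assigned for such a section, so the `if (!ret)` cleanup that follows the hunk must not free or dereference them; second, the user gets no hint that the section was refused for lacking contents rather than for a read failure, so a dedicated message (or a comment on the guard pointing at PR 31692 and the `bfd_section_size_insane` gap described in the commit message) would make the intent of `ret = false;` clear to the next reader.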