Date: Thu, 19 Mar 2020 13:56:10 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: Invalid read in process_netbsd_elf_note
Message-ID: <20200319032608.GB4583@bubble.grove.modra.org>

* readelf.c (process_netbsd_elf_note): Validate descsz before accessing descdata. Formatting.

diff --git a/binutils/readelf.c b/binutils/readelf.c index a11297845e..c8ca66e52c 100644 --- a/binutils/readelf.c +++ b/binutils/readelf.c @@ -18402,15 +18402,17 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote) switch (pnote->type) { case NT_NETBSD_IDENT: + if (pnote->descsz < 1) + break; version = byte_get ((unsigned char *) pnote->descdata, sizeof (version)); if ((version / 10000) % 100) - printf (" NetBSD\t\t0x%08lx\tIDENT %u (%u.%u%s%c)\n", pnote->descsz, + printf (" NetBSD\t\t0x%08lx\tIDENT %u (%u.%u%s%c)\n", pnote->descsz, version, version / 100000000, (version / 1000000) % 100, (version / 10000) % 100 > 26 ? "Z" : "", 'A' + (version / 10000) % 26); else printf (" NetBSD\t\t0x%08lx\tIDENT %u (%u.%u.%u)\n", pnote->descsz, - version, version / 100000000, (version / 1000000) % 100, + version, version / 100000000, (version / 1000000) % 100, (version / 100) % 100); return TRUE; 
@@ -18421,6 +18423,8 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote) #ifdef NT_NETBSD_PAX case NT_NETBSD_PAX: + if (pnote->descsz < 1) + break; version = byte_get ((unsigned char *) pnote->descdata, sizeof (version)); printf (" NetBSD\t\t0x%08lx\tPaX <%s%s%s%s%s%s>\n", pnote->descsz, ((version & NT_NETBSD_PAX_MPROTECT) ? "+mprotect" : ""), @@ -18431,12 +18435,11 @@ process_netbsd_elf_note (Elf_Internal_Note * pnote) ((version & NT_NETBSD_PAX_NOASLR) ? "-ASLR" : "")); return TRUE; #endif - - default: - printf (" NetBSD\t0x%08lx\tUnknown note type: (0x%08lx)\n", pnote->descsz, - pnote->type); - return FALSE; } + + printf (" NetBSD\t0x%08lx\tUnknown note type: (0x%08lx)\n", + pnote->descsz, pnote->type); + return FALSE; } static const char * -- Alan Modra Australia Development Lab, IBM
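
Review bot: the new guard `if (pnote->descsz < 1)` in the NT_NETBSD_IDENT case of the first hunk (repeated unchanged in the NT_NETBSD_PAX case of the second hunk) only guarantees one byte of descriptor, while the next line reads `sizeof (version)` bytes with `byte_get ((unsigned char *) pnote->descdata, sizeof (version))`. A note whose descsz is at least 1 but smaller than `sizeof (version)` still passes the check and is read past the end of its descriptor. Suggest bounding against the size that is actually read, in both cases: `if (pnote->descsz < sizeof (version)) break;`.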
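
Review bot: in the last hunk, moving the "Unknown note type" printf from `default:` to after the switch means the new `break` paths for a too-short NT_NETBSD_IDENT or NT_NETBSD_PAX descriptor also land on it, so a note of a known type with a bad descsz is reported as an unknown type. Suggest printing a distinct message for the short-descriptor case before the `break` (or after the switch, keyed on the type), so a corrupt note can be told apart from an unsupported one in readelf output. With `default:` removed, a short comment above the trailing printf saying that it is reached both for unhandled types and for rejected descriptors would also help.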