public inbox for binutils@sourceware.org
* PE objdump -x
@ 2022-08-02  7:46 Alan Modra
  2022-08-02 10:46 ` Hannes Domani
  0 siblings, 1 reply; 3+ messages in thread
From: Alan Modra @ 2022-08-02  7:46 UTC (permalink / raw)
  To: binutils

objdump -x on PE executables produces lots of "xdata section corrupt"
and "corrupt unwind data" warnings, and refuses to dump that info.  It
turns out that the sanity checks were bad, not the data.  Fix them.

	* pei-x86_64.c (pex64_get_unwind_info): Correct buffer overrun
	sanity checks.
	(pex64_xdata_print_uwd_codes): Similarly.

diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
index 7d8fc8f0721..795bf66f8b4 100644
--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
@@ -109,7 +109,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
 
   memset (ui, 0, sizeof (struct pex64_unwind_info));
 
-  if (ex_dta >= ex_dta_end || ex_dta + 4 >= ex_dta_end)
+  if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end)
     return false;
 
   ui->Version = PEX64_UWI_VERSION (ex_ui->Version_Flags);
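Review bot: the first operand of the `||` on the `+` line is redundant: `ex_dta >= ex_dta_end` already implies `ex_dta + 4 > ex_dta_end`, so the test reduces to `if (ex_dta + 4 > ex_dta_end)`. Better still is `if (ex_dta_end - ex_dta < 4)`, which compares the remaining size and never forms a pointer past the end of the section contents before the comparison.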
@@ -124,13 +124,13 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
   ui->rawUnwindCodesEnd = ex_dta_end;
 
   ex_dta += ui->SizeOfBlock;
-  if (ex_dta >= ex_dta_end)
+  if (ex_dta > ex_dta_end)
     return false;
 
   switch (ui->Flags)
     {
     case UNW_FLAG_CHAININFO:
-      if (ex_dta + 12 >= ex_dta_end)
+      if (ex_dta + 12 > ex_dta_end)
 	return false;
       ui->rva_BeginAddress = bfd_get_32 (abfd, ex_dta + 0);
       ui->rva_EndAddress = bfd_get_32 (abfd, ex_dta + 4);
@@ -140,7 +140,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
     case UNW_FLAG_EHANDLER:
     case UNW_FLAG_UHANDLER:
     case UNW_FLAG_FHANDLER:
-      if (ex_dta + 4 >= ex_dta_end)
+      if (ex_dta + 4 > ex_dta_end)
 	return false;
       ui->rva_ExceptionHandler = bfd_get_32 (abfd, ex_dta);
       ui->SizeOfBlock += 4;
@@ -172,7 +172,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 
   i = 0;
 
-  if (ui->rawUnwindCodes + 1 >= ui->rawUnwindCodesEnd)
+  if (ui->rawUnwindCodes + ui->CountOfCodes * 2 > ui->rawUnwindCodesEnd)
     {
       fprintf (file, _("warning: corrupt unwind data\n"));
       return;
@@ -186,12 +186,6 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	 to decode instruction flow if outside an epilog.  */
       unsigned int func_size = rf->rva_EndAddress - rf->rva_BeginAddress;
 
-      if (ui->rawUnwindCodes + 1 + (ui->CountOfCodes * 2) >= ui->rawUnwindCodesEnd)
-	{
-	  fprintf (file, _("warning: corrupt unwind data\n"));
-	  return;
-	}
-
       fprintf (file, "\tv2 epilog (length: %02x) at pc+:",
 	       ui->rawUnwindCodes[0]);
 
@@ -215,12 +209,6 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
       fputc ('\n', file);
     }
 
-  if (ui->rawUnwindCodes + 2 + (ui->CountOfCodes * 2) >= ui->rawUnwindCodesEnd)
-    {
-      fprintf (file, _("warning: corrupt unwind data\n"));
-      return;
-    }
-
   for (; i < ui->CountOfCodes; i++)
     {
       const bfd_byte *dta = ui->rawUnwindCodes + 2 * i;
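Review bot: dropping this check is safe for the loop's own reads, since `dta = ui->rawUnwindCodes + 2 * i` with `i < ui->CountOfCodes` stays inside the range tested at the top of the function; the opcodes that consume extra slots (UWOP_ALLOC_LARGE, UWOP_SAVE_NONVOL, UWOP_SAVE_XMM128 and friends) still rely on their per-case `dta + 4` / `dta + 6` checks, which must stay.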

-- 
Alan Modra
Australia Development Lab, IBM


* Re: PE objdump -x
  2022-08-02  7:46 PE objdump -x Alan Modra
@ 2022-08-02 10:46 ` Hannes Domani
  2022-08-03  6:36   ` Alan Modra
  0 siblings, 1 reply; 3+ messages in thread
From: Hannes Domani @ 2022-08-02 10:46 UTC (permalink / raw)
  To: binutils, Alan Modra

On Tuesday, 2 August 2022 at 09:47:17 CEST, Alan Modra via Binutils <binutils@sourceware.org> wrote:

> objdump -x on PE executables produces lots of "xdata section corrupt"
> and "corrupt unwind data" warnings, and refuses to dump that info.  It
> turns out that the sanity checks were bad, not the data.  Fix them.
>
>     * pei-x86_64.c (pex64_get_unwind_info): Correct buffer overrun
>     sanity checks.
>     (pex64_xdata_print_uwd_codes): Similarly.
>
> diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
> index 7d8fc8f0721..795bf66f8b4 100644
> --- a/bfd/pei-x86_64.c
> +++ b/bfd/pei-x86_64.c
> @@ -109,7 +109,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
>
>   memset (ui, 0, sizeof (struct pex64_unwind_info));
>
> -  if (ex_dta >= ex_dta_end || ex_dta + 4 >= ex_dta_end)
> +  if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end)
>     return false;

Are both if-conditions really necessary here?


Regards
Hannes


* Re: PE objdump -x
  2022-08-02 10:46 ` Hannes Domani
@ 2022-08-03  6:36   ` Alan Modra
  0 siblings, 0 replies; 3+ messages in thread
From: Alan Modra @ 2022-08-03  6:36 UTC (permalink / raw)
  To: Hannes Domani; +Cc: binutils

On Tue, Aug 02, 2022 at 10:46:52AM +0000, Hannes Domani wrote:
> >
> > -  if (ex_dta >= ex_dta_end || ex_dta + 4 >= ex_dta_end)
> > +  if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end)
> >     return false;
> 
> Are here really both if-conditions necessary?

No, I was lazy in not cleaning that up.  All of these tests are better
written as a comparison against size remaining, due to ISO C 9899
standard 6.5.2 para 8 regarding adding a constant to a pointer:

"If both the pointer operand and the result point to elements of the
same array object, or one past the last element of the array object,
the evaluation shall not produce an overflow; otherwise, the behavior
is undefined."

So "ex_dta + 4" might be undefined behaviour, if you interpret "the
array object" in this case to be the malloc'd section contents!  This
sort of thing is quite a surprise to anyone used to the nice flat
memory models of current machines, and even with some of the weird old
machines the part of the spec I'm quoting likely doesn't apply to
malloc'd memory.  But it's easy to avoid the potential UB.

	* pei-x86_64.c (pex64_get_unwind_info): Tidy sanity checks.
	(pex64_xdata_print_uwd_codes): Likewise.

diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
index 795bf66f8b4..9d0ff81ec4b 100644
--- a/bfd/pei-x86_64.c
+++ b/bfd/pei-x86_64.c
@@ -109,7 +109,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
 
   memset (ui, 0, sizeof (struct pex64_unwind_info));
 
-  if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end)
+  if (ex_dta_end - ex_dta < 4)
     return false;
 
   ui->Version = PEX64_UWI_VERSION (ex_ui->Version_Flags);
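Review bot: `ex_dta_end - ex_dta` is a signed `ptrdiff_t`, so `< 4` also rejects the case `ex_dta > ex_dta_end` (a negative difference), which is why the old `ex_dta >= ex_dta_end` clause can go. If this expression is ever cast to `size_t` to compare against an unsigned length, the caller must guarantee `ex_dta <= ex_dta_end`, or a negative difference becomes a huge unsigned value and the read is let through.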
@@ -123,14 +123,14 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
   ui->rawUnwindCodes = ex_dta + 4;
   ui->rawUnwindCodesEnd = ex_dta_end;
 
-  ex_dta += ui->SizeOfBlock;
-  if (ex_dta > ex_dta_end)
+  if ((size_t) (ex_dta_end - ex_dta) < ui->SizeOfBlock)
     return false;
+  ex_dta += ui->SizeOfBlock;
 
   switch (ui->Flags)
     {
     case UNW_FLAG_CHAININFO:
-      if (ex_dta + 12 > ex_dta_end)
+      if (ex_dta_end - ex_dta < 12)
 	return false;
       ui->rva_BeginAddress = bfd_get_32 (abfd, ex_dta + 0);
       ui->rva_EndAddress = bfd_get_32 (abfd, ex_dta + 4);
@@ -140,7 +140,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui,
     case UNW_FLAG_EHANDLER:
     case UNW_FLAG_UHANDLER:
     case UNW_FLAG_FHANDLER:
-      if (ex_dta + 4 > ex_dta_end)
+      if (ex_dta_end - ex_dta < 4)
 	return false;
       ui->rva_ExceptionHandler = bfd_get_32 (abfd, ex_dta);
       ui->SizeOfBlock += 4;
@@ -172,7 +172,8 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 
   i = 0;
 
-  if (ui->rawUnwindCodes + ui->CountOfCodes * 2 > ui->rawUnwindCodesEnd)
+  if ((size_t) (ui->rawUnwindCodesEnd - ui->rawUnwindCodes)
+      < ui->CountOfCodes * 2)
     {
       fprintf (file, _("warning: corrupt unwind data\n"));
       return;
@@ -226,7 +227,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	case UWOP_ALLOC_LARGE:
 	  if (info == 0)
 	    {
-	      if (dta + 4 > ui->rawUnwindCodesEnd)
+	      if (ui->rawUnwindCodesEnd - dta < 4)
 		{
 		  fprintf (file, _("warning: corrupt unwind data\n"));
 		  return;
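Review bot: these per-opcode checks, here and in the following hunks, are against `ui->rawUnwindCodesEnd`, which is set to `ex_dta_end` (the end of the whole xdata section), not the end of this record's `CountOfCodes * 2` code array. That is enough to keep the read inside the buffer, but an opcode whose extra slots spill into the next function's unwind info is accepted silently; if that should be flagged as corrupt, bound `dta` by `ui->rawUnwindCodes + 2 * ui->CountOfCodes` instead.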
@@ -236,7 +237,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	    }
 	  else
 	    {
-	      if (dta + 6 > ui->rawUnwindCodesEnd)
+	      if (ui->rawUnwindCodesEnd - dta < 6)
 		{
 		  fprintf (file, _("warning: corrupt unwind data\n"));
 		  return;
@@ -261,7 +262,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_NONVOL:
-	  if (dta + 4 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 4)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -273,7 +274,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_NONVOL_FAR:
-	  if (dta + 6 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 6)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -287,7 +288,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	case UWOP_SAVE_XMM:
 	  if (ui->Version == 1)
 	    {
-	      if (dta + 4 > ui->rawUnwindCodesEnd)
+	      if (ui->rawUnwindCodesEnd - dta < 4)
 		{
 		  fprintf (file, _("warning: corrupt unwind data\n"));
 		  return;
@@ -305,7 +306,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_XMM_FAR:
-	  if (dta + 6 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 6)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -317,7 +318,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_XMM128:
-	  if (dta + 4 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 4)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;
@@ -329,7 +330,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd,
 	  break;
 
 	case UWOP_SAVE_XMM128_FAR:
-	  if (dta + 6 > ui->rawUnwindCodesEnd)
+	  if (ui->rawUnwindCodesEnd - dta < 6)
 	    {
 	      fprintf (file, _("warning: corrupt unwind data\n"));
 	      return;

-- 
Alan Modra
Australia Development Lab, IBM
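
The "compare against size remaining" style Alan describes, worked through as an added example in C (this is not binutils code and does not use its types): a parser for the fixed part of an x86-64 PE UNWIND_INFO record that never forms a pointer past the end of the buffer before checking, and that accepts a record whose last field ends exactly at the buffer end, which the original `>=` tests rejected. Field layout (3-bit version and 5-bit flags in the first byte, a 2-byte unwind code array padded to an even number of slots, then a handler RVA or a 12-byte chained entry) follows the Microsoft PE format specification; the sample buffers are constructed for this example.

```c
/* Added example, not binutils code: parse an x86-64 PE UNWIND_INFO header
   with every bounds check written as a comparison against the number of
   bytes remaining, so the pointer is only advanced after the check passes.
   Layout per the Microsoft PE format specification (an assumption of this
   example where the mailing-list thread does not show it). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UNW_FLAG_EHANDLER  1
#define UNW_FLAG_UHANDLER  2
#define UNW_FLAG_CHAININFO 4

struct unwind_info {
  unsigned version, flags, size_of_prolog, count_of_codes;
  const uint8_t *codes;   /* first 2-byte unwind code slot */
  size_t codes_len;       /* bytes from codes to the end of the buffer */
  uint32_t handler_rva;   /* valid if flags & (EHANDLER|UHANDLER) */
  uint32_t chain_begin, chain_end, chain_unwind;  /* valid if CHAININFO */
};

static uint32_t get_le32(const uint8_t *p)
{
  return (uint32_t)p[0] | (uint32_t)p[1] << 8
       | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns false when the buffer is shorter than what the header claims. */
bool parse_unwind_info(const uint8_t *p, size_t remaining, struct unwind_info *ui)
{
  memset(ui, 0, sizeof *ui);
  if (remaining < 4)                    /* fixed 4-byte header */
    return false;
  ui->version = p[0] & 7;               /* low 3 bits */
  ui->flags = p[0] >> 3;                /* high 5 bits */
  ui->size_of_prolog = p[1];
  ui->count_of_codes = p[2];            /* p[3] = frame register/offset, unused here */
  p += 4; remaining -= 4;
  ui->codes = p; ui->codes_len = remaining;

  /* Code array is padded to an even slot count. Check, then advance: the
     buggy pattern is "p += n; if (p > end)", which forms the bad pointer first. */
  size_t codes_bytes = ((ui->count_of_codes + 1) & ~1u) * 2;
  if (remaining < codes_bytes)
    return false;
  p += codes_bytes; remaining -= codes_bytes;

  if (ui->flags & UNW_FLAG_CHAININFO) {
    if (remaining < 12)                 /* chained RUNTIME_FUNCTION entry */
      return false;
    ui->chain_begin = get_le32(p);
    ui->chain_end = get_le32(p + 4);
    ui->chain_unwind = get_le32(p + 8);
  } else if (ui->flags & (UNW_FLAG_EHANDLER | UNW_FLAG_UHANDLER)) {
    if (remaining < 4)                  /* handler RVA; an exact fit must pass */
      return false;
    ui->handler_rva = get_le32(p);
  }
  return true;
}

/* Constructed sample: version 1, EHANDLER, 3 codes (padded to 4 slots),
   handler RVA 0x1000 ending exactly at the end of the buffer. */
static const uint8_t sample_ehandler[16] = {
  0x09, 0x04, 0x03, 0x00,                          /* header */
  0x04, 0x02, 0x04, 0x02, 0x04, 0x02, 0x00, 0x00,  /* 4 code slots */
  0x00, 0x10, 0x00, 0x00                           /* handler RVA */
};
/* Constructed sample: version 1, CHAININFO, no codes, chained entry. */
static const uint8_t sample_chained[16] = {
  0x21, 0x00, 0x00, 0x00,
  0x00, 0x10, 0x00, 0x00, 0x20, 0x10, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00
};

/* Exact fit: a ">=" test like the one the first patch removed rejects this. */
long demo_exact_fit(void)
{
  struct unwind_info ui;
  return parse_unwind_info(sample_ehandler, sizeof sample_ehandler, &ui)
         ? (long)ui.handler_rva : -1;
}
/* Same bytes, two short: must be rejected rather than read past the end. */
bool demo_truncated(void)
{
  struct unwind_info ui;
  return parse_unwind_info(sample_ehandler, sizeof sample_ehandler - 2, &ui);
}
/* CountOfCodes = 0xff in a 6-byte buffer: 512 code bytes claimed, 2 present. */
bool demo_huge_count(void)
{
  const uint8_t hostile[6] = { 0x01, 0x00, 0xff, 0x00, 0x00, 0x00 };
  struct unwind_info ui;
  return parse_unwind_info(hostile, sizeof hostile, &ui);
}
long demo_chained_end(void)
{
  struct unwind_info ui;
  return parse_unwind_info(sample_chained, sizeof sample_chained, &ui)
         ? (long)ui.chain_end : -1;
}

int main(void)
{
  printf("exact fit, handler RVA: %#lx\n", (unsigned long)demo_exact_fit());
  printf("truncated accepted: %d\n", demo_truncated());
  printf("huge CountOfCodes accepted: %d\n", demo_huge_count());
  printf("chained end RVA: %#lx\n", (unsigned long)demo_chained_end());
  return 0;
}
```

The `hostile` buffer is the case the first version of the patch still mishandled in principle: with `ex_dta += ui->SizeOfBlock` done before the comparison, the pointer is moved 516 bytes past a 6-byte buffer before anything looks at it; here `remaining < codes_bytes` fails first and `p` is never touched.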

