Date: Sun, 30 Oct 2022 20:25:33 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: Pool section entries for DWP version 1

Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3

Fuzzers have found a weakness in the code stashing pool section entries. With random nonsensical values in the index entries (rather than each index pointing to its own set distinct from other sets), it's possible to overflow the space allocated, losing the NULL terminator. Without a terminator, find_section_in_set can run off the end of the shndx_pool buffer. Fix this by scanning the pool directly.

Does anyone still have dwp version 1 files they can use to test my change?

binutils/
	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
	(end_cu_tu_entry): Likewise.
	(process_cu_tu_index): Fill shndx_pool by directly scanning pool,
	rather than indirectly from index entries.

diff --git a/binutils/dwarf.c b/binutils/dwarf.c index c6340a28906..7730293326a 100644 --- a/binutils/dwarf.c +++ b/binutils/dwarf.c @@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx) static void add_shndx_to_cu_tu_entry (unsigned int shndx) { - if (shndx_pool_used >= shndx_pool_size) - { - error (_("Internal error: out of space in the shndx pool.\n")); - return; - } shndx_pool [shndx_pool_used++] = shndx; } static void end_cu_tu_entry (void) { - if (shndx_pool_used >= shndx_pool_size) - { - error (_("Internal error: out of space in the shndx pool.\n")); - return; - } shndx_pool [shndx_pool_used++] = 0; } 
@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) if (version == 1) { + unsigned char *shndx_list; + unsigned int shndx; + if (!do_display) - prealloc_cu_tu_list ((limit - ppool) / 4); - for (i = 0; i < nslots; i++) { - unsigned char *shndx_list; - unsigned int shndx; - - SAFE_BYTE_GET (signature, phash, 8, limit); - if (signature != 0) + prealloc_cu_tu_list ((limit - ppool) / 4); + for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4) { - SAFE_BYTE_GET (j, pindex, 4, limit); - shndx_list = ppool + j * 4; - /* PR 17531: file: 705e010d. */ - if (shndx_list < ppool) - { - warn (_("Section index pool located before start of section\n")); - return 0; - } + shndx = byte_get (shndx_list, 4); + add_shndx_to_cu_tu_entry (shndx); + } + end_cu_tu_entry (); + } + else + for (i = 0; i < nslots; i++) + { + SAFE_BYTE_GET (signature, phash, 8, limit); + if (signature != 0) + { + SAFE_BYTE_GET (j, pindex, 4, limit); + shndx_list = ppool + j * 4; + /* PR 17531: file: 705e010d. */ + if (shndx_list < ppool) + { + warn (_("Section index pool located before start of section\n")); + return 0; + } - if (do_display) printf (_(" [%3d] Signature: %#" PRIx64 " Sections: "), i, signature); - for (;;) - { - if (shndx_list >= limit) - { - warn (_("Section %s too small for shndx pool\n"), - section->name); - return 0; - } - SAFE_BYTE_GET (shndx, shndx_list, 4, limit); - if (shndx == 0) - break; - if (do_display) + for (;;) + { + if (shndx_list >= limit) + { + warn (_("Section %s too small for shndx pool\n"), + section->name); + return 0; + } + SAFE_BYTE_GET (shndx, shndx_list, 4, limit); + if (shndx == 0) + break; printf (" %d", shndx); - else - add_shndx_to_cu_tu_entry (shndx); - shndx_list += 4; - } - if (do_display) + shndx_list += 4; + } printf ("\n"); - else - end_cu_tu_entry (); - } - phash += 8; - pindex += 4; - } + } + phash += 8; + pindex += 4; + } } else if (version == 2) { -- Alan Modra Australia Development Lab, IBM
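Review bot: in the first hunk, deleting the `shndx_pool_used >= shndx_pool_size` checks from add_shndx_to_cu_tu_entry and end_cu_tu_entry makes the pool's bounds rest entirely on the caller having sized it with prealloc_cu_tu_list to exactly the number of words it will store. That invariant now lives only in process_cu_tu_index, so it deserves a comment above these two functions (or an assert in place of the old error) stating that the caller guarantees the space; the old guard was cheap and would have turned a future miscount into a diagnosable error instead of a silent write past the buffer.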
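Review bot: the new version 1 fill loop `for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)` in the second hunk needs a comment saying why it starts at `ppool + 4` (the first pool word is skipped) and why `end_cu_tu_entry ()` is still called after it (it appends a guard zero so the stash is terminated even when the file's last set is not). The arithmetic is exact, the loop stores `(limit - ppool) / 4 - 1` words and the trailing zero brings the total to `(limit - ppool) / 4`, which matches the prealloc_cu_tu_list argument, but only when `limit - ppool >= 4`; if the pool can be shorter than that (nothing in this hunk rules it out), prealloc_cu_tu_list gets 0 and end_cu_tu_entry's unconditional store lands past the allocation, so either confirm an earlier size check covers it or bail out before the loop. Minor: the fill path reads with byte_get while the display path keeps SAFE_BYTE_GET; the loop bound is what makes the unchecked read safe, and the comment could say so.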
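A constructed model of the weakness the message describes, added here as an illustration and not code from binutils: the pool contents, index entries, set layout and all function names below are assumptions, not dwarf.c's, and it shows why aliased index entries overflow a stash sized from the pool while a direct copy with a guard zero cannot.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed DWP v1 pool: 32-bit words, word 0 reserved (zero), then
   zero-terminated sets of section indexes.  Not real dwarf.c data.  */
#define POOL_WORDS 8
static const uint32_t pool[POOL_WORDS] = { 0, 3, 4, 0, 5, 6, 7, 0 };

/* Constructed hash-table index entries (word offsets into the pool).  A sane
   file points each slot at a distinct set; here every slot aliases one set.  */
#define NSLOTS 4
static const uint32_t index_entries[NSLOTS] = { 1, 1, 1, 1 };

/* Old scheme: stash sized from the pool, filled by following index entries.
   Returns the words stored; above POOL_WORDS it overflowed, losing the end.  */
size_t words_written_via_index (void)
{
  size_t written = 0;
  for (size_t i = 0; i < NSLOTS; i++)
    {
      const uint32_t *p = pool + index_entries[i];
      for (; p < pool + POOL_WORDS && *p != 0; p++)
        written++;
      written++;  /* the set's own zero terminator */
    }
  return written;
}

/* New scheme, as the patch does it: copy pool words 1..POOL_WORDS-1 into a
   POOL_WORDS-word stash and append one guard zero, so the stash holds exactly
   the allocated count and is always terminated.  */
size_t fill_direct (uint32_t *stash, size_t stash_words)
{
  size_t used = 0;
  for (size_t w = 1; w < POOL_WORDS && used < stash_words; w++)
    stash[used++] = pool[w];
  if (used < stash_words)
    stash[used++] = 0;
  return used;
}

/* Length of the set at stash[start]; the guard zero stops the walk even when
   the file's last set carried no terminator of its own.  */
size_t set_length (const uint32_t *stash, size_t stash_words, size_t start)
{
  size_t n = 0;
  while (start + n < stash_words && stash[start + n] != 0)
    n++;
  return n;
}
```

With four slots aliasing a two-entry set, the index-driven fill would store 12 words into an 8-word stash; the direct copy stores exactly 8 and ends in zero.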