Date: Wed, 26 Oct 2022 15:38:20 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: som.c buffer overflow

Fuzzed object files can put random values in bfd_reloc->address, leading to large som_reloc_skip output.

	* som.c (som_write_fixups): Allow for maximal som_reloc_skip.

diff --git a/bfd/som.c b/bfd/som.c index 9b0a5513209..b9114e630fe 100644 --- a/bfd/som.c +++ b/bfd/som.c 
@@ -3005,10 +3005,12 @@ som_write_fixups (bfd *abfd, then dump the current buffer contents now. Also reinitialize the relocation queue. - No single BFD relocation could ever translate into more - than 100 bytes of SOM relocations (20bytes is probably the - upper limit, but leave lots of space for growth). */ - if (p - tmp_space + 100 > SOM_TMP_BUFSIZE) + A single BFD relocation would probably only ever + translate into at most 20 bytes of SOM relocations. + However with fuzzed object files and resulting silly + values for "skip" below, som_reloc_skip can emit 262 + bytes. Leave lots of space for growth. */ + if (p - tmp_space + 512 > SOM_TMP_BUFSIZE) { amt = p - tmp_space; if (bfd_bwrite ((void *) tmp_space, amt, abfd) != amt) -- Alan Modra Australia Development Lab, IBM
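Review bot: the new headroom of 512 in `if (p - tmp_space + 512 > SOM_TMP_BUFSIZE)` is a magic number whose only justification is the 262-byte figure for som_reloc_skip given in the comment; consider a named constant defined next to SOM_TMP_BUFSIZE (something like a SOM_RELOC_MAX_PER_FIXUP define, the name being a suggestion), with a static assertion that it is smaller than the buffer size, so the flush threshold and the buffer cannot drift apart in a later edit. The comment should also state how the 262 bytes are derived rather than pointing at "skip" below, which is outside this hunk, because the fix is only sound if every emitter between two flush checks stays under the headroom; any path that can append more than 512 bytes for a single BFD relocation would reintroduce the overflow this change is meant to close.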