From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) by sourceware.org (Postfix) with ESMTPS id A0DF2385742B for ; Tue, 24 May 2022 04:18:02 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org A0DF2385742B Received: by mail-pl1-x631.google.com with SMTP id n8so14843213plh.1 for ; Mon, 23 May 2022 21:18:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition; bh=QElvMZDt/MOgfNP8/+TJsq3gJjTNFK0N+gZRtDZPxb0=; b=n+Prc++mHpAU2zOgUEs7ZKR7dRMfNdWFwZJ87G3wBTGne7GSBUxk11F8LE2RoIAUH7 nNERXMOYzcpxevIRYtF1JV0cD5M62fgRT4S8EbTKJ+O81Q34WZNtr843e8ZsUZcDtr0l GS+GwXIoLnSDRSGExIF049W265jvBu20aC3j23fPgV06fliPHNZLm1TF/WR6cZZOC1XK ec4cc5yEQ9mDOnYY7pAMko/gXoFMBYFYPKYny6E4f+oinnZ9EZLIDMikNaQYmyvJNAaG 4ac+wtLfLQCdq69VmZ+2sWXOLAS+M9oqpRnXuh0sHZKogDaeywXrsKtnIvT7rBWC85DY A+Pw== X-Gm-Message-State: AOAM531VvjfU2kJiOrBaseyT9I3yBN1WJc1GeAg2e4GVoLTspgv2sLTM kfkTP5KZ+kc43xtVND3aJASJOZHMJ2g= X-Google-Smtp-Source: ABdhPJwhcEZg2MFWsD69zvS5/cG/HgB45ByfUsq7lDIp+caKeDY7O2olsD3AKLVNvym38NtzYAyI9Q== X-Received: by 2002:a17:90b:1201:b0:1df:ab42:c885 with SMTP id gl1-20020a17090b120100b001dfab42c885mr2557164pjb.223.1653365881204; Mon, 23 May 2022 21:18:01 -0700 (PDT) Received: from squeak.grove.modra.org ([2406:3400:51d:8cc0:8373:2d95:0:d7a9]) by smtp.gmail.com with ESMTPSA id d10-20020a62f80a000000b0050e0a43712esm7988425pfh.63.2022.05.23.21.17.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 21:17:59 -0700 (PDT) Received: by squeak.grove.modra.org (Postfix, from userid 1000) id 22B5E1140124; Tue, 24 May 2022 13:47:57 +0930 (ACST) Date: Tue, 24 May 2022 13:47:57 +0930 
From: Alan Modra To: binutils@sourceware.org Subject: PR29169, invalid read displaying fuzzed .gdb_index Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Spam-Status: No, score=-3036.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: binutils@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Binutils mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 May 2022 04:18:04 -0000 PR 29169 * dwarf.c (display_gdb_index): Combine sanity checks. Calculate element counts, not word counts.
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 7de6f28161f..c855972a12f 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -10406,7 +10406,7 @@ display_gdb_index (struct dwarf_section *section,
   uint32_t cu_list_offset, tu_list_offset;
   uint32_t address_table_offset, symbol_table_offset, constant_pool_offset;
   unsigned int cu_list_elements, tu_list_elements;
-  unsigned int address_table_size, symbol_table_slots;
+  unsigned int address_table_elements, symbol_table_slots;
   unsigned char *cu_list, *tu_list;
   unsigned char *address_table, *symbol_table, *constant_pool;
   unsigned int i;
@@ -10454,48 +10454,19 @@ display_gdb_index (struct dwarf_section *section, || tu_list_offset > section->size || address_table_offset > section->size || symbol_table_offset > section->size - || constant_pool_offset > section->size) + || constant_pool_offset > section->size + || tu_list_offset < cu_list_offset + || address_table_offset < tu_list_offset + || symbol_table_offset < address_table_offset + || constant_pool_offset < symbol_table_offset) { warn (_("Corrupt header in the %s section.\n"), section->name); return 0; } - /* PR 17531: file: 418d0a8a. */ - if (tu_list_offset < cu_list_offset) - { - warn (_("TU offset (%x) is less than CU offset (%x)\n"), - tu_list_offset, cu_list_offset); - return 0; - } - - cu_list_elements = (tu_list_offset - cu_list_offset) / 8; - - if (address_table_offset < tu_list_offset) - { - warn (_("Address table offset (%x) is less than TU offset (%x)\n"), - address_table_offset, tu_list_offset); - return 0; - } - - tu_list_elements = (address_table_offset - tu_list_offset) / 8; - - /* PR 17531: file: 18a47d3d. */ - if (symbol_table_offset < address_table_offset) - { - warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"), - symbol_table_offset, address_table_offset); - return 0; - } - - address_table_size = symbol_table_offset - address_table_offset; - - if (constant_pool_offset < symbol_table_offset) - { - warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"), - constant_pool_offset, symbol_table_offset); - return 0; - } - + cu_list_elements = (tu_list_offset - cu_list_offset) / 16; + tu_list_elements = (address_table_offset - tu_list_offset) / 24; + address_table_elements = (symbol_table_offset - address_table_offset) / 20; symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8; cu_list = start + cu_list_offset; 
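Review bot: The new element counts are formed by truncating division (`/ 16`, `/ 24`, `/ 20`, `/ 8`), so a table whose byte length is not a whole number of entries is displayed with its trailing bytes silently dropped, even though the header offsets come straight from the (possibly fuzzed) section and this function already warns on other header inconsistencies. A check per table along the lines of `if ((tu_list_offset - cu_list_offset) % 16 != 0) warn (_("CU list size is not a multiple of the CU entry size\n"));` (message constructed here) would make such corruption visible instead of quietly accepted. The same literals recur as loop strides in the CU, TU and address-table loops of the later hunks; defining them once, e.g. `enum { CU_ENTRY_SIZE = 16, TU_ENTRY_SIZE = 24, ADDR_ENTRY_SIZE = 20, SYMBOL_SLOT_SIZE = 8 }` (names constructed here), would keep the count and the stride from drifting apart. display_gdb_index begins before this hunk and continues after it.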
@@ -10504,31 +10475,25 @@ display_gdb_index (struct dwarf_section *section, symbol_table = start + symbol_table_offset; constant_pool = start + constant_pool_offset; - if (address_table_offset + address_table_size > section->size) - { - warn (_("Address table extends beyond end of section.\n")); - return 0; - } - printf (_("\nCU table:\n")); - for (i = 0; i < cu_list_elements; i += 2) + for (i = 0; i < cu_list_elements; i++) { - uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8); - uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8); + uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8); + uint64_t cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8); - printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2, + printf (_("[%3u] 0x%lx - 0x%lx\n"), i, (unsigned long) cu_offset, (unsigned long) (cu_offset + cu_length - 1)); } printf (_("\nTU table:\n")); - for (i = 0; i < tu_list_elements; i += 3) + for (i = 0; i < tu_list_elements; i++) { - uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8); - uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8); - uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8); + uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8); + uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8); + uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8); - printf (_("[%3u] 0x%lx 0x%lx "), i / 3, + printf (_("[%3u] 0x%lx 0x%lx "), i, (unsigned long) tu_offset, (unsigned long) type_offset); print_dwarf_vma (signature, 8); 
@@ -10536,12 +10501,11 @@ display_gdb_index (struct dwarf_section *section,
     }
 
   printf (_("\nAddress table:\n"));
-  for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4);
-       i += 2 * 8 + 4)
+  for (i = 0; i < address_table_elements; i++)
     {
-      uint64_t low = byte_get_little_endian (address_table + i, 8);
-      uint64_t high = byte_get_little_endian (address_table + i + 8, 8);
-      uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4);
+      uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
+      uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
+      uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
 
       print_dwarf_vma (low, 8);
       print_dwarf_vma (high, 8);
-- Alan Modra Australia Development Lab, IBM
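Review bot: The `cu_index` read in the address-table loop uses `address_table + i + 20 + 16`, which does not scale by the 20-byte entry size the way the `low` and `high` reads on the two lines above do; for i = 0 it reads bytes 36..39 of the table rather than 16..19, so every printed CU index is wrong, and for the last entries the read lands past the end of the address table and, if little follows it in the section, plausibly past section->size — the very class of invalid read this patch sets out to remove. The line should be `uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4);`. Since `address_table_elements` is computed with `/ 20` in an earlier hunk, deriving both the divisor and this stride from one named constant would have made the mismatch harder to write. The loop body continues past this hunk.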