Date: Wed, 3 Aug 2022 16:06:47 +0930
From: Alan Modra
To: Hannes Domani
Cc: "binutils@sourceware.org"
Subject: Re: PE objdump -x
Message-ID:
References: <45264354.7432971.1659437212970@mail.yahoo.com>
In-Reply-To: <45264354.7432971.1659437212970@mail.yahoo.com>

On Tue, Aug 02, 2022 at 10:46:52AM +0000, Hannes Domani wrote:
> >
> > -  if (ex_dta >= ex_dta_end || ex_dta + 4 >= ex_dta_end)
> > +  if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end)
> >     return false;
>
> Are here really both if-conditions necessary?

No, I was lazy in not cleaning that up.

All of these tests are better written as a comparison against size remaining, due to ISO C 9899 standard 6.5.2 para 8 regarding adding a constant to a pointer:

"If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined."

So "ex_dta + 4" might be undefined behaviour, if you interpret "the array object" in this case to be the malloc'd section contents! This sort of thing is quite a surprise to anyone used to the nice flat memory models of current machines, and even with some of the weird old machines the part of the spec I'm quoting likely doesn't apply to malloc'd memory. But it's easy to avoid the potential UB.
* pei-x86_64.c (pex64_get_unwind_info): Tidy sanity checks. (pex64_xdata_print_uwd_codes): Likewise. diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c index 795bf66f8b4..9d0ff81ec4b 100644 --- a/bfd/pei-x86_64.c +++ b/bfd/pei-x86_64.c @@ -109,7 +109,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui, memset (ui, 0, sizeof (struct pex64_unwind_info)); - if (ex_dta >= ex_dta_end || ex_dta + 4 > ex_dta_end) + if (ex_dta_end - ex_dta < 4) return false; ui->Version = PEX64_UWI_VERSION (ex_ui->Version_Flags); @@ -123,14 +123,14 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui, ui->rawUnwindCodes = ex_dta + 4; ui->rawUnwindCodesEnd = ex_dta_end; - ex_dta += ui->SizeOfBlock; - if (ex_dta > ex_dta_end) + if ((size_t) (ex_dta_end - ex_dta) < ui->SizeOfBlock) return false; + ex_dta += ui->SizeOfBlock; switch (ui->Flags) { case UNW_FLAG_CHAININFO: - if (ex_dta + 12 > ex_dta_end) + if (ex_dta_end - ex_dta < 12) return false; ui->rva_BeginAddress = bfd_get_32 (abfd, ex_dta + 0); ui->rva_EndAddress = bfd_get_32 (abfd, ex_dta + 4); @@ -140,7 +140,7 @@ pex64_get_unwind_info (bfd *abfd, struct pex64_unwind_info *ui, case UNW_FLAG_EHANDLER: case UNW_FLAG_UHANDLER: case UNW_FLAG_FHANDLER: - if (ex_dta + 4 > ex_dta_end) + if (ex_dta_end - ex_dta < 4) return false; ui->rva_ExceptionHandler = bfd_get_32 (abfd, ex_dta); ui->SizeOfBlock += 4; @@ -172,7 +172,8 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, i = 0; - if (ui->rawUnwindCodes + ui->CountOfCodes * 2 > ui->rawUnwindCodesEnd) + if ((size_t) (ui->rawUnwindCodesEnd - ui->rawUnwindCodes) + < ui->CountOfCodes * 2) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -226,7 +227,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, case UWOP_ALLOC_LARGE: if (info == 0) { - if (dta + 4 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 4) { fprintf (file, _("warning: corrupt unwind data\n")); return; 
@@ -236,7 +237,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, } else { - if (dta + 6 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 6) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -261,7 +262,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, break; case UWOP_SAVE_NONVOL: - if (dta + 4 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 4) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -273,7 +274,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, break; case UWOP_SAVE_NONVOL_FAR: - if (dta + 6 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 6) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -287,7 +288,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, case UWOP_SAVE_XMM: if (ui->Version == 1) { - if (dta + 4 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 4) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -305,7 +306,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, break; case UWOP_SAVE_XMM_FAR: - if (dta + 6 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 6) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -317,7 +318,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, break; case UWOP_SAVE_XMM128: - if (dta + 4 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 4) { fprintf (file, _("warning: corrupt unwind data\n")); return; @@ -329,7 +330,7 @@ pex64_xdata_print_uwd_codes (FILE *file, bfd *abfd, break; case UWOP_SAVE_XMM128_FAR: - if (dta + 6 > ui->rawUnwindCodesEnd) + if (ui->rawUnwindCodesEnd - dta < 6) { fprintf (file, _("warning: corrupt unwind data\n")); return; -- Alan Modra Australia Development Lab, IBM
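Review bot: in the second hunk of pex64_get_unwind_info, the cast in `if ((size_t) (ex_dta_end - ex_dta) < ui->SizeOfBlock)` is only safe because the check a few lines earlier (`if (ex_dta_end - ex_dta < 4)`) has already established that the difference is non-negative; a negative ptrdiff_t cast to size_t becomes a huge value and the test would silently pass. A one-line comment at the cast saying it relies on that earlier check would protect against a later edit separating the two. Moving the check ahead of `ex_dta += ui->SizeOfBlock;` is the right ordering, since the old code formed the possibly out-of-range pointer before testing it, which is exactly the undefined behaviour the cover note describes.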
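Review bot: the same cast caveat applies to the first hunk of pex64_xdata_print_uwd_codes, `(size_t) (ui->rawUnwindCodesEnd - ui->rawUnwindCodes) < ui->CountOfCodes * 2`: the difference is non-negative only because pex64_get_unwind_info set `ui->rawUnwindCodes = ex_dta + 4` after confirming at least 4 bytes remained, so this function now depends on `ui` having been filled in by that path. `ui->CountOfCodes * 2` is evaluated in int and converted to size_t for the comparison, which is fine as long as CountOfCodes cannot be negative; if it is anything other than an unsigned byte-sized field, a comment or an explicit `(size_t)` on that side too would make the intent clear.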
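Review bot: the per-opcode hunks (UWOP_ALLOC_LARGE through UWOP_SAVE_XMM128_FAR) compare the ptrdiff_t `ui->rawUnwindCodesEnd - dta` against an int constant with no cast, so a `dta` that has run past the end yields a negative difference and correctly fails; that is consistent with the `ex_dta_end - ex_dta < 4` form in the first hunk and is the safer of the two styles. Style point only: the three-line `fprintf (file, _("warning: corrupt unwind data\n")); return;` block is now repeated with only the `4`/`6` constant differing, and a small `need (n)` helper or macro at the top of the switch would cut the repetition, though that is beyond a tidy-up of the sanity checks.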
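Added example, not bfd code and not part of Alan Modra's patch: a small C parser for a constructed record layout loosely modelled on the PE x64 unwind info the patched functions read, written with the "bytes remaining" checks the patch adopts instead of pointer-plus-constant comparisons. The struct, byte layout, flag bit, sample records and every `demo_*` name are assumptions made for this example. It shows both forms from the patch side by side: the signed `end - p < n` comparison for constant sizes, and the `(size_t)` cast needed when the required size is an unsigned field, which is only safe after an earlier check has made the difference non-negative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical; not bfd's struct pex64_unwind_info):
     byte 0 : version (low 3 bits) and flags (high 5 bits)
     byte 1 : prolog size (unused here)
     byte 2 : count of 2-byte unwind codes
     byte 3 : frame register / offset (unused here)
     then   : count * 2 bytes of unwind codes
     then   : 4-byte little-endian handler RVA, only if flag bit 0 is set  */
struct demo_unwind {
  unsigned version;
  unsigned flags;
  unsigned count_of_codes;
  uint32_t handler_rva;
  size_t size_of_block;          /* bytes consumed from the record start */
};

static uint32_t demo_get_le32 (const unsigned char *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

/* Parse [p, end).  Every read is preceded by a "bytes remaining" check, so no
   pointer past `end' is ever formed.  Returns false on a truncated record.  */
bool demo_parse_unwind (const unsigned char *p, const unsigned char *end,
                        struct demo_unwind *ui)
{
  memset (ui, 0, sizeof *ui);

  /* end - p is ptrdiff_t (signed): a caller handing us end < p gets a
     negative difference, which also fails the < 4 test.  */
  if (end - p < 4)
    return false;
  ui->version = p[0] & 7;
  ui->flags = p[0] >> 3;
  ui->count_of_codes = p[2];
  ui->size_of_block = 4 + (size_t) ui->count_of_codes * 2;

  /* size_of_block is unsigned, so the difference is cast to size_t for the
     comparison.  The cast is safe only because the check above guarantees
     end - p >= 4 here; a negative difference cast to size_t would be huge
     and would silently pass.  */
  if ((size_t) (end - p) < ui->size_of_block)
    return false;
  p += ui->size_of_block;

  if (ui->flags & 1)               /* constructed "handler present" bit */
    {
      if (end - p < 4)
        return false;
      ui->handler_rva = demo_get_le32 (p);
      ui->size_of_block += 4;
    }
  return true;
}

/* Constructed sample records.  */
const unsigned char demo_with_handler[] = {
  0x09, 0x00, 0x01, 0x00,          /* version 1, flags 1, one code */
  0x02, 0x00,                      /* the single unwind code */
  0x78, 0x56, 0x34, 0x12           /* handler RVA 0x12345678 */
};
const size_t demo_with_handler_len = sizeof demo_with_handler;

const unsigned char demo_no_handler[] = {
  0x01, 0x00, 0x02, 0x00,          /* version 1, flags 0, two codes */
  0xaa, 0xbb, 0xcc, 0xdd
};
const size_t demo_no_handler_len = sizeof demo_no_handler;

/* Convenience wrappers: parse the first `len' bytes of `buf'.  */
int demo_parse_ok (const unsigned char *buf, size_t len)
{
  struct demo_unwind ui;
  return demo_parse_unwind (buf, buf + len, &ui) ? 1 : 0;
}

uint32_t demo_handler_rva (const unsigned char *buf, size_t len)
{
  struct demo_unwind ui;
  return demo_parse_unwind (buf, buf + len, &ui) ? ui.handler_rva : 0;
}

size_t demo_block_size (const unsigned char *buf, size_t len)
{
  struct demo_unwind ui;
  return demo_parse_unwind (buf, buf + len, &ui) ? ui.size_of_block : 0;
}

int main (void)
{
  /* Shrink the record one byte at a time and watch the checks reject it.  */
  for (size_t len = demo_with_handler_len; len > 0; len--)
    printf ("%zu bytes: %s\n", len,
            demo_parse_ok (demo_with_handler, len) ? "ok" : "truncated");
  return 0;
}
```

The order of the two statements around the unsigned check mirrors the patch's second hunk: test the remaining length first, then advance `p`, so that a hostile `count_of_codes` never produces a pointer beyond the buffer even transiently.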