Date: Fri, 7 Oct 2022 13:39:59 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: PR29653, objcopy/strip: fuzzed small input file induces large output file

_bfd_check_format functions should not print errors or warnings if they
return NULL.  A NULL return means the particular target under test does
not match, so there isn't any reason to make a complaint about the
target.  In fact there isn't a good reason to warn even if the target
matches, except via the _bfd_per_xvec_warn mechanism; some other target
might be a better match.

This patch tidies pe_bfd_object_p with the above in mind, and restricts
the PE optional header SectionAlignment and FileAlignment fields
somewhat.  I chose to warn on nonsense values rather than refusing to
match.  Refusing to match would be OK too.

	PR 29653
	* peXXigen.c (_bfd_XXi_swap_aouthdr_in): Don't emit error about
	invalid NumberOfRvaAndSizes here.  Limit loop copying data directory
	to IMAGE_NUMBEROF_DIRECTORY_ENTRIES.
	* peicode.h (pe_bfd_object_p): Don't clear and test bfd_error around
	bfd_coff_swap_aouthdr_in.  Warn on invalid SectionAlignment,
	FileAlignment and NumberOfRvaAndSizes.  Don't return NULL on invalid
	NumberOfRvaAndSizes.

diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c
index a7b85713023..e74ed3968a2 100644
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -517,45 +517,26 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, a->LoaderFlags = H_GET_32 (abfd, src->LoaderFlags); a->NumberOfRvaAndSizes = H_GET_32 (abfd, src->NumberOfRvaAndSizes); - { - unsigned idx; - - /* PR 17512: Corrupt PE binaries can cause seg-faults. */ - if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) - { - /* xgettext:c-format */ - _bfd_error_handler - (_("%pB: aout header specifies an invalid number of" - " data-directory entries: %u"), abfd, a->NumberOfRvaAndSizes); - bfd_set_error (bfd_error_bad_value); - - /* Paranoia: If the number is corrupt, then assume that the - actual entries themselves might be corrupt as well. */ - a->NumberOfRvaAndSizes = 0; - } - - for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) - { - /* If data directory is empty, rva also should be 0. */ - int size = - H_GET_32 (abfd, src->DataDirectory[idx][1]); - - a->DataDirectory[idx].Size = size; + /* PR 17512: Don't blindly trust NumberOfRvaAndSizes. */ + unsigned idx; + for (idx = 0; + idx < a->NumberOfRvaAndSizes && idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES; + idx++) + { + /* If data directory is empty, rva also should be 0. */ + int size = H_GET_32 (abfd, src->DataDirectory[idx][1]); + int vma = size ? H_GET_32 (abfd, src->DataDirectory[idx][0]) : 0; - if (size) - a->DataDirectory[idx].VirtualAddress = - H_GET_32 (abfd, src->DataDirectory[idx][0]); - else - a->DataDirectory[idx].VirtualAddress = 0; - } + a->DataDirectory[idx].Size = size; + a->DataDirectory[idx].VirtualAddress = vma; + } - while (idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES) - { - a->DataDirectory[idx].Size = 0; - a->DataDirectory[idx].VirtualAddress = 0; - idx ++; - } - } + while (idx < IMAGE_NUMBEROF_DIRECTORY_ENTRIES) + { + a->DataDirectory[idx].Size = 0; + a->DataDirectory[idx].VirtualAddress = 0; + idx++; + } if (aouthdr_int->entry) { diff --git a/bfd/peicode.h b/bfd/peicode.h index 54a159f0962..3888dd47cc6 100644 --- a/bfd/peicode.h +++ b/bfd/peicode.h 
@@ -1519,19 +1519,41 @@ pe_bfd_object_p (bfd * abfd) if (amt > opt_hdr_size) memset (opthdr + opt_hdr_size, 0, amt - opt_hdr_size); - bfd_set_error (bfd_error_no_error); - bfd_coff_swap_aouthdr_in (abfd, opthdr, & internal_a); - if (bfd_get_error () != bfd_error_no_error) - return NULL; - } + bfd_coff_swap_aouthdr_in (abfd, opthdr, &internal_a); + + struct internal_extra_pe_aouthdr *a = &internal_a.pe; + if ((a->SectionAlignment & -a->SectionAlignment) != a->SectionAlignment + || a->SectionAlignment >= 0x80000000) + { + const char **warn = _bfd_per_xvec_warn (abfd->xvec); + *warn = _("%pB: adjusting invalid SectionAlignment"); + a->SectionAlignment &= -a->SectionAlignment; + if (a->SectionAlignment >= 0x80000000) + a->SectionAlignment = 0x40000000; + } + + if ((a->FileAlignment & -a->FileAlignment) != a->FileAlignment + || a->FileAlignment > a->SectionAlignment) + { + const char **warn = _bfd_per_xvec_warn (abfd->xvec); + *warn = _("%pB: adjusting invalid FileAlignment"); + a->FileAlignment &= -a->FileAlignment; + if (a->FileAlignment > a->SectionAlignment) + a->FileAlignment = a->SectionAlignment; + } + if (a->NumberOfRvaAndSizes > IMAGE_NUMBEROF_DIRECTORY_ENTRIES) + { + const char **warn = _bfd_per_xvec_warn (abfd->xvec); + *warn = _("%pB: invalid NumberOfRvaAndSizes"); + } + } result = coff_real_object_p (abfd, internal_f.f_nscns, &internal_f, (opt_hdr_size != 0 ? &internal_a : (struct internal_aouthdr *) NULL)); - if (result) { /* Now the whole header has been processed, see if there is a build-id */ -- Alan Modra Australia Development Lab, IBM
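Review bot: in the peXXigen.c hunk, the rewritten copy loop's `int vma = size ? H_GET_32 (abfd, src->DataDirectory[idx][0]) : 0;` passes the 32-bit RVA through a signed int before it is stored in `a->DataDirectory[idx].VirtualAddress`, whereas the removed code assigned the H_GET_32 result to the field directly. If VirtualAddress is wider than 32 bits, an RVA with bit 31 set now sign-extends to a huge value; declare `vma` with the field's own type, or keep the direct assignment. Separately, the removed block reset `a->NumberOfRvaAndSizes` to 0 when it exceeded IMAGE_NUMBEROF_DIRECTORY_ENTRIES; the new loop bounds itself but leaves the oversized count in the header struct for anything that reads the field later, so consider `a->NumberOfRvaAndSizes = idx;` right after the first loop (idx is then the smaller of the count and IMAGE_NUMBEROF_DIRECTORY_ENTRIES) and say in a comment that the field is now clamped rather than zeroed.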
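Review bot: in the peicode.h hunk, the power-of-two test `(a->SectionAlignment & -a->SectionAlignment) != a->SectionAlignment` accepts 0, since `0 & -0 == 0`, so a zero SectionAlignment passes without a warning and stays 0; the same holds for FileAlignment, and with SectionAlignment == 0 the `a->FileAlignment > a->SectionAlignment` branch then clamps FileAlignment to 0 as well. If a zero alignment is not something the later code is prepared for, add `a->SectionAlignment == 0` (and the FileAlignment equivalent) to the conditions and substitute a sane default in the fix-up. Also, each of the three blocks fetches `_bfd_per_xvec_warn (abfd->xvec)` and overwrites `*warn`, so a file with both alignments bad and an oversized NumberOfRvaAndSizes reports only the last message; if one warning per xvec is the intended limit, a comment saying so would help.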