Date: Wed, 30 Aug 2023 10:33:13 +0930
From: Alan Modra
To: Jeff Law
Cc: binutils@sourceware.org
Subject: Re: som: buffer overflow writing strings
References: <9fa664a4-beb1-c5bf-74f5-3c3088101412@gmail.com>
In-Reply-To: <9fa664a4-beb1-c5bf-74f5-3c3088101412@gmail.com>

On Tue, Aug 29, 2023 at 12:32:20PM -0600, Jeff Law wrote:
>
>
> On 8/25/23 00:33, Alan Modra via Binutils wrote:
> > Code in som_write_symbol_strings neglected to allow for padding, which
> > can result in a buffer overflow.  It also used xrealloc, which we're
> > not supposed to use in libbfd because libbfd isn't supposed to call
> > exit.  Also a realloc is perhaps not a good idea when none of the
> > buffer contents are needed, so replace with free, bfd_malloc.  There
> > were three copies of the string handling code, so rather than fix them
> > all I've extracted them to a function.  This necessitated making one
> > of the fields in struct som_symbol unsigned.
> >
> > 	* som.c (add_string): New function.
> > 	(som_write_space_strings, som_write_symbol_strings): Use it.
> > 	* som.h (som_symbol_type ): Make unsigned.
> Thanks for fixing this.  Amazing how this problem slipped through as long as
> it did.  Of course SOM died ~20+ years ago, so that may explain how the bug
> has survived so long.

I suspect the bug could only be tickled by fuzzed object files.  Most
of the bugs reported by projects like oss-fuzz against old binutils
code are like that.  i.e. fixing them doesn't really improve anything
for users, except for people who are silly enough to run any of the
binutils as root outside of a sandbox, on random executables they
might have downloaded from evil-hacker-site.

> One could certainly argue about how useful being able to write object files
> for a dead format on a dead architecture is.  I wouldn't lose any sleep if
> SOM quietly went away.

Yeah, but this sort of fix isn't difficult at all.  On the other hand,
I refuse to look at fuzzed input for the assembler any more.

-- 
Alan Modra
Australia Development Lab, IBM
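The bug class in the quoted commit message (a room check that budgets for the string but not for the alignment padding written after it) as an added, self-contained illustration; this is not binutils' own add_string, and the entry layout it assumes (4-byte big-endian length, string, NUL, zero padding to a 4-byte boundary) is an assumption, not taken from the mail.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical string-table writer, not binutils code.  Assumed entry
 * layout: 4-byte big-endian length, the string bytes, a NUL, then zero
 * padding up to the next 4-byte boundary. */

/* Bytes an entry really occupies once padding is included. */
size_t entry_size(size_t len)
{
  return (4 + len + 1 + 3) & ~(size_t)3;
}

/* Room check of the kind the mail describes as buggy: it budgets for the
 * length word, the string and its NUL, but not for the padding that is
 * written afterwards, so a write can run up to 3 bytes past the buffer. */
int buggy_room_ok(size_t used, size_t len, size_t size)
{
  return used + 4 + len + 1 <= size;
}

/* Corrected check: budget the padded entry size. */
int fixed_room_ok(size_t used, size_t len, size_t size)
{
  return used + entry_size(len) <= size;
}

/* Append NAME to a caller-owned table of SIZE bytes, refusing rather than
 * overflowing.  Returns the entry's offset, or -1 when it does not fit. */
long add_string(unsigned char *buf, size_t size, size_t *used, const char *name)
{
  size_t len = strlen(name);
  size_t need = entry_size(len);
  unsigned char *p;

  if (!fixed_room_ok(*used, len, size))
    return -1;
  p = buf + *used;
  p[0] = (unsigned char)(len >> 24);
  p[1] = (unsigned char)(len >> 16);
  p[2] = (unsigned char)(len >> 8);
  p[3] = (unsigned char)len;
  memcpy(p + 4, name, len + 1);                       /* string plus NUL */
  memset(p + 4 + len + 1, 0, need - (4 + len + 1));   /* alignment padding */
  *used += need;
  return (long)(p - buf);
}
```

Feeding a 4-character name into a 9-byte buffer shows the gap: the buggy check accepts it, yet the padded entry is 12 bytes.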