From: Alan Modra <amodra@gmail.com>
To: binutils@sourceware.org
Subject: asan: buffer overflow in elf32_arm_get_synthetic_symtab
Date: Tue, 10 Oct 2023 22:16:50 +1030 [thread overview]
Message-ID: <ZSU5qkk9v6Mb+JRZ@squeak.grove.modra.org> (raw)
Guard against fuzzed files where .plt size isn't commensurate with
plt relocations.
* elf32-arm.c (elf32_arm_plt0_size): Add data_size param.
Return -1 if data_size is too small.
(elf32_arm_plt_size): Likewise. Delete temp var. Formatting.
(elf32_arm_get_synthetic_symtab): Adjust to suit.
diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c
index f3ad270a6a0..18c30dbef86 100644
--- a/bfd/elf32-arm.c
+++ b/bfd/elf32-arm.c
@@ -19971,11 +19971,15 @@ read_code16 (const bfd *abfd, const bfd_byte *addr)
or (bfd_vma) -1 if size can not be determined. */
static bfd_vma
-elf32_arm_plt0_size (const bfd *abfd, const bfd_byte *addr)
+elf32_arm_plt0_size (const bfd *abfd, const bfd_byte *addr,
+ bfd_size_type data_size)
{
bfd_vma first_word;
bfd_vma plt0_size;
+ if (data_size < 4)
+ return (bfd_vma) -1;
+
first_word = read_code32 (abfd, addr);
if (first_word == elf32_arm_plt0_entry[0])
@@ -19994,24 +19998,28 @@ elf32_arm_plt0_size (const bfd *abfd, const bfd_byte *addr)
or (bfd_vma) -1 if size can not be determined. */
static bfd_vma
-elf32_arm_plt_size (const bfd *abfd, const bfd_byte *start, bfd_vma offset)
+elf32_arm_plt_size (const bfd *abfd, const bfd_byte *start, bfd_vma offset,
+ bfd_size_type data_size)
{
bfd_vma first_insn;
bfd_vma plt_size = 0;
- const bfd_byte *addr = start + offset;
/* PLT entry size if fixed on Thumb-only platforms. */
if (read_code32 (abfd, start) == elf32_thumb2_plt0_entry[0])
- return 4 * ARRAY_SIZE (elf32_thumb2_plt_entry);
+ return 4 * ARRAY_SIZE (elf32_thumb2_plt_entry);
/* Respect Thumb stub if necessary. */
- if (read_code16 (abfd, addr) == elf32_arm_plt_thumb_stub[0])
+ if (offset + 2 > data_size)
+ return (bfd_vma) -1;
+ if (read_code16 (abfd, start + offset) == elf32_arm_plt_thumb_stub[0])
{
plt_size += 2 * ARRAY_SIZE (elf32_arm_plt_thumb_stub);
}
/* Strip immediate from first add. */
- first_insn = read_code32 (abfd, addr + plt_size) & 0xffffff00;
+ if (offset + plt_size + 4 > data_size)
+ return (bfd_vma) -1;
+ first_insn = read_code32 (abfd, start + offset + plt_size) & 0xffffff00;
#ifdef FOUR_WORD_PLT
if (first_insn == elf32_arm_plt_entry[0])
@@ -20088,7 +20096,7 @@ elf32_arm_get_synthetic_symtab (bfd *abfd,
size += sizeof ("+0x") - 1 + 8;
}
- offset = elf32_arm_plt0_size (abfd, data);
+ offset = elf32_arm_plt0_size (abfd, data, plt->size);
if (offset == (bfd_vma) -1
|| (s = *ret = (asymbol *) bfd_malloc (size)) == NULL)
{
@@ -20103,7 +20111,7 @@ elf32_arm_get_synthetic_symtab (bfd *abfd,
{
size_t len;
- bfd_vma plt_size = elf32_arm_plt_size (abfd, data, offset);
+ bfd_vma plt_size = elf32_arm_plt_size (abfd, data, offset, plt->size);
if (plt_size == (bfd_vma) -1)
break;
--
Alan Modra
Australia Development Lab, IBM
reply other threads:[~2023-10-10 11:46 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZSU5qkk9v6Mb+JRZ@squeak.grove.modra.org \
--to=amodra@gmail.com \
--cc=binutils@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).