Date: Tue, 10 Oct 2023 22:16:50 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: asan: buffer overflow in elf32_arm_get_synthetic_symtab

Guard against fuzzed files where .plt size isn't commensurate with plt
relocations.

	* elf32-arm.c (elf32_arm_plt0_size): Add data_size param.  Return -1
	if data_size is too small.
	(elf32_arm_plt_size): Likewise.  Delete temp var.  Formatting.
	(elf32_arm_get_synthetic_symtab): Adjust to suit.

diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c
index f3ad270a6a0..18c30dbef86 100644
--- a/bfd/elf32-arm.c
+++ b/bfd/elf32-arm.c
@@ -19971,11 +19971,15 @@ read_code16 (const bfd *abfd, const bfd_byte *addr) or (bfd_vma) -1 if size can not be determined. */ static bfd_vma -elf32_arm_plt0_size (const bfd *abfd, const bfd_byte *addr) +elf32_arm_plt0_size (const bfd *abfd, const bfd_byte *addr, + bfd_size_type data_size) { bfd_vma first_word; bfd_vma plt0_size; + if (data_size < 4) + return (bfd_vma) -1; + first_word = read_code32 (abfd, addr); if (first_word == elf32_arm_plt0_entry[0]) @@ -19994,24 +19998,28 @@ elf32_arm_plt0_size (const bfd *abfd, const bfd_byte *addr) or (bfd_vma) -1 if size can not be determined. */ static bfd_vma -elf32_arm_plt_size (const bfd *abfd, const bfd_byte *start, bfd_vma offset) +elf32_arm_plt_size (const bfd *abfd, const bfd_byte *start, bfd_vma offset, + bfd_size_type data_size) { bfd_vma first_insn; bfd_vma plt_size = 0; - const bfd_byte *addr = start + offset; /* PLT entry size if fixed on Thumb-only platforms. */ if (read_code32 (abfd, start) == elf32_thumb2_plt0_entry[0]) - return 4 * ARRAY_SIZE (elf32_thumb2_plt_entry); + return 4 * ARRAY_SIZE (elf32_thumb2_plt_entry); /* Respect Thumb stub if necessary. */ - if (read_code16 (abfd, addr) == elf32_arm_plt_thumb_stub[0]) + if (offset + 2 > data_size) + return (bfd_vma) -1; + if (read_code16 (abfd, start + offset) == elf32_arm_plt_thumb_stub[0]) { plt_size += 2 * ARRAY_SIZE (elf32_arm_plt_thumb_stub); } /* Strip immediate from first add. */ - first_insn = read_code32 (abfd, addr + plt_size) & 0xffffff00; + if (offset + plt_size + 4 > data_size) + return (bfd_vma) -1; + first_insn = read_code32 (abfd, start + offset + plt_size) & 0xffffff00; #ifdef FOUR_WORD_PLT if (first_insn == elf32_arm_plt_entry[0]) @@ -20088,7 +20096,7 @@ elf32_arm_get_synthetic_symtab (bfd *abfd, size += sizeof ("+0x") - 1 + 8; } - offset = elf32_arm_plt0_size (abfd, data); + offset = elf32_arm_plt0_size (abfd, data, plt->size); if (offset == (bfd_vma) -1 || (s = *ret = (asymbol *) bfd_malloc (size)) == NULL) { 
@@ -20103,7 +20111,7 @@ elf32_arm_get_synthetic_symtab (bfd *abfd, { size_t len; - bfd_vma plt_size = elf32_arm_plt_size (abfd, data, offset); + bfd_vma plt_size = elf32_arm_plt_size (abfd, data, offset, plt->size); if (plt_size == (bfd_vma) -1) break; -- Alan Modra Australia Development Lab, IBM
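Review bot: in the elf32_arm_plt_size hunk the Thumb-2 path still has no data_size check: `if (read_code32 (abfd, start) == elf32_thumb2_plt0_entry[0]) return 4 * ARRAY_SIZE (elf32_thumb2_plt_entry);` reads the first word of the section before any bound is tested and returns a fixed entry size without comparing `offset` against data_size, so for a Thumb-2 .plt that is shorter than its relocation count implies (the fuzzed case the commit message names) this function never returns (bfd_vma) -1 and the caller's loop keeps stepping offset beyond plt->size. The read at `start` is only safe because elf32_arm_plt0_size has already rejected data_size < 4, which deserves a comment or a repeated `if (data_size < 4) return (bfd_vma) -1;` at the top of this function; the fixed-size return should also fail when `offset + 4 * ARRAY_SIZE (elf32_thumb2_plt_entry) > data_size`.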
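Review bot: in the elf32_arm_get_synthetic_symtab loop hunk, `if (plt_size == (bfd_vma) -1) break;` now ends the walk quietly when the .plt runs out before the relocations do, so the synthetic table holds only the entries found so far and the remaining relocations get no PLT symbol. That is the right trade-off for a disassembler reading untrusted input, but a one-line comment saying the truncation is deliberate (rather than a lost error) would save the next reader a trip back to this change.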
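As an added example, not code from the patch or from binutils, the following C program models the bounds-checked .plt walk the fix performs. The PLT header and entry layout, the instruction words used to recognise them (an ARM PLT0 starting with `str lr, [sp, #-4]!`, a Thumb `bx pc; nop` stub in front of an entry, an ARM entry starting with `add ip, pc, #imm` with the immediate masked off) and all function names are assumptions for this example; the sample section is constructed inline. Each read is preceded by a check against data_size, as in the patched elf32_arm_plt0_size and elf32_arm_plt_size, and the walker exercises the three cases the commit message is about: a well-formed .plt, a .plt with more relocations than entries, and a .plt cut off mid-entry.

```c
/* Added example (not binutils code): a bounds-checked walk over an
   ARM .plt section in the style of the fix above.  Layout, opcodes
   and names are assumptions for this example.  */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PLT_FAIL ((size_t) -1)       /* stands in for (bfd_vma) -1 */

/* Assumed recognisers: ARM PLT0 "str lr, [sp, #-4]!", the Thumb stub
   "bx pc" halfword, and the ARM entry "add ip, pc, #imm" masked.  */
#define PLT0_FIRST_WORD  0xe52de004u
#define PLT0_SIZE        20u         /* four instructions + GOT offset word */
#define THUMB_STUB_HW0   0x4778u
#define THUMB_STUB_SIZE  4u
#define PLT_ENTRY_FIRST  0xe28fc600u
#define PLT_ENTRY_SIZE   12u

static uint32_t read32le (const uint8_t *p)
{
  return (uint32_t) p[0] | (uint32_t) p[1] << 8
         | (uint32_t) p[2] << 16 | (uint32_t) p[3] << 24;
}

static uint16_t read16le (const uint8_t *p)
{
  return (uint16_t) (p[0] | p[1] << 8);
}

/* Header size, or PLT_FAIL if the header is unrecognised or the
   section is too short to hold the word we need to inspect.  */
size_t plt0_size (const uint8_t *data, size_t data_size)
{
  if (data_size < 4)
    return PLT_FAIL;
  return read32le (data) == PLT0_FIRST_WORD ? PLT0_SIZE : PLT_FAIL;
}

/* Size of the entry at OFFSET.  Every read is guarded by a check that
   the bytes it touches lie inside DATA_SIZE, so a .plt smaller than
   its relocation count implies yields PLT_FAIL instead of an overread.  */
size_t plt_entry_size (const uint8_t *data, size_t data_size, size_t offset)
{
  size_t size = 0;

  if (offset + 2 > data_size)                 /* optional Thumb stub */
    return PLT_FAIL;
  if (read16le (data + offset) == THUMB_STUB_HW0)
    size += THUMB_STUB_SIZE;

  if (offset + size + 4 > data_size)          /* first word of ARM entry */
    return PLT_FAIL;
  if ((read32le (data + offset + size) & 0xffffff00u) == PLT_ENTRY_FIRST)
    return size + PLT_ENTRY_SIZE;
  return PLT_FAIL;
}

/* Mirror of the synthetic-symtab loop: walk up to NRELOCS entries and
   return how many were found, or -1 if the header is bad.  Like the
   patch's "break", it stops early rather than walking off the buffer.  */
long count_plt_entries (const uint8_t *data, size_t data_size, size_t nrelocs)
{
  size_t offset = plt0_size (data, data_size);
  long n = 0;

  if (offset == PLT_FAIL)
    return -1;
  for (size_t i = 0; i < nrelocs; i++)
    {
      size_t entry = plt_entry_size (data, data_size, offset);
      if (entry == PLT_FAIL)
        break;
      offset += entry;
      n++;
    }
  return n;
}

static void put32le (uint8_t *p, uint32_t v)
{
  p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
  p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Constructed sample section: PLT0 header, one entry behind a Thumb
   stub, one plain ARM entry.  48 bytes total.  */
uint8_t sample_plt[64];

size_t build_sample_plt (void)
{
  static const uint32_t plt0[5] = { 0xe52de004u, 0xe59fe004u, 0xe08fe00eu,
                                    0xe5bef008u, 0u };
  static const uint32_t entry[3] = { 0xe28fc600u, 0xe28cca00u, 0xe5bcf000u };
  size_t off = 0;

  for (int i = 0; i < 5; i++, off += 4) put32le (sample_plt + off, plt0[i]);
  sample_plt[off++] = 0x78; sample_plt[off++] = 0x47;     /* bx pc  */
  sample_plt[off++] = 0xc0; sample_plt[off++] = 0x46;     /* nop    */
  for (int i = 0; i < 3; i++, off += 4) put32le (sample_plt + off, entry[i]);
  for (int i = 0; i < 3; i++, off += 4) put32le (sample_plt + off, entry[i]);
  return off;
}

int main (void)
{
  size_t len = build_sample_plt ();
  printf ("intact, 2 relocs:    %ld\n", count_plt_entries (sample_plt, len, 2));
  printf ("intact, 5 relocs:    %ld\n", count_plt_entries (sample_plt, len, 5));
  printf ("cut to 30 bytes:     %ld\n", count_plt_entries (sample_plt, 30, 3));
  printf ("3-byte section:      %ld\n", count_plt_entries (sample_plt, 3, 1));
  return 0;
}
```

The guards check only the bytes each read actually touches, which is what the patched functions do; a stricter walker would additionally require `offset + entry <= data_size` before accepting an entry, so that a symbol is never reported for an entry whose tail lies past the end of the section.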