* bus error with fuzzed archive element
@ 2024-05-04 10:56 Alan Modra
From: Alan Modra @ 2024-05-04 10:56 UTC (permalink / raw)
To: binutils
* libbfd.c (bfd_mmap_local): Sanity check rsize against actual
file offset and size, not an archive element offset and size.
diff --git a/bfd/libbfd.c b/bfd/libbfd.c
index 747b69ec2c6..53868471001 100644
--- a/bfd/libbfd.c
+++ b/bfd/libbfd.c
@@ -1072,7 +1072,18 @@ static void *
bfd_mmap_local (bfd *abfd, size_t rsize, int prot, void **map_addr,
size_t *map_size)
{
- ufile_ptr filesize = bfd_get_file_size (abfd);
+ /* We mmap on the underlying file. In an archive it might be nice
+ to limit RSIZE to the element size, but that can be fuzzed and
+ the offset returned by bfd_tell is relative to the start of the
+ element. Therefore to reliably stop access beyond the end of a
+ file (and resulting bus errors) we must work with the underlying
+ file offset and size, and trust that callers will limit access to
+ within an archive element. */
+ while (abfd->my_archive != NULL
+ && !bfd_is_thin_archive (abfd->my_archive))
+ abfd = abfd->my_archive;
+
+ ufile_ptr filesize = bfd_get_size (abfd);
ufile_ptr offset = bfd_tell (abfd);
if (filesize < offset || filesize - offset < rsize)
{
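Review bot: the new comment above the loop explains why the element size cannot be trusted, but not why the walk up `my_archive` stops at a thin archive; a short sentence there (members of a thin archive are separate files, so the member bfd already refers to the real file whose size `bfd_get_size` returns) would save the next reader from wondering whether that condition is inverted. The switch from `bfd_get_file_size` to `bfd_get_size` is consistent with the walk, since by then `abfd` is the container whose iostream is actually mmapped and `bfd_tell` on it yields an absolute file offset. Since this function now only bounds against the underlying file, the "trust that callers will limit access to within an archive element" remark is a contract: consider also stating it in the comment at the top of `bfd_mmap_local` (or its callers in the mmap read path) so that the element-size check is not silently assumed to happen here. The overflow-safe form of the check, `filesize < offset || filesize - offset < rsize`, is correct as written.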
--
Alan Modra