public inbox for gcc-bugs@sourceware.org
* [Bug pch/105403] New: [Bug] Buffer overflow can happen when reading pchf_data from file
@ 2022-04-27 7:10 liftdat at protonmail dot com
2022-04-27 10:37 ` [Bug pch/105403] " geoffk at geoffk dot org
2022-04-28 7:08 ` liftdat at protonmail dot com
From: liftdat at protonmail dot com @ 2022-04-27 7:10 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403
Bug ID: 105403
Summary: [Bug] Buffer overflow can happen when reading
pchf_data from file
Product: gcc
Version: 11.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: pch
Assignee: unassigned at gcc dot gnu.org
Reporter: liftdat at protonmail dot com
Target Milestone: ---
In the file libcpp/files.c, the function _cpp_read_file_entries has the
following code (link:
https://github.com/gcc-mirror/gcc/blob/9715f10c0651c9549b479b69d67be50ac4bd98a6/libcpp/files.cc#L2049):
bool
_cpp_read_file_entries (cpp_reader *pfile ATTRIBUTE_UNUSED, FILE *f)
{
  struct pchf_data d;

  if (fread (&d, sizeof (struct pchf_data) - sizeof (struct pchf_entry), 1, f)
      != 1)
    return false;

  pchf = XNEWVAR (struct pchf_data, sizeof (struct pchf_data)
                  + sizeof (struct pchf_entry) * (d.count - 1));
  memcpy (pchf, &d, sizeof (struct pchf_data) - sizeof (struct pchf_entry));

  if (fread (pchf->entries, sizeof (struct pchf_entry), d.count, f)
      != d.count)
    return false;

  return true;
}
The count field of the pchf_data d is read from the file f. Therefore, given a
crafted input, d.count can get a really large value, e.g., UINT64_MAX.
In this case, the computation of the allocation size will trigger an integer
overflow and give a small value for the size of the allocated buffer:
sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (d.count - 1)
This can lead to a subsequent buffer overflow of the buffer pointed to by pchf.
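To make the arithmetic in the report concrete, the following is an added example and not code from the report or from GCC. It uses an assumed header-plus-tail layout for pchf_data/pchf_entry (the field types are an assumption, only the shape matters), reproduces the allocation-size expression quoted above next to an overflow-checked version, computes a count that makes the unchecked expression wrap to a buffer smaller than two entries, and shows a hardened reader in the shape of _cpp_read_file_entries that additionally bounds count by the bytes left in the stream. The helper names (pchf_alloc_size_unchecked, pchf_alloc_size_checked, pchf_wrapping_count, pchf_read_checked, pchf_try) are hypothetical; the in-memory input is constructed, not a real PCH file.

```c
#define _POSIX_C_SOURCE 200809L  /* fmemopen */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for illustration: fixed header followed by a tail of
   entries, the shape of libcpp's pchf_data/pchf_entry.  Field types are an
   assumption, not copied from GCC.  */
struct pchf_entry
{
  uint64_t size;
  unsigned char sum[16];
  bool once_only;
};

struct pchf_data
{
  size_t count;                 /* read straight from the file */
  bool have_once_only;
  struct pchf_entry entries[1];
};

#define PCHF_HEADER_SIZE (sizeof (struct pchf_data) - sizeof (struct pchf_entry))

/* The allocation size exactly as the quoted function computes it.  size_t
   arithmetic wraps modulo SIZE_MAX + 1, so a hostile count yields a small
   buffer while the following fread still asks for `count` entries.  */
size_t
pchf_alloc_size_unchecked (size_t count)
{
  return sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (count - 1);
}

/* Overflow-safe version: returns 0 (never a valid size) when the tail does
   not fit in size_t.  count == 0 is handled without relying on wraparound.  */
size_t
pchf_alloc_size_checked (size_t count)
{
  if (count == 0)
    return PCHF_HEADER_SIZE;
  size_t max_tail = (SIZE_MAX - sizeof (struct pchf_data)) / sizeof (struct pchf_entry);
  if (count - 1 > max_tail)
    return 0;
  return sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (count - 1);
}

/* A count for which (count - 1) * sizeof (entry) wraps to fewer than
   sizeof (entry) bytes, so the unchecked size is tiny while count is huge.  */
size_t
pchf_wrapping_count (void)
{
  return SIZE_MAX / sizeof (struct pchf_entry) + 2;
}

/* Hardened reader with the shape of _cpp_read_file_entries: rejects a count
   whose allocation overflows or exceeds what the stream can still supply.  */
struct pchf_data *
pchf_read_checked (FILE *f)
{
  struct pchf_data d;
  if (fread (&d, PCHF_HEADER_SIZE, 1, f) != 1)
    return NULL;
  size_t size = pchf_alloc_size_checked (d.count);
  if (size == 0)
    return NULL;
  /* Bound count by the bytes actually remaining in the stream.  */
  long here = ftell (f);
  if (here < 0 || fseek (f, 0, SEEK_END) != 0)
    return NULL;
  long end = ftell (f);
  if (end < here || fseek (f, here, SEEK_SET) != 0)
    return NULL;
  if (d.count > (size_t) (end - here) / sizeof (struct pchf_entry))
    return NULL;
  struct pchf_data *p = malloc (size);
  if (p == NULL)
    return NULL;
  memcpy (p, &d, PCHF_HEADER_SIZE);
  if (d.count != 0
      && fread (p->entries, sizeof (struct pchf_entry), d.count, f) != d.count)
    {
      free (p);
      return NULL;
    }
  return p;
}

/* Constructed test input (not a real PCH): a header claiming `claimed`
   entries followed by `present` entries of 0x41 checksum bytes.  Returns the
   accepted count, or -1 if the hardened reader rejected the stream.  */
long
pchf_try (size_t claimed, size_t present)
{
  size_t len = PCHF_HEADER_SIZE + present * sizeof (struct pchf_entry);
  unsigned char *buf = calloc (1, len);
  if (buf == NULL)
    return -1;
  struct pchf_data hdr;
  memset (&hdr, 0, sizeof hdr);
  hdr.count = claimed;
  memcpy (buf, &hdr, PCHF_HEADER_SIZE);
  for (size_t i = 0; i < present; i++)
    {
      struct pchf_entry e = { .size = i, .once_only = false };
      memset (e.sum, 0x41, sizeof e.sum);
      memcpy (buf + PCHF_HEADER_SIZE + i * sizeof e, &e, sizeof e);
    }
  long result = -1;
  FILE *f = fmemopen (buf, len, "r");
  if (f != NULL)
    {
      struct pchf_data *p = pchf_read_checked (f);
      if (p != NULL)
        {
          result = (long) p->count;
          free (p);
        }
      fclose (f);
    }
  free (buf);
  return result;
}

int
main (void)
{
  size_t crafted = pchf_wrapping_count ();
  printf ("count=%zu: unchecked alloc=%zu bytes, checked=%zu (0 = rejected)\n",
          crafted, pchf_alloc_size_unchecked (crafted), pchf_alloc_size_checked (crafted));
  printf ("crafted: %ld, 10 claimed/4 present: %ld, 4/4: %ld\n",
          pchf_try (crafted, 4), pchf_try (10, 4), pchf_try (4, 4));
  return 0;
}
```

The overflow check alone stops the allocation-size wrap; the remaining-bytes check addresses the separate case of a file whose header claims more entries than the file carries, so that fread fails early instead of after a large allocation. Neither check makes a PCH file safe to load from an untrusted source; they only turn a malformed count into a clean rejection.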
* [Bug pch/105403] [Bug] Buffer overflow can happen when reading pchf_data from file
From: geoffk at geoffk dot org @ 2022-04-27 10:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403
Geoff Keating <geoffk at geoffk dot org> changed:
What | Removed | Added
----------------------------------------------------------------------------
CC   |         | geoffk at geoffk dot org
--- Comment #1 from Geoff Keating <geoffk at geoffk dot org> ---
A PCH file is a trusted input, so this really shouldn't happen, and there are
surely many other ways to trigger arbitrary code execution if you can craft
one. However, a sanity check would do no harm; this code is not performance
relevant.
* [Bug pch/105403] [Bug] Buffer overflow can happen when reading pchf_data from file
From: liftdat at protonmail dot com @ 2022-04-28 7:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403
--- Comment #2 from liftdat at protonmail dot com ---
(In reply to Geoff Keating from comment #1)
> A PCH file is a trusted input, so this really shouldn’t happen, and there
> are surely many other ways to trigger arbitrary code execution if you can
> craft one. However a sanity check would do no harm, this code is not
> performance relevant.
Hi, I think it could also be the case when we have a ridiculously large PCH
file, which means the file itself is legal but still contains a really large
count value.
In that extreme case, the input is still considered "trusted" but we still have
a problem.