public inbox for gcc-bugs@sourceware.org
* [Bug pch/105403] New: [Bug] Buffer overflow can happen when reading pchf_data from file
@ 2022-04-27  7:10 liftdat at protonmail dot com
  2022-04-27 10:37 ` [Bug pch/105403] " geoffk at geoffk dot org
  2022-04-28  7:08 ` liftdat at protonmail dot com
  0 siblings, 2 replies; 3+ messages in thread
From: liftdat at protonmail dot com @ 2022-04-27  7:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403

            Bug ID: 105403
           Summary: [Bug] Buffer overflow can happen when reading
                    pchf_data from file
           Product: gcc
           Version: 11.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: pch
          Assignee: unassigned at gcc dot gnu.org
          Reporter: liftdat at protonmail dot com
  Target Milestone: ---

In the file libcpp/files.c, the function _cpp_read_file_entries has the
following code (link:
https://github.com/gcc-mirror/gcc/blob/9715f10c0651c9549b479b69d67be50ac4bd98a6/libcpp/files.cc#L2049):

bool
_cpp_read_file_entries (cpp_reader *pfile ATTRIBUTE_UNUSED, FILE *f)
{
  struct pchf_data d;

  if (fread (&d, sizeof (struct pchf_data) - sizeof (struct pchf_entry), 1, f)
       != 1)
    return false;

  pchf = XNEWVAR (struct pchf_data, sizeof (struct pchf_data)
                  + sizeof (struct pchf_entry) * (d.count - 1));
  memcpy (pchf, &d, sizeof (struct pchf_data) - sizeof (struct pchf_entry));
  if (fread (pchf->entries, sizeof (struct pchf_entry), d.count, f)
      != d.count)
    return false;
  return true;
}

The count field for the pchf_data d is read from the file f. Therefore, given a
crafted input, d.count can get a really large value, e.g., UINT64_MAX.

In this case, the computation of the allocation size will trigger an integer
overflow and give a small value for the size of the allocated buffer:
    sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (d.count - 1)

This can lead to subsequent buffer overflow for the buffer pointed by pchf.

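The wrap-around described in the report, worked through as an added C example that is not part of the bug report or of GCC's sources. `struct pchf_entry` and `struct pchf_data` here are simplified stand-ins for the libcpp types (assumption: the real ones carry more fields, but the `size_t count` header plus a one-element `entries[1]` tail is the layout that matters). `vulnerable_alloc_size` evaluates the reported expression as written; `pchf_alloc_size` is an illustrative overflow-checked replacement, not GCC's actual fix; `hardened_read_file_entries` is the reader with that check and with the short-read leak closed. The crafted count `SIZE_MAX / sizeof (struct pchf_entry) + 3` is chosen so that `(count - 1) * sizeof (struct pchf_entry)` wraps to between one and two entries' worth of bytes regardless of the entry size. The PCH-like images are constructed in a `tmpfile()` stream so the code runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for libcpp's pchf_entry / pchf_data (assumption: the real
   structs carry more fields; only the size_t count in the header and the
   one-element entries[] tail matter for the size computation). */
struct pchf_entry
{
  uint64_t size;
  unsigned char sum[16];
  bool once_only;
};

struct pchf_data
{
  size_t count;
  bool have_once_only;
  struct pchf_entry entries[1];
};

/* Bytes of the header as read by the reported code: everything before
   the first entry. */
#define PCHF_HEADER_SIZE \
  (sizeof (struct pchf_data) - sizeof (struct pchf_entry))

/* The size expression from the bug report, evaluated exactly as written.
   Once count - 1 is large enough the multiplication wraps modulo
   SIZE_MAX + 1, the result is small, and fread is then told to write
   `count` entries into a buffer of that small size. */
size_t
vulnerable_alloc_size (size_t count)
{
  return sizeof (struct pchf_data) + sizeof (struct pchf_entry) * (count - 1);
}

/* Illustrative hardened size computation (not GCC's fix): refuse any count
   for which the multiplication or the addition would wrap, and map
   count == 0 to a header-only allocation instead of letting count - 1
   underflow to SIZE_MAX. */
bool
pchf_alloc_size (size_t count, size_t *out)
{
  size_t extra = count ? count - 1 : 0;
  size_t max_extra
    = (SIZE_MAX - sizeof (struct pchf_data)) / sizeof (struct pchf_entry);
  if (extra > max_extra)
    return false;
  *out = sizeof (struct pchf_data) + sizeof (struct pchf_entry) * extra;
  return true;
}

/* Reader with the sanity check added: same shape as _cpp_read_file_entries,
   but the allocation size is overflow-checked and a short read frees the
   buffer instead of leaking it.  On failure *out is left NULL. */
bool
hardened_read_file_entries (FILE *f, struct pchf_data **out)
{
  struct pchf_data d;
  size_t bytes;

  *out = NULL;
  if (fread (&d, PCHF_HEADER_SIZE, 1, f) != 1)
    return false;
  if (!pchf_alloc_size (d.count, &bytes))
    return false;               /* crafted or absurd count: reject */

  struct pchf_data *p = malloc (bytes);
  if (p == NULL)
    return false;
  memcpy (p, &d, PCHF_HEADER_SIZE);
  if (fread (p->entries, sizeof (struct pchf_entry), d.count, f) != d.count)
    {
      free (p);
      return false;
    }
  *out = p;
  return true;
}

/* Constructed PCH-like image in a tmpfile: a header claiming `count`
   entries followed by `n_entries` actual entries (fewer than count models
   a truncated or lying file).  Returns a stream rewound to offset 0. */
FILE *
make_pchf_stream (size_t count, const struct pchf_entry *entries,
                  size_t n_entries)
{
  FILE *f = tmpfile ();
  if (f == NULL)
    return NULL;
  struct pchf_data hdr;
  memset (&hdr, 0, sizeof hdr);
  hdr.count = count;
  hdr.have_once_only = false;
  if (fwrite (&hdr, PCHF_HEADER_SIZE, 1, f) != 1
      || (n_entries
          && fwrite (entries, sizeof *entries, n_entries, f) != n_entries))
    {
      fclose (f);
      return NULL;
    }
  rewind (f);
  return f;
}

/* A count for which (count - 1) * sizeof (pchf_entry) wraps to a value in
   [sizeof (pchf_entry), 2 * sizeof (pchf_entry) - 1], whatever the entry
   size is on this target. */
size_t
wrapping_count (void)
{
  return SIZE_MAX / sizeof (struct pchf_entry) + 3;
}

int
main (void)
{
  struct pchf_entry e[2] = { { 123, { 0xaa }, false }, { 456, { 0xbb }, true } };
  struct pchf_data *p = NULL;
  size_t n = 0;

  FILE *good = make_pchf_stream (2, e, 2);
  printf ("legitimate file: %s\n",
          hardened_read_file_entries (good, &p) ? "ok" : "rejected");
  free (p);
  fclose (good);

  size_t crafted = wrapping_count ();
  printf ("crafted count %zu: reported expression allocates %zu bytes, "
          "checked version %s\n",
          crafted, vulnerable_alloc_size (crafted),
          pchf_alloc_size (crafted, &n) ? "accepts" : "rejects");

  FILE *bad = make_pchf_stream (crafted, e, 2);
  printf ("crafted file: %s\n",
          hardened_read_file_entries (bad, &p) ? "ok" : "rejected");
  fclose (bad);
  return 0;
}
```

The check in `pchf_alloc_size` is the one-line sanity test the thread calls for: it costs a division per PCH load, and it rejects both a crafted count and Comment #2's "legitimately enormous" count, since no count that cannot be allocated can be read correctly either.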

* [Bug pch/105403] [Bug] Buffer overflow can happen when reading pchf_data from file
  2022-04-27  7:10 [Bug pch/105403] New: [Bug] Buffer overflow can happen when reading pchf_data from file liftdat at protonmail dot com
@ 2022-04-27 10:37 ` geoffk at geoffk dot org
  2022-04-28  7:08 ` liftdat at protonmail dot com
  1 sibling, 0 replies; 3+ messages in thread
From: geoffk at geoffk dot org @ 2022-04-27 10:37 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403

Geoff Keating <geoffk at geoffk dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |geoffk at geoffk dot org

--- Comment #1 from Geoff Keating <geoffk at geoffk dot org> ---
A PCH file is a trusted input, so this really shouldn’t happen, and there are
surely many other ways to trigger arbitrary code execution if you can craft
one.  However a sanity check would do no harm, this code is not performance
relevant.


* [Bug pch/105403] [Bug] Buffer overflow can happen when reading pchf_data from file
  2022-04-27  7:10 [Bug pch/105403] New: [Bug] Buffer overflow can happen when reading pchf_data from file liftdat at protonmail dot com
  2022-04-27 10:37 ` [Bug pch/105403] " geoffk at geoffk dot org
@ 2022-04-28  7:08 ` liftdat at protonmail dot com
  1 sibling, 0 replies; 3+ messages in thread
From: liftdat at protonmail dot com @ 2022-04-28  7:08 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105403

--- Comment #2 from liftdat at protonmail dot com ---
(In reply to Geoff Keating from comment #1)
> A PCH file is a trusted input, so this really shouldn’t happen, and there
> are surely many other ways to trigger arbitrary code execution if you can
> craft one.  However a sanity check would do no harm, this code is not
> performance relevant.

Hi, I think it could also be the case when we have a ridiculously large PCH
file, which means the file itself is legal but still contains a really large
count value.
In that extreme case, the input is still considered "trusted" but we still have
a problem.

