From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from kwanyin.sergiodj.net (kwanyin.sergiodj.net [158.69.185.54]) by sourceware.org (Postfix) with ESMTPS id 969C5395382A for ; Sun, 15 Mar 2020 20:54:43 +0000 (GMT) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [binutils-gdb] Large memory allocation reading fuzzed 64-bit archive From: gdb-buildbot@sergiodj.net To: gdb-testers@sourceware.org Message-Id: <6f8f95b4c4785e053f96b473039e244473a85ee5@gdb-build> Date: Sun, 15 Mar 2020 16:54:42 -0400 X-Spam-Status: No, score=-25.0 required=5.0 tests=GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: gdb-testers@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb-testers mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Mar 2020 20:54:45 -0000 *** TEST RESULTS FOR COMMIT 6f8f95b4c4785e053f96b473039e244473a85ee5 *** commit 6f8f95b4c4785e053f96b473039e244473a85ee5 Author: Alan Modra AuthorDate: Thu Mar 5 09:42:41 2020 +1030 Commit: Alan Modra CommitDate: Thu Mar 5 11:15:55 2020 +1030 Large memory allocation reading fuzzed 64-bit archive This patch adds a sanity check for the size of an armap. * archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size against file size before allocating memory. Use bfd_alloc rather than bfd_zalloc for carsym/strings memory. diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 821978cf6a..9f1a9424ae 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog 
@@ -1,3 +1,9 @@ +2020-03-05 Alan Modra + + * archive64.c (_bfd_archive_64_bit_slurp_armap): Check parsed_size + against file size before allocating memory. Use bfd_alloc rather + than bfd_zalloc for carsym/strings memory. + 2020-03-04 Alan Modra * elf.c (elf_fake_sections): Ensure sh_addralign is such that diff --git a/bfd/archive64.c b/bfd/archive64.c index d4b0c3cf0c..5e1443932c 100644 --- a/bfd/archive64.c +++ b/bfd/archive64.c @@ -47,6 +47,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) bfd_byte *raw_armap = NULL; carsym *carsyms; bfd_size_type amt; + ufile_ptr filesize; ardata->symdefs = NULL; @@ -76,6 +77,13 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) parsed_size = mapdata->parsed_size; free (mapdata); + filesize = bfd_get_file_size (abfd); + if (filesize != 0 && parsed_size > filesize) + { + bfd_set_error (bfd_error_malformed_archive); + return FALSE; + } + if (bfd_bread (int_buf, 8, abfd) != 8) { if (bfd_get_error () != bfd_error_system_call) @@ -102,7 +110,7 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) bfd_set_error (bfd_error_malformed_archive); return FALSE; } - ardata->symdefs = (struct carsym *) bfd_zalloc (abfd, amt); + ardata->symdefs = (struct carsym *) bfd_alloc (abfd, amt); if (ardata->symdefs == NULL) return FALSE; carsyms = ardata->symdefs;
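Review bot: in the hunk at @@ -76,6 +77,13 @@ the new guard `if (filesize != 0 && parsed_size > filesize)` is deliberately bypassed when bfd_get_file_size returns 0, so for any input whose size cannot be determined the later allocation is still sized entirely from the untrusted parsed_size, which is the condition this patch sets out to prevent; consider a fixed upper bound for that case. The comparison is also against the whole file rather than the bytes remaining after the armap header (filesize minus bfd_tell (abfd)), so a parsed_size just under the file size still reaches the allocation before bfd_bread fails; tightening to the remaining length costs nothing and would make the check worth a comment explaining the `filesize != 0` exception.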
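Review bot: in the hunk at @@ -102,7 +110,7 @@ replacing `bfd_zalloc` with `bfd_alloc` means ardata->symdefs is no longer zero-filled, so the loop that follows `carsyms = ardata->symdefs;` (outside the shown context) must now write both the name and file_offset of every entry that amt was sized for before the armap is treated as loaded, including when the string table turns out shorter than the header claims; please confirm that, or keep bfd_zalloc for this buffer. Separately, the ChangeLog entry says "carsym/strings memory" but only the symdefs allocation is changed in the hunks shown, so either the strings-buffer hunk is missing from this diff or the ChangeLog overstates the change.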