espressif/binutils-gdb
1
0
Fork 0
mirror of https://github.com/espressif/binutils-gdb.git synced 2025-06-23 19:50:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Pool section entries for DWP version 1

Browse Source 
Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3

Fuzzers have found a weakness in the code stashing pool section
entries.  With random nonsensical values in the index entries (rather
than each index pointing to its own set distinct from other sets),
it's possible to overflow the space allocated, losing the NULL
terminator.  Without a terminator, find_section_in_set can run off the
end of the shndx_pool buffer.  Fix this by scanning the pool directly.

binutils/
	* dwarf.c (add_shndx_to_cu_tu_entry): Delete range check.
	(end_cu_tu_entry): Likewise.
	(process_cu_tu_index): Fill shndx_pool by directly scanning
	pool, rather than indirectly from index entries.
This commit is contained in:
Alan Modra
2022-10-30 19:08:51 +10:30
parent 60095ba3b8
commit 28750e3b96
1 changed files with 41 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

90
binutils/dwarf.c
View File

@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
static void static void
add_shndx_to_cu_tu_entry (unsigned int shndx) add_shndx_to_cu_tu_entry (unsigned int shndx)
{ {
if (shndx_pool_used >= shndx_pool_size)
{
error (_("Internal error: out of space in the shndx pool.\n"));
return;
}
shndx_pool [shndx_pool_used++] = shndx; shndx_pool [shndx_pool_used++] = shndx;
} }
static void static void
end_cu_tu_entry (void) end_cu_tu_entry (void)
{ {
if (shndx_pool_used >= shndx_pool_size)
{
error (_("Internal error: out of space in the shndx pool.\n"));
return;
}
shndx_pool [shndx_pool_used++] = 0; shndx_pool [shndx_pool_used++] = 0;
} }
@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
if (version == 1) if (version == 1)
{ {
unsigned char *shndx_list;
unsigned int shndx;
if (!do_display) if (!do_display)
prealloc_cu_tu_list ((limit - ppool) / 4);
for (i = 0; i < nslots; i++)
{ {
unsigned char *shndx_list; prealloc_cu_tu_list ((limit - ppool) / 4);
unsigned int shndx; for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
SAFE_BYTE_GET (signature, phash, 8, limit);
if (signature != 0)
{ {
SAFE_BYTE_GET (j, pindex, 4, limit); shndx = byte_get (shndx_list, 4);
shndx_list = ppool + j * 4; add_shndx_to_cu_tu_entry (shndx);
/* PR 17531: file: 705e010d. */ }
if (shndx_list < ppool) end_cu_tu_entry ();
{ }
warn (_("Section index pool located before start of section\n")); else
return 0; for (i = 0; i < nslots; i++)
} {
SAFE_BYTE_GET (signature, phash, 8, limit);
if (signature != 0)
{
SAFE_BYTE_GET (j, pindex, 4, limit);
shndx_list = ppool + j * 4;
/* PR 17531: file: 705e010d. */
if (shndx_list < ppool)
{
warn (_("Section index pool located before start of section\n"));
return 0;
}
if (do_display)
printf (_(" [%3d] Signature: %#" PRIx64 " Sections: "), printf (_(" [%3d] Signature: %#" PRIx64 " Sections: "),
i, signature); i, signature);
for (;;) for (;;)
{ {
if (shndx_list >= limit) if (shndx_list >= limit)
{ {
warn (_("Section %s too small for shndx pool\n"), warn (_("Section %s too small for shndx pool\n"),
section->name); section->name);
return 0; return 0;
} }
SAFE_BYTE_GET (shndx, shndx_list, 4, limit); SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
if (shndx == 0) if (shndx == 0)
break; break;
if (do_display)
printf (" %d", shndx); printf (" %d", shndx);
else shndx_list += 4;
add_shndx_to_cu_tu_entry (shndx); }
shndx_list += 4;
}
if (do_display)
printf ("\n"); printf ("\n");
else }
end_cu_tu_entry (); phash += 8;
} pindex += 4;
phash += 8; }
pindex += 4;
}
} }
else if (version == 2) else if (version == 2)
{ {