Pool section entries for DWP version 1

Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3 Fuzzers have found a weakness in the code stashing pool section entries. With random nonsensical values in the index entries (rather than each index pointing to its own set distinct from other sets), it's possible to overflow the space allocated, losing the NULL terminator. Without a terminator, find_section_in_set can run off the end of the shndx_pool buffer. Fix this by scanning the pool directly. binutils/ * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check. (end_cu_tu_entry): Likewise. (process_cu_tu_index): Fill shndx_pool by directly scanning pool, rather than indirectly from index entries.
2025-06-23 19:50:13 +08:00 · 2022-10-30 19:08:51 +10:30
parent 60095ba3b8
commit 28750e3b96
1 changed files with 41 additions and 49 deletions
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx)
 static void
 add_shndx_to_cu_tu_entry (unsigned int shndx)
 {
-  if (shndx_pool_used >= shndx_pool_size)
-    {
-      error (_("Internal error: out of space in the shndx pool.\n"));
-      return;
-    }
  shndx_pool [shndx_pool_used++] = shndx;
 }

 static void
 end_cu_tu_entry (void)
 {
-  if (shndx_pool_used >= shndx_pool_size)
-    {
-      error (_("Internal error: out of space in the shndx pool.\n"));
-      return;
-    }
  shndx_pool [shndx_pool_used++] = 0;
 }

@ -10772,14 +10762,23 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
    }

  if (version == 1)
-    {
-      if (!do_display)
-	prealloc_cu_tu_list ((limit - ppool) / 4);
-      for (i = 0; i < nslots; i++)
    {
      unsigned char *shndx_list;
      unsigned int shndx;

+      if (!do_display)
+	{
+	  prealloc_cu_tu_list ((limit - ppool) / 4);
+	  for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4)
+	    {
+	      shndx = byte_get (shndx_list, 4);
+	      add_shndx_to_cu_tu_entry (shndx);
+	    }
+	  end_cu_tu_entry ();
+	}
+      else
+	for (i = 0; i < nslots; i++)
+	  {
 	    SAFE_BYTE_GET (signature, phash, 8, limit);
 	    if (signature != 0)
 	      {
@ -10792,7 +10791,6 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 		    return 0;
 		  }

-	      if (do_display)
 		printf (_("  [%3d] Signature:  %#" PRIx64 "  Sections: "),
 			i, signature);
 		for (;;)
@ -10806,16 +10804,10 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
 		    SAFE_BYTE_GET (shndx, shndx_list, 4, limit);
 		    if (shndx == 0)
 		      break;
-		  if (do_display)
 		    printf (" %d", shndx);
-		  else
-		    add_shndx_to_cu_tu_entry (shndx);
 		    shndx_list += 4;
 		  }
-	      if (do_display)
 		printf ("\n");
-	      else
-		end_cu_tu_entry ();
 	      }
 	    phash += 8;
 	    pindex += 4;