espressif/binutils-gdb
1
0
Fork 0
mirror of https://github.com/espressif/binutils-gdb.git synced 2025-05-22 17:57:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

libctf, ld: diagnose corrupted CTF header cth_strlen

Browse Source 
The last section in a CTF dict is the string table, at an offset
represented by the cth_stroff header field.  Its length is recorded in
the next field, cth_strlen, and the two added together are taken as the
size of the CTF dict.  Upon opening a dict, we check that none of the
header offsets exceed this size, and we check when uncompressing a
compressed dict that the result of the uncompression is the same length:
but CTF dicts need not be compressed, and short ones are not.
Uncompressed dicts just use the ctf_size without checking it.  This
field is thankfully almost unused: it is mostly used when reserializing
a dict, which can't be done to dicts read off disk since they're
read-only.

However, when opening an uncompressed foreign-endian dict we have to
copy it out of the mmaped region it is stored in so we can endian-
swap it, and we use ctf_size when doing that.  When the cth_strlen is
corrupt, this can overrun.

Fix this by checking the ctf_size in all uncompressed cases, just as we
already do in the compressed case.  Add a new test.

This came to light because various corrupted-CTF raw-asm tests had an
incorrect cth_strlen: fix all of them so they produce the expected
error again.

libctf/
	PR libctf/28933
	* ctf-open.c (ctf_bufopen_internal): Always check uncompressed
	CTF dict sizes against the section size in case the cth_strlen is
	corrupt.

ld/
	PR libctf/28933
	* testsuite/ld-ctf/diag-strlen-invalid.*: New test,
	derived from diag-cttname-invalid.s.
	* testsuite/ld-ctf/diag-cttname-invalid.s: Fix incorrect cth_strlen.
	* testsuite/ld-ctf/diag-cttname-null.s: Likewise.
	* testsuite/ld-ctf/diag-cuname.s: Likewise.
	* testsuite/ld-ctf/diag-parlabel.s: Likewise.
	* testsuite/ld-ctf/diag-parname.s: Likewise.
This commit is contained in:
Nick Alcock
2022-03-18 00:49:11 +00:00
parent 203bfa2f6b
commit 84f5c557a4
8 changed files with 85 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
libctf/ctf-open.c
View File

@ -1517,26 +1517,39 @@ ctf_bufopen_internal (const ctf_sect_t *ctfsect, const ctf_sect_t *symsect,
goto bad;
}
}
else if (foreign_endian)
{
if ((fp->ctf_base = malloc (fp->ctf_size)) == NULL)
{
err = ECTF_ZALLOC;
goto bad;
}
fp->ctf_dynbase = fp->ctf_base;
memcpy (fp->ctf_base, ((unsigned char *) ctfsect->cts_data) + hdrsz,
fp->ctf_size);
fp->ctf_buf = fp->ctf_base;
}
else
{
/* We are just using the section passed in -- but its header may be an old
version. Point ctf_buf past the old header, and never touch it
again. */
fp->ctf_base = (unsigned char *) ctfsect->cts_data;
fp->ctf_dynbase = NULL;
fp->ctf_buf = fp->ctf_base + hdrsz;
if (_libctf_unlikely_ (ctfsect->cts_size < hdrsz + fp->ctf_size))
{
ctf_err_warn (NULL, 0, ECTF_CORRUPT,
_("%lu byte long CTF dictionary overruns %lu byte long CTF section"),
(unsigned long) ctfsect->cts_size,
(unsigned long) (hdrsz + fp->ctf_size));
err = ECTF_CORRUPT;
goto bad;
}
if (foreign_endian)
{
if ((fp->ctf_base = malloc (fp->ctf_size)) == NULL)
{
err = ECTF_ZALLOC;
goto bad;
}
fp->ctf_dynbase = fp->ctf_base;
memcpy (fp->ctf_base, ((unsigned char *) ctfsect->cts_data) + hdrsz,
fp->ctf_size);
fp->ctf_buf = fp->ctf_base;
}
else
{
/* We are just using the section passed in -- but its header may
be an old version. Point ctf_buf past the old header, and
never touch it again. */
fp->ctf_base = (unsigned char *) ctfsect->cts_data;
fp->ctf_dynbase = NULL;
fp->ctf_buf = fp->ctf_base + hdrsz;
}
}
/* Once we have uncompressed and validated the CTF data buffer, we can