This is the mail archive of the
binutils-cvs@sourceware.org
mailing list for the binutils project.
[binutils-gdb/users/hjl/linux/master] Fix memory access violations exposed by running the srconv tool on fuzzed binaries.
- From: H.J.Lu <hjl at sourceware dot org>
- To: bfd-cvs at sourceware dot org
- Date: 11 Jan 2015 16:21:44 -0000
- Subject: [binutils-gdb/users/hjl/linux/master] Fix memory access violations exposed by running the srconv tool on fuzzed binaries.
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c88f5b8e495889f5d281a17bd56340d9a0e4cff6
commit c88f5b8e495889f5d281a17bd56340d9a0e4cff6
Author: Nick Clifton <nickc@redhat.com>
Date: Wed Jan 7 16:41:25 2015 +0000
Fix memory access violations exposed by running the srconv tool on fuzzed binaries.
PR binutils/17512
* objdump.c (display_any_bfd): Add a depth limit to nested archive
display in order to avoid infinite loops.
* srconv.c: Replace calls to abort with calls to fatal with an
error message.
Diff:
---
binutils/ChangeLog | 8 ++++++++
binutils/objdump.c | 9 ++++++++-
binutils/srconv.c | 28 +++++++++++++++-------------
3 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 338be86..31a6696 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2015-01-07 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17512
+ * objdump.c (display_any_bfd): Add a depth limit to nested archive
+ display in order to avoid infinite loops.
+ * srconv.c: Replace calls to abort with calls to fatal with an
+ error message.
+
2015-01-06 Nick Clifton <nickc@redhat.com>
PR binutils/17512
diff --git a/binutils/objdump.c b/binutils/objdump.c
index a8c7d05..22e5ad6 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -3406,9 +3406,16 @@ display_any_bfd (bfd *file, int level)
{
bfd *arfile = NULL;
bfd *last_arfile = NULL;
-
+
if (level == 0)
printf (_("In archive %s:\n"), bfd_get_filename (file));
+ else if (level > 100)
+ {
+ /* Prevent corrupted files from spinning us into an
+ infinite loop. 100 is an arbitrary heuristic. */
+ non_fatal (_("Archive nesting is too deep"));
+ return;
+ }
else
printf (_("In nested archive %s:\n"), bfd_get_filename (file));
diff --git a/binutils/srconv.c b/binutils/srconv.c
index d2e0cdb..c19c0ed 100644
--- a/binutils/srconv.c
+++ b/binutils/srconv.c
@@ -167,7 +167,8 @@ checksum (FILE *ffile, unsigned char *ptr, int size, int ccode)
last = !(ccode & 0xff00);
if (size & 0x7)
- abort ();
+ fatal (_("Checksum failure"));
+
ptr[0] = ccode | (last ? 0x80 : 0);
ptr[1] = bytes + 1;
@@ -178,7 +179,7 @@ checksum (FILE *ffile, unsigned char *ptr, int size, int ccode)
ptr[bytes] = ~sum;
if (fwrite (ptr, bytes + 1, 1, ffile) != 1)
/* FIXME: Return error status. */
- abort ();
+ fatal (_("Failed to write checksum"));
}
@@ -218,7 +219,7 @@ writeINT (int n, unsigned char *ptr, int *idx, int size, FILE *ffile)
ptr[byte + 3] = n >> 0;
break;
default:
- abort ();
+ fatal (_("Unsupported integer write size: %d"), size);
}
*idx += size * 8;
}
@@ -304,7 +305,7 @@ wr_tr (void)
if (fwrite (b, sizeof (b), 1, file) != 1)
/* FIXME: Return error status. */
- abort ();
+ fatal (_("Failed to write TR block"));
}
static void
@@ -395,7 +396,8 @@ wr_hd (struct coff_ofile *p)
toolname = "C_H8/300S";
break;
default:
- abort();
+ fatal (_("Unrecognized H8300 sub-architecture: %ld"),
+ bfd_get_mach (abfd));
}
rnames = rname_h8300;
break;
@@ -412,7 +414,7 @@ wr_hd (struct coff_ofile *p)
rnames = rname_sh;
break;
default:
- abort ();
+ fatal (_("Unsupported architecture: %d"), bfd_get_arch (abfd));
}
if (! (bfd_get_file_flags(abfd) & EXEC_P))
@@ -866,7 +868,7 @@ walk_tree_type_1 (struct coff_sfile *sfile, struct coff_symbol *symbol,
break;
default:
- abort ();
+ fatal (_("Unrecognised type: %d"), type->type);
}
}
@@ -995,7 +997,7 @@ walk_tree_symbol (struct coff_sfile *sfile, struct coff_section *section ATTRIBU
return;
default:
- abort ();
+ fatal (_("Unrecognised coff symbol type: %d"), symbol->type->type);
}
if (symbol->where->where == coff_where_member_of_struct)
@@ -1057,7 +1059,7 @@ walk_tree_symbol (struct coff_sfile *sfile, struct coff_section *section ATTRIBU
break;
default:
- abort ();
+ fatal (_("Unrecognised coff symbol visibility: %d"), symbol->visible->type);
}
dsy.dlength = symbol->type->size;
@@ -1083,7 +1085,7 @@ walk_tree_symbol (struct coff_sfile *sfile, struct coff_section *section ATTRIBU
break;
default:
- abort ();
+ fatal (_("Unrecognised coff symbol location: %d"), symbol->where->where);
}
switch (symbol->where->where)
@@ -1128,7 +1130,7 @@ walk_tree_symbol (struct coff_sfile *sfile, struct coff_section *section ATTRIBU
break;
default:
- abort ();
+ fatal (_("Unrecognised coff symbol location: %d"), symbol->where->where);
}
if (symbol->where->where == coff_where_register)
@@ -1157,7 +1159,7 @@ walk_tree_symbol (struct coff_sfile *sfile, struct coff_section *section ATTRIBU
break;
default:
- abort ();
+ fatal (_("Unrecognised coff symbol visibility: %d"), symbol->visible->type);
}
dsy.sfn = 0;
@@ -1460,7 +1462,7 @@ wr_cs (void)
if (fwrite (b, sizeof (b), 1, file) != 1)
/* FIXME: Return error status. */
- abort ();
+ fatal (_("Failed to write CS struct"));
}
/* Write out the SC records for a unit. Create an SC