Created attachment 11419 [details]
malicious input that triggers the overflow

Integer-overflow bug in strip-new.

Description:
There is an integer-overflow bug in binutils/bfd/elf.c:7036 IS_CONTAINED_BY_LMA(). There should be boundary checking in this function.

Configure names: host='x86_64-pc-linux-gnu' target='x86_64-pc-linux-gnu'; we also upload the config.status file in the attachment.

Options: strip-new ./integer_overflow_input -o sss

Input: file integer_overflow_input
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7

commit beab453223769279cc1cef68a1622ab8978641f7
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 30 11:43:12 2018 +0000

    Remove an abort in the bfd library and add a check for an integer overflow when mapping sections to segments.

    	PR 23932
    	* elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section size.
    	(rewrite_elf_program_header): If no sections are mapped into a segment return an error.
Hi Dongdong,

Thanks for reporting this problem. I have checked in a patch to resolve the issue. It adds a check for a possible integer overflow, as you suggested, and it replaces a call to abort with a more reasonable error return.

Cheers
  Nick
Hey Nick,

This introduced a regression for me with moxie-elf-objcopy. To reproduce, I feed the assembler this:

        .section .text
        .global _start
_start:
        ldi.l $r0, 0xab6789ab
        sta.l 0x0c0ffee0, $r0
        sta.b 0xdead, $r0

...like so

$ moxie-elf-as t.s

And then link it...

$ moxie-elf-ld -o t.x a.out

And then...

$ moxie-elf-objdump -h t.x

t.x:     file format elf32-bigmoxie

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00000012  00001000  00001000  00000054  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, CODE

But I need to change the LMA to 0 for my processor verilog tests so....

$ moxie-elf-objcopy --change-section-lma .text-0x1000 t.x t0.x
moxie-elf-objcopy: t.x: error in private header data: sorry, cannot handle this file

In this section of elf.c, map->count is 0 in my case...

	  /* PR 23932.  A corrupt input file may contain sections that cannot
	     be assigned to any segment - because for example they have a
	     negative size - or segments that do not contain any sections.  */
	  if (map->count == 0)
	    {
	    sorry:
	      bfd_set_error (bfd_error_sorry);
	      free (sections);
	      return FALSE;
	    }
Here's an example of where it is failing: https://travis-ci.org/atgreen/moxie-cores/builds/645732440
Created attachment 12265 [details]
Proposed patch

Hi Anthony,

Hmm, OK, please could you try out this patch and let me know if the resulting objcopy'd binary is what you need.

Cheers
  Nick
Thanks, Nick. I've tested this patch and it solves the problem. Please apply at your earliest convenience!
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9984857cfd9a85a5d1b99162f9838aba099d20a0

commit 9984857cfd9a85a5d1b99162f9838aba099d20a0
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 7 12:55:05 2020 +0000

    Stop the BFD library from complaining if a segment has no sections attached to it.

    	PR 23932
    	* elf.c (rewrite_elf_program_header): Do not complain if no sections are mapped to a segment.
Patch applied.
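The two halves of this thread come down to one containment test: the original report (a "negative" section size wrapping the lma + size addition in IS_CONTAINED_BY_LMA) and the later regression (a segment that legitimately ends up with zero sections after --change-section-lma). The following is an added example, not binutils code and not Nick's patch: it models the check with a simplified, assumed shape (the struct names, function names and the constructed section/segment values are all illustration), shows the naive unsigned comparison being fooled by a crafted size, the overflow guard rejecting it, and a zero-section mapping being returned as an ordinary count rather than an error.

```c
/* Added example (not BFD's own code): a simplified model of the
   IS_CONTAINED_BY_LMA() test from bfd/elf.c.  Names and values here are
   assumptions for the demonstration.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t bfd_vma;          /* BFD's unsigned address type */

struct section { const char *name; bfd_vma lma; bfd_vma size; };
struct segment { bfd_vma p_paddr; bfd_vma p_memsz; };

/* Naive containment test.  lma + size is unsigned arithmetic, so a size
   near 2^64 (negative if read as signed) wraps the sum back below lma
   and the upper-bound comparison passes even though the section can
   never fit.  */
static bool contained_naive(bfd_vma lma, bfd_vma size, bfd_vma base, bfd_vma memsz)
{
    return lma >= base && lma + size <= base + memsz;
}

/* Hardened test: refuse before either addition can wrap.  */
static bool contained_checked(bfd_vma lma, bfd_vma size, bfd_vma base, bfd_vma memsz)
{
    if (lma < base)
        return false;
    if (size > UINT64_MAX - lma)         /* lma + size would wrap */
        return false;
    if (memsz > UINT64_MAX - base)       /* base + memsz would wrap */
        return false;
    return lma + size <= base + memsz;
}

/* Assign sections to one segment and return how many fit.  Zero is a
   valid outcome (for instance after objcopy moved the only section's LMA
   out of the segment), so callers must not treat it as a corrupt file.  */
static size_t map_sections(const struct section *secs, size_t n, const struct segment *seg)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (contained_checked(secs[i].lma, secs[i].size, seg->p_paddr, seg->p_memsz))
            count++;
    return count;
}

int main(void)
{
    /* Constructed inputs: a 0x100-byte segment at 0x1000 and a section
       whose size is -16 when read as a signed 64-bit value.  */
    const struct segment seg = { 0x1000, 0x100 };
    const bfd_vma neg_size = 0xFFFFFFFFFFFFFFF0ULL;

    printf("naive   : crafted section contained = %d\n",
           contained_naive(0x1000, neg_size, seg.p_paddr, seg.p_memsz));
    printf("checked : crafted section contained = %d\n",
           contained_checked(0x1000, neg_size, seg.p_paddr, seg.p_memsz));

    /* The moxie case from the thread: .text at LMA 0x1000, size 0x12,
       then LMA changed to 0 by --change-section-lma .text-0x1000.  */
    struct section text = { ".text", 0x1000, 0x12 };
    const struct segment textseg = { 0x1000, 0x12 };
    printf("before objcopy: %zu section(s) mapped\n", map_sections(&text, 1, &textseg));
    text.lma = 0;
    printf("after objcopy : %zu section(s) mapped (legitimate, not an error)\n",
           map_sections(&text, 1, &textseg));
    return 0;
}
```

The guard `size > UINT64_MAX - lma` is the portable way to ask "would lma + size wrap" without performing the wrapping addition first; the same pattern applies to the segment end, which a crafted p_memsz can overflow just as easily.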