Bug 23932 - integer overflow causes an endless loop
Summary: integer overflow causes an endless loop
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils
Version: 2.30
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-29 03:13 UTC by Dongdong She
Modified: 2020-02-07 12:56 UTC
2 users

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments
malicious input that triggers the overflow (2.44 KB, application/x-core)
2018-11-29 03:13 UTC, Dongdong She
Proposed patch (533 bytes, patch)
2020-02-06 17:06 UTC, Nick Clifton

Description Dongdong She 2018-11-29 03:13:30 UTC
Created attachment 11419 [details]
malicious input that triggers the overflow

Integer-overflow bug in strip-new.
Description: There is an integer-overflow bug in binutils/bfd/elf.c:7036 IS_CONTAINED_BY_LMA(). There should be boundary checking in this function.
Configure names: host='x86_64-pc-linux-gnu'  target='x86_64-pc-linux-gnu'; we also uploaded the config.status file in the attachment.
Options: strip-new ./integer_overflow_input -o sss
Input: file interger_overflow_input
Comment 1 Sourceware Commits 2018-11-30 11:44:35 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=beab453223769279cc1cef68a1622ab8978641f7

commit beab453223769279cc1cef68a1622ab8978641f7
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Nov 30 11:43:12 2018 +0000

    Remove an abort in the bfd library and add a check for an integer overflow when mapping sections to segments.
    
    	PR 23932
    	* elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
    	size.
    	(rewrite_elf_program_header): If no sections are mapped into a
    	segment return an error.
Comment 2 Nick Clifton 2018-11-30 11:48:03 UTC
Hi Dongdong,

  Thanks for reporting this problem.

  I have checked in a patch to resolve the issue.  It adds a check for a
  possible integer overflow, as you suggested, and it replaces a call to
  abort with a more reasonable error return.

Cheers
  Nick
Comment 3 Anthony Green 2020-02-04 01:54:18 UTC
Hey Nick,

  This introduced a regression for me with moxie-elf-objcopy.

  To reproduce, I feed the assembler this:

        .section .text
        .global _start
_start: 
        ldi.l   $r0, 0xab6789ab
        sta.l   0x0c0ffee0, $r0
        sta.b   0xdead, $r0

  ...like so

$ moxie-elf-as t.s

  And then link it...

$ moxie-elf-ld -o t.x a.out

And then...

$ moxie-elf-objdump -h t.x

t.x:     file format elf32-bigmoxie

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00000012  00001000  00001000  00000054  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, CODE

But I need to change the LMA to 0 for my processor verilog tests so....

$ moxie-elf-objcopy --change-section-lma .text-0x1000 t.x t0.x
moxie-elf-objcopy: t.x: error in private header data: sorry, cannot handle this file


In this section of elf.c, map->count is 0 in my case...

          /* PR 23932.  A corrupt input file may contain sections that cannot
             be assigned to any segment - because for example they have a
             negative size - or segments that do not contain any sections.  */

          if (map->count == 0)
            {
            sorry:
              bfd_set_error (bfd_error_sorry);
              free (sections);
              return FALSE;
            }
Comment 4 Anthony Green 2020-02-04 02:03:46 UTC
Here's an example of where it is failing: 

https://travis-ci.org/atgreen/moxie-cores/builds/645732440
Comment 5 Nick Clifton 2020-02-06 17:06:30 UTC
Created attachment 12265 [details]
Proposed patch

Hi Anthony,

  Hmm, OK, please could you try out this patch and let me know if the resulting
  objcopy'd binary is what you need.

Cheers
  Nick
Comment 6 Anthony Green 2020-02-06 18:17:44 UTC
Thanks, Nick.  I've tested this patch and it solves the problem.   Please apply at your earliest convenience!
Comment 7 Sourceware Commits 2020-02-07 12:56:21 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9984857cfd9a85a5d1b99162f9838aba099d20a0

commit 9984857cfd9a85a5d1b99162f9838aba099d20a0
Author: Nick Clifton <nickc@redhat.com>
Date:   Fri Feb 7 12:55:05 2020 +0000

    Stop the BFD library from complaining if a segment has no sections attached to it.
    
    	PR 23932
    	* elf.c (rewrite_elf_program_header): Do not complain if no
    	sections are mapped to a segment.
Comment 8 Nick Clifton 2020-02-07 12:56:59 UTC
Patch applied.