Bug 29495 - rewrite_elf_program_header looping
Summary: rewrite_elf_program_header looping
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.40 (HEAD)
: P2 normal
Target Milestone: 2.40
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-15 11:34 UTC by Shuang Po
Modified: 2022-08-16 08:56 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-08-16 00:00:00


Attachments
testcases for strip-new (3.23 KB, application/x-zip-compressed)
2022-08-15 11:34 UTC, Shuang Po
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Shuang Po 2022-08-15 11:34:48 UTC
Created attachment 14282 [details]
testcases for strip-new

Hello,

I detected some new memory leak and dead loop problems through fuzz testing, which I think may be a vulnerability.

The configuration of binutils is:

$  ./configure --disable-shared && make -j

and compiled with gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

I use the program strip-new in "~/binutils-gdb/binutils/strip-new" in master branch[https://github.com/bminor/binutils-gdb/tree/master] with parameter "-o tmp ./testcase", and after waiting 20 minutes, the program neither giving any outputs nor terminating. What is more, the program strip-new occupied all the memory.

The testcase that trigger such results are in the attachment. If there is anything I am unclear about or need to discuss further, please feel free to contact me~

Looking forward to your reply!

Thanks & Best Regards
Comment 1 cvs-commit@gcc.gnu.org 2022-08-16 08:51:33 UTC
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45d92439aebd0386ef8af76e1796d08cfe457e1d

commit 45d92439aebd0386ef8af76e1796d08cfe457e1d
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Aug 16 17:02:24 2022 +0930

    PR29495, rewrite_elf_program_header looping
    
    This patch, in order of significance:
    1) Replaces some macros with inline functions.
    2) Those inline functions catch and avoid arithmetic overflows when
       comparing addresses.
    3) When assigning sections to segments (IS_SECTION_IN_INPUT_SEGMENT)
       use bed->want_p_paddr_set_to_zero to decide whether lma vs p_paddr
       or vma vs p_vaddr should be tested.  When remapping, use the same
       test, and use is_note rather than the more restrictive
       IS_COREFILE_NOTE.
    
    It's important that the later tests not be more restrictive.  If they
    are it can lead to the situation triggered by the testcases, where a
    section seemingly didn't fit and thus needed a new mapping.  It didn't
    fit the new mapping either, and this repeated until memory exhausted.
    
            PR 29495
            * elf.c (SEGMENT_END, SECTION_SIZE, IS_CONTAINED_BY_VMA): Delete.
            (IS_CONTAINED_BY_LMA, IS_NOTE, IS_COREFILE_NOTE): Delete.
            (segment_size, segment_end, section_size): New inline function.
            (is_contained_by, is_note): Likewise.
            (rewrite_elf_program_header): Use new functions.
Comment 2 Alan Modra 2022-08-16 08:56:13 UTC
Fixed for 2.40