Bug 29495 - rewrite_elf_program_header looping
Summary: rewrite_elf_program_header looping
Status: RESOLVED FIXED
Alias: None
Product: binutils
Classification: Unclassified
Component: binutils (show other bugs)
Version: 2.40
: P2 normal
Target Milestone: 2.40
Assignee: Alan Modra
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-15 11:34 UTC by Shuang Po
Modified: 2022-08-16 08:56 UTC (History)
0 users

See Also:
Host:
Target:
Build:
Last reconfirmed: 2022-08-16 00:00:00

Attachments
testcases for strip-new (3.23 KB, application/x-zip-compressed)
2022-08-15 11:34 UTC, Shuang Po 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Shuang Po 2022-08-15 11:34:48 UTC 
Created attachment 14282 [details]
testcases for strip-new

Hello,

I detected some new memory leak and dead loop problems through fuzz testing, which I think may be a vulnerability.

The configuration of binutils is:

$  ./configure --disable-shared && make -j

and compiled with gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0

I use the program strip-new in "~/binutils-gdb/binutils/strip-new" in master branch[https://github.com/bminor/binutils-gdb/tree/master] with parameter "-o tmp ./testcase", and after waiting 20 minutes, the program neither giving any outputs nor terminating. What is more, the program strip-new occupied all the memory.

The testcase that trigger such results are in the attachment. If there is anything I am unclear about or need to discuss further, please feel free to contact me~

Looking forward to your reply!

Thanks & Best Regards
Comment 1 Sourceware Commits 2022-08-16 08:51:33 UTC 
The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=45d92439aebd0386ef8af76e1796d08cfe457e1d

commit 45d92439aebd0386ef8af76e1796d08cfe457e1d
Author: Alan Modra <amodra@gmail.com>
Date:   Tue Aug 16 17:02:24 2022 +0930

    PR29495, rewrite_elf_program_header looping
    
    This patch, in order of significance:
    1) Replaces some macros with inline functions.
    2) Those inline functions catch and avoid arithmetic overflows when
       comparing addresses.
    3) When assigning sections to segments (IS_SECTION_IN_INPUT_SEGMENT)
       use bed->want_p_paddr_set_to_zero to decide whether lma vs p_paddr
       or vma vs p_vaddr should be tested.  When remapping, use the same
       test, and use is_note rather than the more restrictive
       IS_COREFILE_NOTE.
    
    It's important that the later tests not be more restrictive.  If they
    are it can lead to the situation triggered by the testcases, where a
    section seemingly didn't fit and thus needed a new mapping.  It didn't
    fit the new mapping either, and this repeated until memory exhausted.
    
            PR 29495
            * elf.c (SEGMENT_END, SECTION_SIZE, IS_CONTAINED_BY_VMA): Delete.
            (IS_CONTAINED_BY_LMA, IS_NOTE, IS_COREFILE_NOTE): Delete.
            (segment_size, segment_end, section_size): New inline function.
            (is_contained_by, is_note): Likewise.
            (rewrite_elf_program_header): Use new functions.
Comment 2 Alan Modra 2022-08-16 08:56:13 UTC 
Fixed for 2.40