This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[binutils-gdb/binutils-2_26-branch] PR19323 memory allocation greater than 4G

From: Alan Modra <amodra at sourceware dot org>
To: bfd-cvs at sourceware dot org
Date: 10 Dec 2015 13:50:56 -0000
Subject: [binutils-gdb/binutils-2_26-branch] PR19323 memory allocation greater than 4G

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aa8b89e8ae35f71a94a1eaee0da939396d2f61d4

commit aa8b89e8ae35f71a94a1eaee0da939396d2f61d4
Author: Alan Modra <amodra@gmail.com>
Date:   Mon Dec 7 13:41:36 2015 +1030

    PR19323 memory allocation greater than 4G
    
    On 32-bit targets, memory requested for program/section headers on a
    fuzzed binary can wrap to 0.  A bfd_alloc of zero bytes actually
    returns a one byte allocation rather than a NULL pointer.  This then
    leads to buffer overflows.
    
    Making this check unconditional triggers an extremely annoying gcc-5
    warning.
    
    	PR 19323
    	* elfcode.h (elf_object_p): Check for ridiculous e_shnum and
    	e_phnum values.

Diff:
---
 bfd/ChangeLog |  5 +++++
 bfd/elfcode.h | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 131435a..0dc691d 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -2,6 +2,11 @@
 
 	Apply from master.
 	2015-12-07  Alan Modra  <amodra@gmail.com>
+	PR 19323
+	* elfcode.h (elf_object_p): Check for ridiculous e_shnum and
+	e_phnum values.
+
+	2015-12-07  Alan Modra  <amodra@gmail.com>
 	* reloc.c (BFD_RELOC_PPC64_ENTRY): New.
 	* elf64-ppc.c (reloc_howto_type ppc64_elf_howto_raw): Add
 	entry for R_PPC64_ENTRY.
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 26af1d1..915c8d5 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -676,6 +676,10 @@ elf_object_p (bfd *abfd)
       Elf_Internal_Shdr *shdrp;
       unsigned int num_sec;
 
+#ifndef BFD64
+      if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
+	goto got_wrong_format_error;
+#endif
       amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
       i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
       if (!i_shdrp)
@@ -766,7 +770,11 @@ elf_object_p (bfd *abfd)
       Elf_Internal_Phdr *i_phdr;
       unsigned int i;
 
-      amt = i_ehdrp->e_phnum * sizeof (Elf_Internal_Phdr);
+#ifndef BFD64
+      if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+	goto got_wrong_format_error;
+#endif
+      amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
       if (elf_tdata (abfd)->phdr == NULL)
 	goto got_no_match;

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]