From 4be1e8dbb3f8da8058ed93dfc222ee6dffb02e60 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Tue, 25 May 2021 13:36:20 +0930
Subject: asan: _bfd_elf_parse_attributes heap buffer overflow

I exposed a problem with the change in commit 574ec1084d to the outer loop of _bfd_elf_parse_attributes. "p_end - p >= 4" is better than "p < p_end - 4" as far as pointer UB is concerned if the size of the attribute section is, say, 3 bytes. However you do need to ensure p never exceeds p_end, and that length remaining is kept consistent with the pointer.

	* elf-attrs.c (elf_attr_strdup): New function.
	(_bfd_elf_attr_strdup): Use it here.
	(elf_add_obj_attr_string): New function, extracted from..
	(bfd_elf_add_obj_attr_string): ..here.
	(elf_add_obj_attr_int_string): New function, extracted from..
	(bfd_elf_add_obj_attr_int_string): ..here.
	(_bfd_elf_parse_attributes): Don't allocate an extra byte for a
	string terminator. Instead ensure parsing doesn't go past end of
	sub-section. Use size_t variables for lengths.
---
 bfd/ChangeLog | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'bfd/ChangeLog')

diff --git a/bfd/ChangeLog b/bfd/ChangeLog index a240941..516b816 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,15 @@ +2021-05-25 Alan Modra + + * elf-attrs.c (elf_attr_strdup): New function. + (_bfd_elf_attr_strdup): Use it here. + (elf_add_obj_attr_string): New function, extracted from.. + (bfd_elf_add_obj_attr_string): ..here. + (elf_add_obj_attr_int_string): New function, extracted from.. + (bfd_elf_add_obj_attr_int_string): ..here. + (_bfd_elf_parse_attributes): Don't allocate an extra byte for a + string terminator. Instead ensure parsing doesn't go past + end of sub-section. Use size_t variables for lengths. + 2021-05-22 Alan Modra * libbfd.c (_bfd_safe_read_leb128): Remove length_return parameter.
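Review bot: the ChangeLog entry for _bfd_elf_parse_attributes records the string-terminator and size_t changes but not the loop-bound fix that the commit message leads with, namely that after commit 574ec1084d switched the outer loop to "p_end - p >= 4", p still has to be kept from exceeding p_end and the remaining length kept consistent with the pointer. Since that is the heap buffer overflow ASan reported, the entry should say so; something like "(_bfd_elf_parse_attributes): Ensure p never exceeds p_end and keep remaining length consistent with the pointer." would make the ChangeLog match the fix. The elf-attrs.c hunk itself is outside this view (limited to bfd/ChangeLog), so the code change cannot be checked here.

The bounds-checking pattern the commit message describes, as an added example that is not binutils code: a simplified sub-section walker whose layout (a 4-byte little-endian length counting itself, then a NUL-terminated name, then opaque payload) is a constructed simplification of the ELF attributes format, not the real one. It uses the "p_end - p >= 4" style test, keeps the remaining byte count in step with the pointer, and searches for the terminator only inside the sub-section instead of relying on an extra byte appended to a copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not binutils code. Sub-section layout assumed here is a
   simplification: 4-byte little-endian length (including the length field),
   NUL-terminated name, then payload up to the sub-section end. */

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of well-formed sub-sections in buf, or -1 if any
   sub-section is malformed. Never reads outside [buf, buf + size). */
int count_subsections(const unsigned char *buf, size_t size)
{
    const unsigned char *p = buf;
    size_t remaining = size;   /* invariant: remaining == p_end - p */
    int count = 0;

    /* Testing the remaining length (equivalent to p_end - p >= 4) never forms a
       pointer before buf; "p < p_end - 4" would be undefined behaviour for a
       3-byte section. */
    while (remaining >= 4) {
        size_t len = read_le32(p);

        /* The length counts its own 4 bytes and must fit in what is left, so the
           sub-section end never exceeds p_end and len == 0 cannot loop forever. */
        if (len < 4 || len > remaining)
            return -1;

        const unsigned char *name = p + 4;
        size_t name_room = len - 4;   /* bytes available inside this sub-section */

        /* Bounded terminator search instead of an extra NUL appended to a copy. */
        if (memchr(name, 0, name_room) == NULL)
            return -1;

        /* Payload (from after the NUL to p + len) would be parsed here, bounded
           by p + len, never by p_end alone. */
        p += len;
        remaining -= len;   /* pointer and length advance together */
        count++;
    }
    /* Fewer than 4 trailing bytes are ignored rather than read. */
    return count;
}

/* Constructed sample inputs. */
static const unsigned char SAMPLE_GOOD[] = {
    8, 0, 0, 0, 'g', 'n', 'u', 0,                  /* len 8: name "gnu" */
    9, 0, 0, 0, 'a', 0, 0x01, 0x02, 0x03,          /* len 9: name "a", 3 payload bytes */
    0x41, 0x42                                     /* 2 trailing bytes, ignored */
};
static const unsigned char SAMPLE_SHORT[]   = { 0x41, 0x00, 0x00 };          /* 3 bytes */
static const unsigned char SAMPLE_OVERLONG[] = { 0xFF, 0xFF, 0xFF, 0x7F, 'g', 0 };
static const unsigned char SAMPLE_NONUL[]   = { 6, 0, 0, 0, 'g', 'n' };
static const unsigned char SAMPLE_TINYLEN[] = { 2, 0, 0, 0 };

int main(void)
{
    printf("good: %d\n",     count_subsections(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("short: %d\n",    count_subsections(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("overlong: %d\n", count_subsections(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("no NUL: %d\n",   count_subsections(SAMPLE_NONUL, sizeof SAMPLE_NONUL));
    printf("tiny len: %d\n", count_subsections(SAMPLE_TINYLEN, sizeof SAMPLE_TINYLEN));
    return 0;
}
```

The point of carrying `remaining` alongside `p` is that every check is written against a value that cannot drift from the pointer; a length claimed by the input is validated against `remaining` before either is advanced, so a hostile length field is rejected rather than pushing `p` past the end.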