diff options
| author | Alan Modra <amodra@gmail.com> | 2019-03-12 16:19:25 +1030 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2019-03-12 23:54:09 +1030 |
| commit | 7a6e0d89bb018cef0d8d13c497d8f340aa2a0fc8 (patch) | |
| tree | 651ca43c71bbdac13aba4be8a5a106e23ac494e5 /binutils | |
| parent | 0919bfe915906382611011f123b5ae68a0bafbb2 (diff) | |
| download | gdb-7a6e0d89bb018cef0d8d13c497d8f340aa2a0fc8.zip gdb-7a6e0d89bb018cef0d8d13c497d8f340aa2a0fc8.tar.gz gdb-7a6e0d89bb018cef0d8d13c497d8f340aa2a0fc8.tar.bz2 | |
Don't use bfd_get_file_size in objdump
Compressed debug sections can have uncompressed sizes that exceed the
original file size, so we can't use bfd_get_file_size. objdump also
used bfd_get_file_size to limit reloc section size, but I believe the
underlying bug causing the PR22508 out of bounds buffer access was
that we had an integer overflow when calculating the reloc buffer
size. I've fixed that instead in most of the backends, som and
vms-alpha being the exceptions. SOM and vmd-alpha have rather more
serious bugs in their slurp_relocs routines that would need fixing
first if we want to fuss about making them safe against fuzzed object
files.
The patch also fixes a number of other potential overflows by using
the bfd_alloc2/malloc2/zalloc2 memory allocation functions.
bfd/
* coffcode.h (buy_and_read): Delete unnecessary forward decl. Add
nmemb parameter. Use bfd_alloc2.
(coff_slurp_line_table): Use bfd_alloc2. Update buy_and_read calls.
Delete assertion.
(coff_slurp_symbol_table): Use bfd_alloc2 and bfd_zalloc2.
(coff_slurp_reloc_table): Use bfd_alloc2. Update buy_and_read calls.
* coffgen.c (coff_get_reloc_upper_bound): Ensure size calculation
doesn't overflow.
* elf.c (bfd_section_from_shdr): Use bfd_zalloc2. Style fix.
(assign_section_numbers): Style fix.
(swap_out_syms): Use bfd_malloc2.
(_bfd_elf_get_reloc_upper_bound): Ensure size calculation doesn't
overflow.
(_bfd_elf_make_empty_symbol): Style fix.
(elfobj_grok_stapsdt_note_1): Formatting.
* elfcode.h (elf_object_p): Use bfd_alloc2.
(elf_write_relocs, elf_write_shdrs_and_ehdr): Likewise.
(elf_slurp_symbol_table): Use bfd_zalloc2.
(elf_slurp_reloc_table): Use bfd_alloc2.
(_bfd_elf_bfd_from_remote_memory): Use bfd_malloc2.
* elf64-sparc (elf64_sparc_get_reloc_upper_bound): Ensure
size calculation doesn't overflow.
(elf64_sparc_get_dynamic_reloc_upper_bound): Likewise.
* mach-o.c (bfd_mach_o_get_reloc_upper_bound): Likewise.
* pdp11.c (get_reloc_upper_bound): Copy aoutx.h version.
binutils/
* objdump.c (load_specific_debug_section): Don't compare section
size against file size.
(dump_relocs_in_section): Don't compare reloc size against file size.
Print "failed to read relocs" on bfd_get_reloc_upper_bound error.
Diffstat (limited to 'binutils')
| -rw-r--r-- | binutils/ChangeLog | 7 | ||||
| -rw-r--r-- | binutils/objdump.c | 37 |
2 files changed, 16 insertions, 28 deletions
diff --git a/binutils/ChangeLog b/binutils/ChangeLog index 605a7b3..d62f94a 100644 --- a/binutils/ChangeLog +++ b/binutils/ChangeLog @@ -1,3 +1,10 @@ +2019-03-12 Alan Modra <amodra@gmail.com> + + * objdump.c (load_specific_debug_section): Don't compare section + size against file size. + (dump_relocs_in_section): Don't compare reloc size against file size. + Print "failed to read relocs" on bfd_get_reloc_upper_bound error. + 2019-03-05 Nick Clifton <nickc@redhat.com> PR 24295 diff --git a/binutils/objdump.c b/binutils/objdump.c index ab091c1..3ef2716 100644 --- a/binutils/objdump.c +++ b/binutils/objdump.c @@ -2695,7 +2695,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, section->user_data = sec; section->size = bfd_get_section_size (sec); amt = section->size + 1; - if (amt == 0 || amt > bfd_get_file_size (abfd)) + if (amt == 0) { section->start = NULL; free_debug_section (debug); @@ -3640,47 +3640,28 @@ dump_relocs_in_section (bfd *abfd, || ((section->flags & SEC_RELOC) == 0)) return; - relsize = bfd_get_reloc_upper_bound (abfd, section); - if (relsize < 0) - bfd_fatal (bfd_get_filename (abfd)); - printf ("RELOCATION RECORDS FOR [%s]:", sanitize_string (section->name)); + relsize = bfd_get_reloc_upper_bound (abfd, section); if (relsize == 0) { printf (" (none)\n\n"); return; } - if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 - && (/* Check that the size of the relocs is reasonable. Note that some - file formats, eg aout, can have relocs whose internal size is - larger than their external size, thus we check the size divided - by four against the file size. See PR 23931 for an example of - this. */ - ((ufile_ptr) (relsize / 4) > bfd_get_file_size (abfd)) - /* Also check the section's reloc count since if this is negative - (or very large) the computation in bfd_get_reloc_upper_bound - may have resulted in returning a small, positive integer. - See PR 22508 for a reproducer. - - Note - we check against file size rather than section size as - it is possible for there to be more relocs that apply to a - section than there are bytes in that section. */ - || (section->reloc_count > bfd_get_file_size (abfd)))) + if (relsize < 0) + relcount = relsize; + else { - printf (" (too many: %#x relocs)\n", section->reloc_count); - bfd_set_error (bfd_error_file_truncated); - bfd_fatal (bfd_get_filename (abfd)); + relpp = (arelent **) xmalloc (relsize); + relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); } - relpp = (arelent **) xmalloc (relsize); - relcount = bfd_canonicalize_reloc (abfd, section, relpp, syms); - if (relcount < 0) { printf ("\n"); - non_fatal (_("failed to read relocs in: %s"), sanitize_string (bfd_get_filename (abfd))); + non_fatal (_("failed to read relocs in: %s"), + sanitize_string (bfd_get_filename (abfd))); bfd_fatal (_("error message was")); } else if (relcount == 0) |