authorNick Clifton <nickc@redhat.com>2014-11-21 21:44:04 +0000
committerNick Clifton <nickc@redhat.com>2014-11-21 21:44:04 +0000
commit0a9d414aa114b7b7e609cbcbc285f79031bbe608 (patch)
treebca8497bf5147c53a4fd786ecf96c44a83906418 /bfd/ieee.c
parent5974eba65b82912621ac68f2c0ff844efbd02b25 (diff)
Fixes for memory access violations exposed by fuzzinf various binaries.
PR binutils/17512 * dwarf.c (get_encoded_value): Check for an encoded size of 0. (display_debug_lines_raw): Check for an invalid line range value. (display_debug_frames): Check for corrupt augmentation data. * coffgen.c (coff_get_normalized_symtab): Check for an excessive number of auxiliary entries. * ieee.c (next_byte): Convert to a function. Return FALSE if the next byte is beyond the end of the buffer. (parse_int): Test the return value of next_byte. (parse_expression): Convert to boolean. Return FALSE if the parsing failed. Test the return value of next_byte. (ieee_seek): Convert to a function. Return FALSE if the seek goes beyond the end of the buffer. (ieee_slurp_external_symbols): Test the return value of ieee_seek and next_byte. (ieee_slurp_sections): Convert to boolean. Return FALSE if the operation failed. Test the return value of ieee_seek and next_byte. (ieee_archive_p): Test the return value of ieee_seek and next_byte. (do_one): Likewise. (ieee_slurp_section_data): Likewise. (ieee_object_p): Likewise. Store the size of the buffer in the total_amt field in the header. * libieee.h (common_header_type): Add amt field. * mach-o.c (bfd_mach_o_canonicalize_one_reloc): Check that the reloc's value is within range. (bfd_mach_o_read_symtab_symbols): Nullify the symbols field if the operation fails. * pei-x86_64.c (pex64_xdata_print_uwd_codes): Replace abort with an error message. (pex64_dump_xdata): Check for buffer overflows. * versados.c (process_otr): Check that the section exists before taking its size. (versados_object_p): Make sure that enough data was read for the header to be checked. * vms-alpha.c (vms_get_remaining_object_record): Change read_so_far parameter to an unsigned int. Check that the amount read is in range.
Diffstat (limited to 'bfd/ieee.c')
-rw-r--r--bfd/ieee.c261
1 files changed, 176 insertions, 85 deletions
diff --git a/bfd/ieee.c b/bfd/ieee.c
index 313834e7f7..70ce4c5cc0 100644
--- a/bfd/ieee.c
+++ b/bfd/ieee.c
@@ -170,9 +170,16 @@ ieee_write_id (bfd *abfd, const char *id)
standard requires. */
#define this_byte(ieee) *((ieee)->input_p)
-#define next_byte(ieee) ((ieee)->input_p++)
#define this_byte_and_next(ieee) (*((ieee)->input_p++))
+static bfd_boolean
+next_byte (common_header_type * ieee)
+{
+ ieee->input_p++;
+
+ return ieee->input_p < ieee->last_byte;
+}
+
static unsigned short
read_2bytes (common_header_type *ieee)
{
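Review bot: The new next_byte has no comment stating its contract, and the contract is subtle: it returns FALSE as soon as input_p reaches last_byte, i.e. after the final byte of the part has been consumed even though nothing has been read out of range, and callers such as parse_int treat that FALSE as a hard failure. It also relies on last_byte having been set for the buffer input_p points into; a caller that resets input_p without resetting last_byte gets a check against the wrong bound. I would add above the definition: `/* Advance to the next input byte.  Return FALSE once INPUT_P has reached LAST_BYTE, i.e. when this_byte may no longer be used.  LAST_BYTE must have been set for the current buffer (see ieee_seek).  */`. Note also that this_byte_and_next at L25 still advances with no bound check, so every reader that uses it remains unguarded.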
@@ -348,15 +355,15 @@ parse_int (common_header_type *ieee, bfd_vma *value_ptr)
if (value >= 0 && value <= 127)
{
*value_ptr = value;
- next_byte (ieee);
- return TRUE;
+ return next_byte (ieee);
}
else if (value >= 0x80 && value <= 0x88)
{
unsigned int count = value & 0xf;
result = 0;
- next_byte (ieee);
+ if (! next_byte (ieee))
+ return FALSE;
while (count)
{
result = (result << 8) | this_byte_and_next (ieee);
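Review bot: The check added before the loop guards only the byte after the length prefix; the loop itself then consumes `count` further bytes (up to 8 for value 0x88) through this_byte_and_next, which has no bound, so a record whose length prefix is followed by fewer than `count` bytes still reads past last_byte. A single check before the `while` closes that: `if ((size_t) (ieee->last_byte - ieee->input_p) < count) return FALSE;`. parse_int continues past the end of this hunk.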
@@ -496,7 +503,7 @@ static reloc_howto_type rel8_howto =
static ieee_symbol_index_type NOSYMBOL = {0, 0};
-static void
+static bfd_boolean
parse_expression (ieee_data_type *ieee,
bfd_vma *value,
ieee_symbol_index_type *symbol,
@@ -529,68 +536,83 @@ parse_expression (ieee_data_type *ieee,
{
int section_n;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
*pcrel = TRUE;
section_n = must_parse_int (&(ieee->h));
(void) section_n;
PUSH (NOSYMBOL, bfd_abs_section_ptr, 0);
break;
}
+
case ieee_variable_L_enum:
/* L variable address of section N. */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
PUSH (NOSYMBOL, ieee->section_table[must_parse_int (&(ieee->h))], 0);
break;
+
case ieee_variable_R_enum:
/* R variable, logical address of section module. */
/* FIXME, this should be different to L. */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
PUSH (NOSYMBOL, ieee->section_table[must_parse_int (&(ieee->h))], 0);
break;
+
case ieee_variable_S_enum:
/* S variable, size in MAUS of section module. */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
PUSH (NOSYMBOL,
0,
ieee->section_table[must_parse_int (&(ieee->h))]->size);
break;
+
case ieee_variable_I_enum:
/* Push the address of variable n. */
{
ieee_symbol_index_type sy;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
sy.index = (int) must_parse_int (&(ieee->h));
sy.letter = 'I';
PUSH (sy, bfd_abs_section_ptr, 0);
}
break;
+
case ieee_variable_X_enum:
/* Push the address of external variable n. */
{
ieee_symbol_index_type sy;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
+
sy.index = (int) (must_parse_int (&(ieee->h)));
sy.letter = 'X';
PUSH (sy, bfd_und_section_ptr, 0);
}
break;
+
case ieee_function_minus_enum:
{
bfd_vma value1, value2;
asection *section1, *section_dummy;
ieee_symbol_index_type sy;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
POP (sy, section1, value1);
POP (sy, section_dummy, value2);
PUSH (sy, section1 ? section1 : section_dummy, value2 - value1);
}
break;
+
case ieee_function_plus_enum:
{
bfd_vma value1, value2;
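Review bot: The index returned by must_parse_int is used directly as a subscript into ieee->section_table at L80, L89 and L99, and the new next_byte checks only establish that the opcode byte itself was inside the buffer, not that the index that follows is within the table. Elsewhere in this file the same index is compared against ieee->section_count (see L367), so the same bound should be applied here before the lookup; presumably the table is sized from section_count, but that is not visible in the hunk. I would hoist the index into a local and reject it, e.g. `section_n = must_parse_int (&(ieee->h)); if (section_n > ieee->section_count) return FALSE;`, at each of the three sites. parse_expression begins before this hunk and continues after it.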
@@ -599,7 +621,8 @@ parse_expression (ieee_data_type *ieee,
ieee_symbol_index_type sy1;
ieee_symbol_index_type sy2;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
POP (sy1, section1, value1);
POP (sy2, section2, value2);
@@ -608,6 +631,7 @@ parse_expression (ieee_data_type *ieee,
value1 + value2);
}
break;
+
default:
{
bfd_vma va;
@@ -644,17 +668,9 @@ parse_expression (ieee_data_type *ieee,
POP (*symbol, dummy, *value);
if (section)
*section = dummy;
-}
-
-#define ieee_seek(ieee, offset) \
- do \
- { \
- ieee->h.input_p = ieee->h.first_byte + offset; \
- ieee->h.last_byte = (ieee->h.first_byte \
- + ieee_part_after (ieee, offset)); \
- } \
- while (0)
+ return TRUE;
+}
#define ieee_pos(ieee) \
(ieee->h.input_p - ieee->h.first_byte)
@@ -676,6 +692,22 @@ ieee_part_after (ieee_data_type *ieee, file_ptr here)
return after;
}
+static bfd_boolean
+ieee_seek (ieee_data_type * ieee, file_ptr offset)
+{
+ /* PR 17512: file: 017-1157-0.004. */
+ if (offset < 0 || (bfd_size_type) offset >= ieee->h.total_amt)
+ {
+ ieee->h.input_p = ieee->h.first_byte + ieee->h.total_amt;
+ ieee->h.last_byte = ieee->h.input_p;
+ return FALSE;
+ }
+
+ ieee->h.input_p = ieee->h.first_byte + offset;
+ ieee->h.last_byte = (ieee->h.first_byte + ieee_part_after (ieee, offset));
+ return TRUE;
+}
+
static unsigned int last_index;
static char last_type; /* Is the index for an X or a D. */
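Review bot: The new range check in ieee_seek validates `offset` against total_amt, but last_byte is still computed from ieee_part_after, and nothing here clamps that result to the buffer; if ieee_part_after can return a position past total_amt (its body is outside this hunk, so this is inferred), next_byte's comparison against last_byte no longer bounds reads to the bytes actually read. Two lines after the assignment would make the bound authoritative: `if (ieee->h.last_byte > ieee->h.first_byte + ieee->h.total_amt) ieee->h.last_byte = ieee->h.first_byte + ieee->h.total_amt;`. It would also help to document that total_amt must be set before the first ieee_seek, since a zero total_amt makes every seek fail.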
@@ -730,14 +762,16 @@ ieee_slurp_external_symbols (bfd *abfd)
last_index = 0xffffff;
ieee->symbol_table_full = TRUE;
- ieee_seek (ieee, offset);
+ if (! ieee_seek (ieee, offset))
+ return FALSE;
while (loop)
{
switch (this_byte (&(ieee->h)))
{
case ieee_nn_record:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
symbol = get_symbol (abfd, ieee, symbol, &symbol_count,
& prev_symbols_ptr,
@@ -750,8 +784,10 @@ ieee_slurp_external_symbols (bfd *abfd)
symbol->symbol.udata.p = NULL;
symbol->symbol.flags = BSF_NO_FLAGS;
break;
+
case ieee_external_symbol_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
symbol = get_symbol (abfd, ieee, symbol, &symbol_count,
&prev_symbols_ptr,
@@ -842,6 +878,7 @@ ieee_slurp_external_symbols (bfd *abfd)
}
}
break;
+
case ieee_value_record_enum >> 8:
{
unsigned int symbol_name_index;
@@ -849,17 +886,20 @@ ieee_slurp_external_symbols (bfd *abfd)
bfd_boolean pcrel_ignore;
unsigned int extra;
- next_byte (&(ieee->h));
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
symbol_name_index = must_parse_int (&(ieee->h));
(void) symbol_name_index;
- parse_expression (ieee,
- &symbol->symbol.value,
- &symbol_ignore,
- &pcrel_ignore,
- &extra,
- &symbol->symbol.section);
+ if (! parse_expression (ieee,
+ &symbol->symbol.value,
+ &symbol_ignore,
+ &pcrel_ignore,
+ &extra,
+ &symbol->symbol.section))
+ return FALSE;
/* Fully linked IEEE-695 files tend to give every symbol
an absolute value. Try to convert that back into a
@@ -892,7 +932,9 @@ ieee_slurp_external_symbols (bfd *abfd)
bfd_vma size;
bfd_vma value;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
+
/* Throw away the external reference index. */
(void) must_parse_int (&(ieee->h));
/* Fetch the default size if not resolved. */
@@ -907,7 +949,8 @@ ieee_slurp_external_symbols (bfd *abfd)
break;
case ieee_external_reference_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
symbol = get_symbol (abfd, ieee, symbol, &symbol_count,
&prev_reference_ptr,
@@ -1092,7 +1135,7 @@ get_section_entry (bfd *abfd, ieee_data_type *ieee, unsigned int sindex)
return ieee->section_table[sindex];
}
-static void
+static bfd_boolean
ieee_slurp_sections (bfd *abfd)
{
ieee_data_type *ieee = IEEE_DATA (abfd);
@@ -1103,7 +1146,9 @@ ieee_slurp_sections (bfd *abfd)
{
bfd_byte section_type[3];
- ieee_seek (ieee, offset);
+ if (! ieee_seek (ieee, offset))
+ return FALSE;
+
while (TRUE)
{
switch (this_byte (&(ieee->h)))
@@ -1113,7 +1158,8 @@ ieee_slurp_sections (bfd *abfd)
asection *section;
unsigned int section_index;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section_index = must_parse_int (&(ieee->h));
section = get_section_entry (abfd, ieee, section_index);
@@ -1132,22 +1178,26 @@ ieee_slurp_sections (bfd *abfd)
{
/* AS Absolute section attributes. */
case 0xD3:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section_type[2] = this_byte (&(ieee->h));
switch (section_type[2])
{
case 0xD0:
/* Normal code. */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section->flags |= SEC_CODE;
break;
case 0xC4:
/* Normal data. */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section->flags |= SEC_DATA;
break;
case 0xD2:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
/* Normal rom data. */
section->flags |= SEC_ROM | SEC_DATA;
break;
@@ -1164,15 +1214,18 @@ ieee_slurp_sections (bfd *abfd)
switch (section_type[1])
{
case 0xD0: /* Normal code (CP). */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section->flags |= SEC_CODE;
break;
case 0xC4: /* Normal data (CD). */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section->flags |= SEC_DATA;
break;
case 0xD2: /* Normal rom data (CR). */
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section->flags |= SEC_ROM | SEC_DATA;
break;
default:
@@ -1201,7 +1254,8 @@ ieee_slurp_sections (bfd *abfd)
bfd_vma value;
asection *section;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section_index = must_parse_int (&ieee->h);
section = get_section_entry (abfd, ieee, section_index);
if (section_index > ieee->section_count)
@@ -1251,15 +1305,17 @@ ieee_slurp_sections (bfd *abfd)
(void) must_parse_int (&(ieee->h));
break;
default:
- return;
+ return TRUE;
}
}
break;
default:
- return;
+ return TRUE;
}
}
}
+
+ return TRUE;
}
/* Make a section for the debugging information, if any. We don't try
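Review bot: The function now returns TRUE on success and FALSE on failure, but the only call site visible on this page inverts that sense: `if (ieee_slurp_sections (abfd)) goto fail;` at L617 in ieee_object_p, which would make every well-formed object fail and let a truncated one continue. The call should read `if (! ieee_slurp_sections (abfd)) goto fail;`. The `return TRUE` at L373 and L379 on an unrecognised byte preserves the old early exit, but a one-line comment there saying that an unknown record type ends section parsing rather than signalling corruption would stop the next reader from "fixing" it.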
@@ -1323,7 +1379,8 @@ ieee_archive_p (bfd *abfd)
if (this_byte (&(ieee->h)) != Module_Beginning)
goto got_wrong_format_error;
- next_byte (&(ieee->h));
+ (void) next_byte (&(ieee->h));
+
library = read_id (&(ieee->h));
if (strcmp (library, "LIBRARY") != 0)
goto got_wrong_format_error;
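Review bot: Casting next_byte's result to void at L391 discards exactly the check this commit introduces, and read_id at L393 then reads from input_p regardless; the same pattern appears at L400 in the next hunk and at L408 in the one after. Since got_wrong_format_error is already the error path here, the call can be checked with no new cleanup: `if (! next_byte (&(ieee->h))) goto got_wrong_format_error;`. Whether read_id and must_parse_int have their own bounds is not visible in this hunk, so if they do not, the discarded result is the only protection.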
@@ -1334,7 +1391,7 @@ ieee_archive_p (bfd *abfd)
ieee->element_count = 0;
ieee->element_index = 0;
- next_byte (&(ieee->h)); /* Drop the ad part. */
+ (void) next_byte (&(ieee->h)); /* Drop the ad part. */
must_parse_int (&(ieee->h)); /* And the two dummy numbers. */
must_parse_int (&(ieee->h));
@@ -1407,8 +1464,9 @@ ieee_archive_p (bfd *abfd)
ieee->h.first_byte = buffer;
ieee->h.input_p = buffer;
- next_byte (&(ieee->h)); /* Drop F8. */
- next_byte (&(ieee->h)); /* Drop 14. */
+ (void) next_byte (&(ieee->h)); /* Drop F8. */
+ if (! next_byte (&(ieee->h))) /* Drop 14. */
+ goto error_return;
must_parse_int (&(ieee->h)); /* Drop size of block. */
if (must_parse_int (&(ieee->h)) != 0)
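Review bot: The lines at L404-L405 point first_byte and input_p at `buffer`, but last_byte is not updated in the visible lines, so the checked next_byte at L409 compares against whatever last_byte held for the previous buffer; presumably that was set by an earlier seek on the file-wide buffer, in which case the check can pass for a position well beyond this local buffer. After the two assignments I would set the bound explicitly, `ieee->h.last_byte = buffer + sizeof (buffer);`, assuming `buffer` is an array declared in this function (its declaration is outside the hunk). The body of ieee_archive_p continues past the end of this hunk.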
@@ -1467,7 +1525,8 @@ do_one (ieee_data_type *ieee,
unsigned int number_of_maus;
unsigned int i;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
number_of_maus = must_parse_int (&(ieee->h));
for (i = 0; i < number_of_maus; i++)
@@ -1482,7 +1541,8 @@ do_one (ieee_data_type *ieee,
{
bfd_boolean loop = TRUE;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
while (loop)
{
switch (this_byte (&(ieee->h)))
@@ -1505,13 +1565,16 @@ do_one (ieee_data_type *ieee,
*(current_map->reloc_tail_ptr) = r;
current_map->reloc_tail_ptr = &r->next;
r->next = (ieee_reloc_type *) NULL;
- next_byte (&(ieee->h));
-/* abort();*/
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
+
r->relent.sym_ptr_ptr = 0;
- parse_expression (ieee,
- &r->relent.addend,
- &r->symbol,
- &pcrel, &extra, &section);
+ if (! parse_expression (ieee,
+ &r->relent.addend,
+ &r->symbol,
+ &pcrel, &extra, &section))
+ return FALSE;
+
r->relent.address = current_map->pc;
s->flags |= SEC_RELOC;
s->owner->flags |= HAS_RELOC;
@@ -1521,7 +1584,8 @@ do_one (ieee_data_type *ieee,
if (this_byte (&(ieee->h)) == (int) ieee_comma)
{
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
/* Fetch number of bytes to pad. */
extra = must_parse_int (&(ieee->h));
};
@@ -1529,13 +1593,16 @@ do_one (ieee_data_type *ieee,
switch (this_byte (&(ieee->h)))
{
case ieee_function_signed_close_b_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
break;
case ieee_function_unsigned_close_b_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
break;
case ieee_function_either_close_b_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
break;
default:
break;
@@ -1634,7 +1701,8 @@ do_one (ieee_data_type *ieee,
for (i = 0; i < this_size; i++)
{
location_ptr[current_map->pc++] = this_byte (&(ieee->h));
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
}
}
else
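Review bot: The loop at L483-L489 is now bounded on the input side by next_byte, but the write `location_ptr[current_map->pc++]` is not bounded on the output side by the section size in anything visible here; if pc is only checked by the BFD_ASSERT in ieee_slurp_section_data (L538), a crafted pc followed by a long run can still write past the section contents. A guard before the loop, `if (current_map->pc + this_size > s->size) return FALSE;`, would close that, assuming location_ptr holds exactly s->size bytes, which the hunk does not show. do_one starts before and continues after this hunk.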
@@ -1667,7 +1735,9 @@ ieee_slurp_section_data (bfd *abfd)
if (ieee->read_data)
return TRUE;
ieee->read_data = TRUE;
- ieee_seek (ieee, ieee->w.r.data_part);
+
+ if (! ieee_seek (ieee, ieee->w.r.data_part))
+ return FALSE;
/* Allocate enough space for all the section contents. */
for (s = abfd->sections; s != (asection *) NULL; s = s->next)
@@ -1693,7 +1763,8 @@ ieee_slurp_section_data (bfd *abfd)
return TRUE;
case ieee_set_current_section_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
section_number = must_parse_int (&(ieee->h));
s = ieee->section_table[section_number];
s->flags |= SEC_LOAD | SEC_HAS_CONTENTS;
@@ -1706,7 +1777,8 @@ ieee_slurp_section_data (bfd *abfd)
break;
case ieee_e2_first_byte_enum:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
switch (this_byte (&(ieee->h)))
{
case ieee_set_current_pc_enum & 0xff:
@@ -1716,21 +1788,28 @@ ieee_slurp_section_data (bfd *abfd)
unsigned int extra;
bfd_boolean pcrel;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
must_parse_int (&(ieee->h)); /* Throw away section #. */
- parse_expression (ieee, &value,
- &symbol,
- &pcrel, &extra,
- 0);
+ if (! parse_expression (ieee, &value,
+ &symbol,
+ &pcrel, &extra,
+ 0))
+ return FALSE;
+
current_map->pc = value;
BFD_ASSERT ((unsigned) (value - s->vma) <= s->size);
}
break;
case ieee_value_starting_address_enum & 0xff:
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
if (this_byte (&(ieee->h)) == ieee_function_either_open_b_enum)
- next_byte (&(ieee->h));
+ {
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
+ }
abfd->start_address = must_parse_int (&(ieee->h));
/* We've got to the end of the data now - */
return TRUE;
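Review bot: After the now-checked parse_expression at L531-L535, the value written to current_map->pc at L537 is validated only by the BFD_ASSERT at L538, and unless BFD_ASSERT aborts in this build it merely reports and continues, so an out-of-range pc still reaches the writes in do_one. Now that the function has a FALSE return path, that check can be made real: `if (value < s->vma || value - s->vma > s->size) return FALSE;` in place of the assertion. ieee_slurp_section_data continues past the end of this hunk.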
@@ -1748,7 +1827,8 @@ ieee_slurp_section_data (bfd *abfd)
unsigned int iterations;
unsigned char *start;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
iterations = must_parse_int (&(ieee->h));
start = ieee->h.input_p;
if (start[0] == (int) ieee_load_constant_bytes_enum
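Review bot: start[0], and in the next hunk start[1] and start[2] (L564), are read before the three next_byte calls at L570-L573 that are meant to bound them, so when fewer than three bytes remain after `start` the reads at L562-L564 already run past last_byte before any check fires. A length check on the slice itself, placed after `start = ieee->h.input_p;`, fixes the order: `if (ieee->h.last_byte - start < 3) return FALSE;`. The condition at L562 continues on a line outside this hunk, so the full set of bytes it inspects is not visible here.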
@@ -1759,9 +1839,10 @@ ieee_slurp_section_data (bfd *abfd)
location_ptr[current_map->pc++] = start[2];
iterations--;
}
- next_byte (&(ieee->h));
- next_byte (&(ieee->h));
- next_byte (&(ieee->h));
+ (void) next_byte (&(ieee->h));
+ (void) next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ return FALSE;
}
else
{
@@ -1806,6 +1887,7 @@ ieee_object_p (bfd *abfd)
goto got_wrong_format;
ieee->h.input_p = buffer;
+ ieee->h.total_amt = sizeof (buffer);
if (this_byte_and_next (&(ieee->h)) != Module_Beginning)
goto got_wrong_format;
@@ -1901,7 +1983,8 @@ ieee_object_p (bfd *abfd)
if (this_byte (&(ieee->h)) != (int) ieee_address_descriptor_enum)
goto fail;
- next_byte (&(ieee->h));
+ if (! next_byte (&(ieee->h)))
+ goto fail;
if (! parse_int (&(ieee->h), &ieee->ad.number_of_bits_mau))
goto fail;
@@ -1912,7 +1995,10 @@ ieee_object_p (bfd *abfd)
/* If there is a byte order info, take it. */
if (this_byte (&(ieee->h)) == (int) ieee_variable_L_enum
|| this_byte (&(ieee->h)) == (int) ieee_variable_M_enum)
- next_byte (&(ieee->h));
+ {
+ if (! next_byte (&(ieee->h)))
+ goto fail;
+ }
for (part = 0; part < N_W_VARIABLES; part++)
{
@@ -1943,12 +2029,17 @@ ieee_object_p (bfd *abfd)
goto fail;
if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0)
goto fail;
+
/* FIXME: Check return value. I'm not sure whether it needs to read
the entire buffer or not. */
- bfd_bread ((void *) (IEEE_DATA (abfd)->h.first_byte),
- (bfd_size_type) ieee->w.r.me_record + 1, abfd);
+ amt = bfd_bread ((void *) (IEEE_DATA (abfd)->h.first_byte),
+ (bfd_size_type) ieee->w.r.me_record + 1, abfd);
+ if (amt <= 0)
+ goto fail;
- ieee_slurp_sections (abfd);
+ IEEE_DATA (abfd)->h.total_amt = amt;
+ if (ieee_slurp_sections (abfd))
+ goto fail;
if (! ieee_slurp_debug (abfd))
goto fail;