This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.
[binutils-gdb/users/hjl/linux/master] Fix memory access violations triggered by running sysdump on fuzzed binaries.
- From: H.J.Lu <hjl at sourceware dot org>
- To: bfd-cvs at sourceware dot org
- Date: 11 Jan 2015 16:22:41 -0000
- Subject: [binutils-gdb/users/hjl/linux/master] Fix memory access violations triggered by running sysdump on fuzzed binaries.
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=848cde35d61874521ad6c88a50f983d5ee7d2307
commit 848cde35d61874521ad6c88a50f983d5ee7d2307
Author: Nick Clifton <nickc@redhat.com>
Date: Thu Jan 8 13:52:42 2015 +0000
Fix memory access violations triggered by running sysdump on fuzzed binaries.
PR binutils/17512
* sysdump.c (getINT): Fail if reading off the end of the buffer.
Replace call to abort with a call to fatal.
(getCHARS): Prevent reading off the end of the buffer.
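As an added illustration of the bounds-checking problem this commit addresses (example code written for this page, not code from binutils or from the author): a small reader in the style of sysdump's getINT/getCHARS, with a bit-offset index `*idx` and a byte-length `max`, that bounds the whole field rather than only its first byte, bounds both the length byte and the body of a length-prefixed string, and stops a record loop on truncated input instead of spinning. The names get_int, get_chars, ADDRSIZE and the RD_* codes, and the sample bytes, are constructed for the example.

```c
/* Added example, not binutils code.  Bounds-checked reader in the style of
 * sysdump.c's getINT/getCHARS: *idx is a bit offset into ptr, max is the
 * buffer length in bytes, size a field width in bytes.  All names here are
 * illustrative assumptions. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ADDRSIZE 4               /* stand-in for sysdump's addrsize */

enum { RD_OK = 0, RD_TRUNCATED = -1, RD_BADSIZE = -2, RD_TOOLONG = -3 };

/* The kind of check the patch adds: only the first byte is bounded.  A
 * 4-byte field starting at byte max-1 still reads ptr[max..max+2]. */
static int first_byte_in_bounds(int byte, int size, int max)
{
    (void) size;
    return byte >= 0 && byte < max;
}

/* The check to ask for in review: the whole field must fit.  Computed in
 * size_t so a hostile idx cannot wrap a signed addition back into range. */
static int field_in_bounds(int byte, int size, int max)
{
    return byte >= 0 && size >= 0 && max >= 0
        && (size_t) byte + (size_t) size <= (size_t) max;
}

/* Big-endian read of size bytes at bit offset *idx.  On success stores the
 * value, advances *idx and returns RD_OK; on error leaves both untouched so
 * a caller can stop instead of re-reading the same offset forever. */
static int get_int(const unsigned char *ptr, int *idx, int size, int max,
                   uint32_t *out)
{
    int byte = *idx / 8, i;
    uint32_t n = 0;

    if (size == -2)
        size = ADDRSIZE;
    if (size != 1 && size != 2 && size != 4)
        return RD_BADSIZE;         /* sysdump's default: case */
    if (!field_in_bounds(byte, size, max))
        return RD_TRUNCATED;       /* corrupt/truncated input, not an ICE */
    for (i = 0; i < size; i++)
        n = (n << 8) | ptr[byte + i];
    *out = n;
    *idx += size * 8;
    return RD_OK;
}

/* Length-prefixed string: one length byte, then that many bytes.  Both the
 * length byte (the PR 17512 getCHARS case) and the body are bounded. */
static int get_chars(const unsigned char *ptr, int *idx, int max,
                     char *dst, size_t dstlen)
{
    int oc = *idx / 8;
    unsigned len;

    if (!field_in_bounds(oc, 1, max))
        return RD_TRUNCATED;       /* no length byte left to read */
    len = ptr[oc];
    if (!field_in_bounds(oc + 1, (int) len, max))
        return RD_TRUNCATED;       /* length promises more than exists */
    if (len >= dstlen)
        return RD_TOOLONG;         /* would overflow the caller's buffer */
    memcpy(dst, ptr + oc + 1, len);
    dst[len] = '\0';
    *idx += 8 + 8 * (int) len;
    return RD_OK;
}

/* Read consecutive 4-byte records until the data runs out.  Terminates on
 * a fuzzed/truncated tail because get_int refuses to advance past max. */
static int count_records(const unsigned char *ptr, int max)
{
    int idx = 0, count = 0;
    uint32_t v;

    while (get_int(ptr, &idx, 4, max, &v) == RD_OK)
        count++;
    return count;
}

/* Constructed sample: 4-byte int 42, the string "abc", one byte 0x12.
 * 9 bytes total, so a 4-byte read starting at byte 8 must fail. */
static const unsigned char sample[] = {
    0x00, 0x00, 0x00, 0x2a, 0x03, 'a', 'b', 'c', 0x12
};
static const int sample_len = (int) sizeof sample;

int main(void)
{
    int idx = 0;
    uint32_t v = 0;
    char s[16];

    get_int(sample, &idx, -2, sample_len, &v);
    get_chars(sample, &idx, sample_len, s, sizeof s);
    printf("int=%u str=%s records=%d\n", v, s,
           count_records(sample, sample_len));
    printf("4-byte read at byte 8: weak check=%d strict check=%d\n",
           first_byte_in_bounds(8, 4, sample_len),
           field_in_bounds(8, 4, sample_len));
    return 0;
}
```

The contrast between `first_byte_in_bounds` and `field_in_bounds` is the point to carry back to the patch: a `byte >= max` test at the top of a multi-byte read still lets the last field of a truncated file run up to three bytes past the buffer.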
Diff:
---
binutils/ChangeLog | 4 ++++
binutils/sysdump.c | 14 ++++++++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index cfad0f7..d6c3070 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,6 +1,10 @@
2015-01-08 Nick Clifton <nickc@redhat.com>
PR binutils/17512
+ * sysdump.c (getINT): Fail if reading off the end of the buffer.
+ Replace call to abort with a call to fatal.
+ (getCHARS): Prevetn reading off the end of the buffer.
+
* nlmconv.c (i386_mangle_relocs): Skip relocs without an
associated symbol.
(powerpc_mangle_relocs): Skip unrecognised relocs. Check address
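Review bot: typo in the new getCHARS ChangeLog line, "Prevetn" should read "Prevent"; the same misspelling appears in the commit message. The entry also does not mention the module () change made later in this patch, so add a line for it.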
diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 37dd162..ac350e1 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max)
if (b == 0)
{
+ /* PR 17512: file: 13caced2. */
+ if (oc >= max)
+ return _("*corrupt*");
/* Got to work out the length of the string from self. */
b = ptr[oc++];
(*idx) += 8;
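Review bot: the new `oc >= max` check guards only the length byte; the copy of `b` bytes that follows (outside this hunk) must also be bounded, since a length byte near the end of the buffer can still promise more bytes than remain before `max`. Also, returning `_("*corrupt*")` leaves `*idx` unchanged, so a caller that loops on `*idx` can re-read the same position, the very spin the getINT hunk guards against with `fatal`; either advance `*idx` here or fail hard as getINT does, and pick one of the two error styles for both functions.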
@@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
int byte = *idx / 8;
if (byte >= max)
- return 0;
+ {
+ /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45. */
+ /* Prevent infinite loops re-reading beyond the end of the buffer. */
+ fatal (_("ICE: getINT: Out of buffer space"));
+ return 0;
+ }
if (size == -2)
size = addrsize;
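Review bot: `byte >= max` bounds only the first byte of the field; the 4-byte case further down reads `ptr[byte + 3]`, so a field starting at byte `max - 1` still runs three bytes past the buffer. Move the check below the `size == -2` resolution and test the full width, e.g. `if (byte + size > max)` (`size` is in bytes, as `*idx += size * 8` shows). Two smaller points: the message "ICE: getINT: Out of buffer space" labels a corrupt-input condition as an internal error, which misleads users and fuzz triage; something like "corrupt input: read past end of buffer" fits better. And if `fatal` does not return, as its use in place of `abort` suggests, the `return 0;` after it is unreachable (harmless if kept only to quiet the compiler).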
@@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
break;
default:
- abort ();
+ fatal (_("Unsupported read size: %d"), size);
}
*idx += size * 8;
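Review bot: the new `fatal` in the default case would be more useful for triaging fuzzer output if it included where the bad width was met, e.g. `fatal (_("Unsupported read size %d at bit offset %d"), size, *idx);`. Note that by this point `size == -2` has already been rewritten to `addrsize`, so this path also fires for an unsupported `addrsize`, which the message does not make obvious.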
@@ -615,6 +623,8 @@ module (void)
do
{
c = getc (file);
+ if (c == EOF)
+ break;
ungetc (c, file);
c &= 0x7f;
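Review bot: the `break` on EOF is silent, whereas getINT in this same patch treats running out of input as fatal; a warning that the file ended inside a module would help users tell a truncated file from a complete one and keeps the two paths consistent. The hunk could also carry a one-line comment on why it is needed: before the change, `ungetc (EOF, file)` was a no-op and `c &= 0x7f` turned EOF into 0x7f, so the loop never saw the end of file.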