


[binutils-gdb/users/hjl/linux/master] Fix memory access violations triggered by running sysdump on fuzzed binaries.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=848cde35d61874521ad6c88a50f983d5ee7d2307

commit 848cde35d61874521ad6c88a50f983d5ee7d2307
Author: Nick Clifton <nickc@redhat.com>
Date:   Thu Jan 8 13:52:42 2015 +0000

    Fix memory access violations triggered by running sysdump on fuzzed binaries.
    
    	PR binutils/17512
    	* sysdump.c (getINT): Fail if reading off the end of the buffer.
    	Replace call to abort with a call to fatal.
    	(getCHARS): Prevent reading off the end of the buffer.

Diff:
---
 binutils/ChangeLog |  4 ++++
 binutils/sysdump.c | 14 ++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index cfad0f7..d6c3070 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,6 +1,10 @@
 2015-01-08  Nick Clifton  <nickc@redhat.com>
 
 	PR binutils/17512
+	* sysdump.c (getINT): Fail if reading off the end of the buffer.
+	Replace call to abort with a call to fatal.
+	(getCHARS): Prevetn reading off the end of the buffer.
+
 	* nlmconv.c (i386_mangle_relocs): Skip relocs without an
 	associated symbol.
 	(powerpc_mangle_relocs): Skip unrecognised relocs.  Check address
diff --git a/binutils/sysdump.c b/binutils/sysdump.c
index 37dd162..ac350e1 100644
--- a/binutils/sysdump.c
+++ b/binutils/sysdump.c
@@ -66,6 +66,9 @@ getCHARS (unsigned char *ptr, int *idx, int size, int max)
 
   if (b == 0)
     {
+      /* PR 17512: file: 13caced2.  */
+      if (oc >= max)
+	return _("*corrupt*");
       /* Got to work out the length of the string from self.  */
       b = ptr[oc++];
       (*idx) += 8;
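Review bot: The new `oc >= max` check covers only the length byte read by `b = ptr[oc++]`; the `b` string bytes that getCHARS presumably copies afterwards are read outside this hunk, and nothing visible here bounds them against `max`. If that copy loop has no check of its own, add one right after the length is read, e.g. `if (oc + b > max) return _("*corrupt*");`, so a length byte larger than the remaining buffer cannot drive reads past the end. getCHARS begins and ends outside the hunk, so the existence of that later loop is inferred from the "work out the length of the string from self" comment rather than seen.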
@@ -166,7 +169,12 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
   int byte = *idx / 8;
 
   if (byte >= max)
-    return 0;
+    {
+      /* PR 17512: file: id:000001,src:000002,op:flip1,pos:45.  */
+      /* Prevent infinite loops re-reading beyond the end of the buffer.  */
+      fatal (_("ICE: getINT: Out of buffer space"));
+      return 0;
+    }
 
   if (size == -2)
     size = addrsize;
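Review bot: The `byte >= max` check guards only the first byte, but getINT reads `ptr[byte + 1]` up to `ptr[byte + 3]` for sizes 2 and 4 (visible in the next hunk), so a read starting within the last three bytes of the buffer still runs past `max`. A second check belongs after `size` is resolved on the `size = addrsize;` line: `if (size > max - byte) fatal (_("getINT: read of %d bytes runs past end of buffer"), size);`. The message `ICE: getINT: Out of buffer space` also labels a corrupt-input condition as an internal error, which will mislead anyone reporting it, and the `return 0;` after `fatal` is reachable only if `fatal` can return, which in binutils it presumably cannot. getINT's body continues beyond both hunks.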
@@ -188,7 +196,7 @@ getINT (unsigned char *ptr, int *idx, int size, int max)
       n = (ptr[byte + 0] << 24) + (ptr[byte + 1] << 16) + (ptr[byte + 2] << 8) + (ptr[byte + 3]);
       break;
     default:
-      abort ();
+      fatal (_("Unsupported read size: %d"), size);
     }
 
   *idx += size * 8;
@@ -615,6 +623,8 @@ module (void)
   do
     {
       c = getc (file);
+      if (c == EOF)
+	break;
       ungetc (c, file);
 
       c &= 0x7f;

