This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.



[binutils-gdb] Fixes for memory access violations triggered by running readelf on fuzzed binaries.


https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03a91817f163986f10cb843f58e2f2cd9186e4f0

commit 03a91817f163986f10cb843f58e2f2cd9186e4f0
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Feb 10 17:13:31 2015 +0000

    Fixes for memory access violations triggered by running readelf on fuzzed binaries.
    
    	PR binutils/17531
    	* dwarf.c (process_debug_info): Zero the debug information array
    	since correct initialisation cannot be relied upon.
    	(process_cu_tu_index): Improve range checks.

Diff:
---
 binutils/ChangeLog |  5 +++++
 binutils/dwarf.c   | 11 +++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 93cab73..4befee3 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -17,6 +17,11 @@
 	li_prologue_length.
 	(eh_addr_size): Update prototype.
 
+	PR binutils/17531
+	* dwarf.c (process_debug_info): Zero the debug information array
+	since correct initialisation cannot be relied upon.
+	(process_cu_tu_index): Improve range checks.
+
 2015-02-09  Mark Wielaard  <mjw@redhat.com>
 
 	* dwarf.c (read_and_display_attr_value): Handle DW_LANG_Fortran03
diff --git a/binutils/dwarf.c b/binutils/dwarf.c
index 9daf315..426dca5 100644
--- a/binutils/dwarf.c
+++ b/binutils/dwarf.c
@@ -2304,6 +2304,13 @@ process_debug_info (struct dwarf_section *section,
 	  alloc_num_debug_info_entries = num_debug_info_entries = 0;
 	  return 0;
 	}
+      /* PR 17531: file: 92ca3797.
+	 We cannot rely upon the debug_information array being initialised
+	 before it is used.  A corrupt file could easily contain references
+	 to a unit for which information has not been made available.  So
+	 we ensure that the array is zeroed here.  */
+      memset (debug_information, 0, num_units * sizeof * debug_information);
+	 
       alloc_num_debug_info_entries = num_units;
     }
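Review bot: the memset only turns a read of an uninitialised entry into a read of a zeroed one; code that looks up a unit by index still needs a bounds check against num_debug_info_entries, because a unit number that lies outside the allocated array is not covered by this zeroing, and a unit that was never filled in will now yield NULL pointers and zero counts that consumers must tolerate. Two smaller points: the blank line added after the memset carries trailing whitespace (`+\t `) and should be stripped before commit, and if the allocation just above this hunk is a plain malloc it could be switched to a calloc-style allocation so the zeroing is part of the allocation rather than a separate pass.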
 
@@ -6913,7 +6920,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
   ppool = pindex + nslots * 4;
 
   /* PR 17531: file: 45d69832.  */
-  if (pindex < phash || ppool < phdr)
+  if (pindex < phash || ppool < phdr || (pindex == phash && nslots != 0))
     {
       warn (_("Section %s is too small for %d slots\n"),
 	    section->name, nslots);
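Review bot: the new `pindex == phash && nslots != 0` clause only catches the case where the slot arithmetic wrapped to exactly zero, and all three comparisons rely on pointers that may already have been advanced past the end of the section, which is undefined behaviour in C and can be optimised away. A more robust check is to compute the required size as integers before forming the pointers, e.g. comparing nslots against `(limit - phash) / per_slot_size` (the hash-entry size used to form pindex is outside this hunk; the 4 bytes per slot for the index table are visible in `ppool = pindex + nslots * 4`), and to reject a negative nslots explicitly if it is a signed int as the `%d` format suggests. The message `too small for %d slots` also no longer describes the wraparound case the added clause detects; a separate warning for an implausible slot count would be clearer.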
@@ -6930,7 +6937,7 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
       printf (_("  Number of slots:         %d\n\n"), nslots);
     }
 
-  if (ppool > limit)
+  if (ppool > limit || ppool < phdr)
     {
       warn (_("Section %s too small for %d hash table entries\n"),
 	    section->name, nslots);
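Review bot: the `ppool < phdr` test added here duplicates the one added a few lines earlier in the previous hunk; if that earlier warn path returns, this clause can never fire, and if it does not return, a corrupt file will now produce two warnings for the same condition. Either drop the clause here or make the first check return after warning, and consider one combined range check of pindex and ppool against phdr and limit in place of two partially overlapping ones.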

