[binutils-gdb] OOM in setup_group
Alan Modra
amodra@sourceware.org
Fri Jan 31 00:31:00 GMT 2020
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=327301a4604da40da264c554daa8c1e97aa2fbe2
commit 327301a4604da40da264c554daa8c1e97aa2fbe2
Author: Alan Modra <amodra@gmail.com>
Date: Fri Jan 31 00:53:59 2020 +1030
OOM in setup_group
We alloc, seek and read using section sizes in object files. Fuzzed
objects can have silly sizes, but that's OK if the system supports
memory over-commit. The read fails because we hit EOF and that
usually results in a graceful exit.
But if we memset before the read then the invalid size results in
attempting to write to a huge number of memory pages, and an eventual
Out Of Memory after probably swapping like crazy. So don't memset.
There really isn't a need to clear the section contents anyway. All
bytes are written with a good object file by the read and following
loop converting section index in target order to ELF section header
pointer, and the only untidy bytes are the 4 bytes past the group
flags when pointers are 8 bytes. Those don't matter but the patch
clears them for anyone poking around in a debugger. On error paths
it's as good to free section contents as it is to clear them.
Noticed when looking at PR4110 fourth test case.
PR 4110
* elf.c (setup_group): Don't clear entire section contents,
just the padding after group flags. Release alloc'd memory
after a seek or read failure.
Diff:
---
bfd/ChangeLog | 7 +++++++
bfd/elf.c | 6 +++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 30766c1..0061b6f 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2020-01-31 Alan Modra <amodra@gmail.com>
+
+ PR 4110
+ * elf.c (setup_group): Don't clear entire section contents,
+ just the padding after group flags. Release alloc'd memory
+ after a seek or read failure.
+
2020-01-16 Jon Turney <jon.turney@dronecode.org.uk>
* peXXigen.c (pe_is_repro): New function.
diff --git a/bfd/elf.c b/bfd/elf.c
index a8d98a6..5e6b9a0 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -676,8 +676,6 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
continue;
}
- memset (shdr->contents, 0, amt);
-
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size))
@@ -692,7 +690,8 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
/* PR 17510: If the group contents are even
partially corrupt, do not allow any of the
contents to be used. */
- memset (shdr->contents, 0, amt);
+ bfd_release (abfd, shdr->contents);
+ shdr->contents = NULL;
continue;
}
@@ -712,6 +711,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
idx = H_GET_32 (abfd, src);
if (src == shdr->contents)
{
+ dest->shdr = NULL;
dest->flags = idx;
if (shdr->bfd_section != NULL && (idx & GRP_COMDAT))
shdr->bfd_section->flags
More information about the Binutils-cvs
mailing list