From patchwork Sat Mar 8 11:22:57 2025
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 107545
Date: Sat, 8 Mar 2025 21:52:57 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: bfd_elf_parse_attr_section_v1 buffer overflow

This function has a misleading parameter "contents", which usually means an entire section's contents is passed. However, in this case the actual section contents plus one is passed, leading to miscalculating the end of the buffer.

	* elf-attrs.c (bfd_elf_parse_attr_section_v1): Delete hdr and
	contents param.  Add p and p_end as params.
	(_bfd_elf_parse_attributes): Adjust to suit.

diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c
index a6a72369afd..e80575b9a55 100644
--- a/bfd/elf-attrs.c
+++ b/bfd/elf-attrs.c @@ -490,12 +490,8 @@ _bfd_elf_obj_attrs_arg_type (bfd *abfd, int vendor, unsigned int tag) } static void -bfd_elf_parse_attr_section_v1 (bfd *abfd, - Elf_Internal_Shdr * hdr, - bfd_byte *contents) +bfd_elf_parse_attr_section_v1 (bfd *abfd, bfd_byte *p, bfd_byte *p_end) { - bfd_byte *p = contents; - bfd_byte *p_end = p + hdr->sh_size; const char *std_sec = get_elf_backend_data (abfd)->obj_attrs_vendor; while (p_end - p >= 4) @@ -651,9 +647,9 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr) ++cursor; - bfd_elf_parse_attr_section_v1 (abfd, hdr, cursor); + bfd_elf_parse_attr_section_v1 (abfd, cursor, data + hdr->sh_size); -free_data: + free_data: free (data); }
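Review bot: the new signature `bfd_elf_parse_attr_section_v1 (bfd *abfd, bfd_byte *p, bfd_byte *p_end)` in the first hunk carries no comment stating that `p_end` is one past the last byte to parse and that the caller must guarantee `p <= p_end`; now that the end-of-buffer computation has moved out of the function, a one-line comment above the definition would document the contract that `while (p_end - p >= 4)` relies on. Dropping the local `bfd_byte *p_end = p + hdr->sh_size;` is the substantive fix: with `contents` pointing one byte past the start of the section data, that computed end overran the allocation by one byte, which is the overflow the commit message describes.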
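Review bot: in the second hunk, the change from `-free_data:` to `+ free_data:` is a whitespace-only re-indentation of the label that is unrelated to the overflow fix and is not mentioned in the ChangeLog entry; either drop it from this patch or add it to the entry. The corrected call `bfd_elf_parse_attr_section_v1 (abfd, cursor, data + hdr->sh_size);` now passes the end of the whole section instead of letting the callee derive it from `cursor`, which after `++cursor;` is one byte past `data`; a short comment at the call site saying that `data + hdr->sh_size` is the true end of the buffer would make the intent clear to the next reader.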