From patchwork Wed Dec 25 22:55:34 2024
X-Patchwork-Submitter: Alan Modra
X-Patchwork-Id: 103686
Date: Thu, 26 Dec 2024 09:25:34 +1030
From: Alan Modra
To: binutils@sourceware.org
Subject: buffer overflow in gas/app.c

This testcase (simplified from oss-fuzz):

.irp x x x " .end # .endr

manages to access lex[EOF].

xxx: Warning: end of file in string; '"' inserted
xxx:1: Warning: missing closing `"'
gas/app.c:844:16: runtime error: index -1 out of bounds for type 'char [256]'

Following that there is a buffer overflow.  Stop this happening, and in other similar places, by checking for EOF.

diff --git a/gas/app.c b/gas/app.c
index 8dc69ff4ce0..20b41209f94 100644
--- a/gas/app.c
+++ b/gas/app.c
@@ -820,7 +820,9 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen, /* We need to watch out for .end directives: We should in particular not issue diagnostics for anything after an active one. */ - if (end_state == NULL) + if (ch == EOF) + end_state = NULL; + else if (end_state == NULL) { if ((state == 0 || state == 1) && (ch == '.' @@ -858,7 +860,9 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen, #if defined TC_ARM && defined OBJ_ELF /* We need to watch out for .symver directives. See the comment later in this function. */ - if (symver_state == NULL) + if (ch == EOF) + symver_state = NULL; + else if (symver_state == NULL) { if ((state == 0 || state == 1) && strchr (tc_comment_chars, '@') != NULL @@ -891,7 +895,9 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen, MRI mode or not. Unfortunately, since m68k MRI mode affects the scrubber, that means that we need a special purpose recognizer here. */ - if (mri_state == NULL) + if (ch == EOF) + mri_state = NULL; + else if (mri_state == NULL) { if ((state == 0 || state == 1) && ch == mri_pseudo[0]) @@ -927,7 +933,7 @@ do_scrub_chars (size_t (*get) (char *, size_t), char *tostart, size_t tolen, } else { - /* We've read the entire pseudo-op. mips_last_ch is + /* We've read the entire pseudo-op. mri_last_ch is either '0' or '1' indicating whether to enter or leave MRI mode. */ do_scrub_begin (mri_last_ch == '1');
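Review bot: in the end_state hunk (new lines 820-828) the `if (ch == EOF) end_state = NULL;` arm is correct, but why it is needed is not visible from the code alone: it keeps the rest of the `.end` recognizer from running with ch == -1, which is the `index -1 out of bounds for type 'char [256]'` at gas/app.c:844 quoted in the commit message. A one-line comment above the EOF check saying that EOF must abandon any partially matched `.end` so the lookup below never indexes lex with EOF would spare the next reader that deduction. The simplified oss-fuzz input in the commit message would also make a good regression test to land alongside this change, since nothing in the diff itself exercises the EOF path.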
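Review bot: the symver_state hunk (new lines 860-868) sits under `#if defined TC_ARM && defined OBJ_ELF`, so the testcase in the commit message cannot reach it and a default build does not even compile it; please confirm with an ARM ELF configured build that the new `else if (symver_state == NULL)` chain compiles and behaves, and mention which target exercised it. The change itself mirrors the end_state hunk, which is the right shape.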
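Review bot: the mri_state hunk (new lines 895-903) is the third copy of the same `if (ch == EOF) X = NULL; else if (X == NULL)` pattern within do_scrub_chars. Style point only: a single `if (ch == EOF) { end_state = NULL; symver_state = NULL; mri_state = NULL; }` ahead of the three recognizers would state the intent once, but because the symver block is conditionally compiled and each recognizer's else branch follows its own check directly, keeping the three local checks is defensible; a short comment noting that the three resets are deliberately parallel would help whoever adds a fourth recognizer later.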
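Review bot: the last hunk (new line 936) only corrects `mips_last_ch` to `mri_last_ch` in a comment, matching the `mri_last_ch == '1'` call two lines below; that is a welcome fix but unrelated to the EOF handling, so consider splitting it into its own commit, or at least mentioning it in the commit message, so the overflow fix stays bisectable on its own.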