From patchwork Mon Sep 22 07:24:26 2025
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 120604
From: "H.J. Lu"
Date: Mon, 22 Sep 2025 15:24:26 +0800
Subject: [PATCH] elf: Don't read beyond .eh_frame section size
To: Binutils, Alan Modra, Nick Clifton, Jan Beulich

	PR ld/33464
	* elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond .eh_frame section size.

From bf164f839365ccf894dfdb0a5dd365bbcb9de730 Mon Sep 17 00:00:00 2001
From: "H.J. Lu"
Date: Mon, 22 Sep 2025 15:20:34 +0800
Subject: [PATCH] elf: Don't read beyond .eh_frame section size

	PR ld/33464
	* elf-eh-frame.c (_bfd_elf_parse_eh_frame): Don't read beyond .eh_frame section size.

Signed-off-by: H.J. Lu
---
 bfd/elf-eh-frame.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/bfd/elf-eh-frame.c b/bfd/elf-eh-frame.c index dc0d2e097f5..30bb313489c 100644 --- a/bfd/elf-eh-frame.c +++ b/bfd/elf-eh-frame.c @@ -737,6 +737,7 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info, if (hdr_id == 0) { unsigned int initial_insn_length; + char *null_byte; /* CIE */ this_inf->cie = 1; 
@@ -753,10 +754,13 @@ _bfd_elf_parse_eh_frame (bfd *abfd, struct bfd_link_info *info, REQUIRE (cie->version == 1 || cie->version == 3 || cie->version == 4); - REQUIRE (strlen ((char *) buf) < sizeof (cie->augmentation)); + null_byte = memchr ((char *) buf, 0, end - buf); + REQUIRE (null_byte != NULL); + REQUIRE ((size_t) (null_byte - (char *) buf) + < sizeof (cie->augmentation)); strcpy (cie->augmentation, (char *) buf); - buf = (bfd_byte *) strchr ((char *) buf, '\0') + 1; + buf = (bfd_byte *) null_byte + 1; this_inf->u.cie.aug_str_len = buf - start - 1; ENSURE_NO_RELOCS (buf); if (buf[0] == 'e' && buf[1] == 'h') -- 2.51.0
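
Review bot: In the @@ -737 hunk, `char *null_byte;` is given a different pointer type from `buf`, so the second hunk has to cast in both directions (`(char *) buf` for the search and the length, `(bfd_byte *) null_byte` for the advance). Declaring it as `bfd_byte *null_byte;` would let the `memchr` result, the `null_byte - buf` length and `buf = null_byte + 1` all be written without casts, leaving only the `strcpy` argument cast that was already there.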
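
Review bot: In the @@ -753 hunk, `buf = (bfd_byte *) null_byte + 1;` can leave `buf` equal to `end` when the NUL that `memchr` finds is the last byte before `end`, and the context line `if (buf[0] == 'e' && buf[1] == 'h')` then reads up to two bytes with no bound visible in this hunk. Unless a check outside the hunk already guarantees bytes remain, a `REQUIRE` that `buf` is still below `end` (and `buf + 1` for the second index) before that test would extend the fix to the read that follows the augmentation string. A smaller point on the same lines: the length is now known, so `strcpy (cie->augmentation, (char *) buf);` could be a `memcpy` of `null_byte - (char *) buf + 1` bytes, which avoids rescanning the string and makes the bound explicit at the copy.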