aarch64 core: use of uninitialised value

Commit d0ff5ca959df adding PT_AARCH64_MEMTAG_MTE support, creates
a section that stores "p_memsz" from the program header in "rawsize"
and "p_filesz" in "size".  p_memsz is the memory range, usually 32
times p_filesz.  This can be a problem when bfd reads the section, for
example to display it with objdump -s, as the usual (linker) meaning
for input section "rawsize" is the original size on disk.  Memory is
allocated to read the larger of "size" and "rawsize".  So 32 times the
memory is allocated than what is really needed.

With fuzzed input "rawsize" can be smaller than "size" since the
header values are not sanity checked.  This results in section
contents with only the first "rawsize" bytes read from disk, the rest
being uninitialised.  Of course fuzzed input can also have very large
"rawsize" which might result in OOM.

One way of fixing this is to move the p_memsz value somewhere else
(output_offset would work, I think).  Another might be to qualify use
of rawsize by is_linker_input, but I haven't checked over all the bfd
code using rawsize.  And then there is this approach:

	* bfd.c (bfd_get_section_limit_octets),
	(bfd_get_section_alloc_size): Ignore rawsize in bfd_core.
	* bfd-in32.h: Regenerate.

diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h
index 4d157611217bc124d2fdbc25898a56a036e82802..7f91c11ce0d1c2b5347af37ea5f90beb12816df7 100644 (file)
--- a/bfd/bfd-in2.h
+++ b/bfd/bfd-in2.h
@@ -2496,7 +2496,8 @@ bfd_set_asymbol_name (asymbol *sy, const char *name)
 static inline bfd_size_type
 bfd_get_section_limit_octets (const bfd *abfd, const asection *sec)
 {
-  if (abfd->direction != write_direction && sec->rawsize != 0)
+  if (abfd->format != bfd_core && abfd->direction != write_direction
+      && sec->rawsize != 0)
     return sec->rawsize;
   return sec->size;
 }
@@ -2515,7 +2516,8 @@ bfd_get_section_limit (const bfd *abfd, const asection *sec)
 static inline bfd_size_type
 bfd_get_section_alloc_size (const bfd *abfd, const asection *sec)
 {
-  if (abfd->direction != write_direction && sec->rawsize > sec->size)
+  if (abfd->format != bfd_core && abfd->direction != write_direction
+      && sec->rawsize > sec->size)
     return sec->rawsize;
   return sec->size;
 }

diff --git a/bfd/bfd.c b/bfd/bfd.c
index 31c70890ad986a0051f429ca6190acbbff7c9bf1..cbeaeb6f269cecf430dcba6b614dc1be33a07b55 100644 (file)
--- a/bfd/bfd.c
+++ b/bfd/bfd.c
@@ -624,7 +624,8 @@ EXTERNAL
 .static inline bfd_size_type
 .bfd_get_section_limit_octets (const bfd *abfd, const asection *sec)
 .{
-.  if (abfd->direction != write_direction && sec->rawsize != 0)
+.  if (abfd->format != bfd_core && abfd->direction != write_direction
+.      && sec->rawsize != 0)
 .    return sec->rawsize;
 .  return sec->size;
 .}
@@ -643,7 +644,8 @@ EXTERNAL
 .static inline bfd_size_type
 .bfd_get_section_alloc_size (const bfd *abfd, const asection *sec)
 .{
-.  if (abfd->direction != write_direction && sec->rawsize > sec->size)
+.  if (abfd->format != bfd_core && abfd->direction != write_direction
+.      && sec->rawsize > sec->size)
 .    return sec->rawsize;
 .  return sec->size;
 .}