OOM in setup_group
We alloc, seek and read using section sizes in object files. Fuzzed objects can have silly sizes, but that's OK if the system supports memory over-commit. The read fails because we hit EOF and that usually results in a graceful exit. But if we memset before the read then the invalid size results in attempting to write to a huge number of memory pages, and an eventual Out Of Memory after probably swapping like crazy. So don't memset. There really isn't a need to clear the section contents anyway. All bytes are written with a good object file by the read and following loop converting section index in target order to ELF section header pointer, and the only untidy bytes are the 4 bytes past the group flags when pointers are 8 bytes. Those don't matter but the patch clears them for anyone poking around in a debugger. On error paths it's as good to free section contents as it is to clear them. Noticed when looking at PR4110 fourth test case. PR 4110 * elf.c (setup_group): Don't clear entire section contents, just the padding after group flags. Release alloc'd memory after a seek or read failure.
This commit is contained in:
parent
de08f22743
commit
327301a460
|
@ -1,3 +1,10 @@
|
|||
2020-01-31 Alan Modra <amodra@gmail.com>
|
||||
|
||||
PR 4110
|
||||
* elf.c (setup_group): Don't clear entire section contents,
|
||||
just the padding after group flags. Release alloc'd memory
|
||||
after a seek or read failure.
|
||||
|
||||
2020-01-16 Jon Turney <jon.turney@dronecode.org.uk>
|
||||
|
||||
* peXXigen.c (pe_is_repro): New function.
|
||||
|
|
|
@ -676,8 +676,6 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
|
|||
continue;
|
||||
}
|
||||
|
||||
memset (shdr->contents, 0, amt);
|
||||
|
||||
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|
||||
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
|
||||
!= shdr->sh_size))
|
||||
|
@ -692,7 +690,8 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
|
|||
/* PR 17510: If the group contents are even
|
||||
partially corrupt, do not allow any of the
|
||||
contents to be used. */
|
||||
memset (shdr->contents, 0, amt);
|
||||
bfd_release (abfd, shdr->contents);
|
||||
shdr->contents = NULL;
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -712,6 +711,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
|
|||
idx = H_GET_32 (abfd, src);
|
||||
if (src == shdr->contents)
|
||||
{
|
||||
dest->shdr = NULL;
|
||||
dest->flags = idx;
|
||||
if (shdr->bfd_section != NULL && (idx & GRP_COMDAT))
|
||||
shdr->bfd_section->flags
|
||||
|
|
Loading…
Reference in New Issue