From 7a0fb7be96e0ce79e1ae429bc1ba913e5244d537 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Fri, 3 Jan 2020 14:41:02 +0000 Subject: [PATCH] Fix potential illegal memory access failures in the BFD library by ensuring that the return value from bfd_malloc() is checked before it is used. PR 25308 * elf-properties.c (_bfd_elf_convert_gnu_properties): Check the return value from bfd_malloc. * elf32-arm.c (bfd_elf32_arm_vfp11_fix_veneer_locations): Likewise. (bfd_elf32_arm_stm32l4xx_fix_veneer_locations): Likewise. (elf32_arm_filter_cmse_symbols): Likewise. (elf32_arm_write_section): Likewise. * mach-o.c (bfd_mach_o_core_fetch_environment): Likewise. (bfd_mach_o_follow_dsym): Likewise. * pef.c (bfd_pef_print_loader_section): Likewise. (bfd_pef_scan_start_address): Likewise. (bfd_pef_parse_function_stubs): Likewise. (bfd_pef_parse_symbols): Likewise. --- bfd/ChangeLog | 16 ++++++++++++++++ bfd/elf-properties.c | 2 ++ bfd/elf32-arm.c | 11 ++++++----- bfd/mach-o.c | 7 +++++++ bfd/pef.c | 11 +++++++++++ 5 files changed, 42 insertions(+), 5 deletions(-) diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 2b988667966..7fb5bcad595 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,19 @@ +2020-01-03 Nick Clifton + + PR 25308 + * elf-properties.c (_bfd_elf_convert_gnu_properties): Check the + return value from bfd_malloc. + * elf32-arm.c (bfd_elf32_arm_vfp11_fix_veneer_locations): Likewise. + (bfd_elf32_arm_stm32l4xx_fix_veneer_locations): Likewise. + (elf32_arm_filter_cmse_symbols): Likewise. + (elf32_arm_write_section): Likewise. + * mach-o.c (bfd_mach_o_core_fetch_environment): Likewise. + (bfd_mach_o_follow_dsym): Likewise. + * pef.c (bfd_pef_print_loader_section): Likewise. + (bfd_pef_scan_start_address): Likewise. + (bfd_pef_parse_function_stubs): Likewise. + (bfd_pef_parse_symbols): Likewise. + 2020-01-03 Sergei Trofimovich * elfnn-ia64.c (elfNN_ia64_merge_private_bfd_data): don't fail diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c index a42abc44dd5..76ddad60371 100644 --- a/bfd/elf-properties.c +++ b/bfd/elf-properties.c @@ -703,6 +703,8 @@ _bfd_elf_convert_gnu_properties (bfd *ibfd, asection *isec, if (size > bfd_section_size (isec)) { contents = (bfd_byte *) bfd_malloc (size); + if (contents == NULL) + return FALSE; free (*ptr); *ptr = contents; } diff --git a/bfd/elf32-arm.c b/bfd/elf32-arm.c index ae8a269426c..2bf355a3312 100644 --- a/bfd/elf32-arm.c +++ b/bfd/elf32-arm.c @@ -7148,7 +7148,6 @@ find_arm_glue (struct bfd_link_info *link_info, tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name) + strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1); - BFD_ASSERT (tmp_name); sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name); @@ -7323,7 +7322,6 @@ record_arm_to_thumb_glue (struct bfd_link_info * link_info, tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (name) + strlen (ARM2THUMB_GLUE_ENTRY_NAME) + 1); - BFD_ASSERT (tmp_name); sprintf (tmp_name, ARM2THUMB_GLUE_ENTRY_NAME, name); @@ -7401,7 +7399,6 @@ record_arm_bx_glue (struct bfd_link_info * link_info, int reg) /* Add symbol for veneer. */ tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (ARM_BX_GLUE_ENTRY_NAME) + 1); - BFD_ASSERT (tmp_name); sprintf (tmp_name, ARM_BX_GLUE_ENTRY_NAME, reg); @@ -7493,7 +7490,6 @@ record_vfp11_erratum_veneer (struct bfd_link_info *link_info, tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10); - BFD_ASSERT (tmp_name); sprintf (tmp_name, VFP11_ERRATUM_VENEER_ENTRY_NAME, @@ -7613,7 +7609,6 @@ record_stm32l4xx_erratum_veneer (struct bfd_link_info *link_info, tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10); - BFD_ASSERT (tmp_name); sprintf (tmp_name, STM32L4XX_ERRATUM_VENEER_ENTRY_NAME, @@ -8644,6 +8639,7 @@ bfd_elf32_arm_vfp11_fix_veneer_locations (bfd *abfd, tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (VFP11_ERRATUM_VENEER_ENTRY_NAME) + 10); + BFD_ASSERT (tmp_name); for (sec = abfd->sections; sec != NULL; sec = sec->next) { @@ -8731,6 +8727,7 @@ bfd_elf32_arm_stm32l4xx_fix_veneer_locations (bfd *abfd, tmp_name = (char *) bfd_malloc ((bfd_size_type) strlen (STM32L4XX_ERRATUM_VENEER_ENTRY_NAME) + 10); + BFD_ASSERT (tmp_name); for (sec = abfd->sections; sec != NULL; sec = sec->next) { @@ -18505,6 +18502,8 @@ elf32_arm_filter_cmse_symbols (bfd *abfd ATTRIBUTE_UNUSED, maxnamelen = 128; cmse_name = (char *) bfd_malloc (maxnamelen); + BFD_ASSERT (cmse_name); + for (src_count = 0; src_count < symcount; src_count++) { struct elf32_arm_link_hash_entry *cmse_hash; @@ -19700,6 +19699,8 @@ elf32_arm_write_section (bfd *output_bfd, unsigned int in_index, out_index; bfd_vma add_to_offsets = 0; + if (edited_contents == NULL) + return FALSE; for (in_index = 0, out_index = 0; in_index * 8 < input_size || edit_node;) { if (edit_node) diff --git a/bfd/mach-o.c b/bfd/mach-o.c index b494a776908..3b6fbb57888 100644 --- a/bfd/mach-o.c +++ b/bfd/mach-o.c @@ -5752,6 +5752,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd, unsigned char *buf = bfd_malloc (1024); unsigned long size = 1024; + if (buf == NULL) + return -1; for (;;) { bfd_size_type nread = 0; @@ -5797,6 +5799,8 @@ bfd_mach_o_core_fetch_environment (bfd *abfd, bottom = seg->fileoff + seg->filesize - offset; top = seg->fileoff + seg->filesize - 4; *rbuf = bfd_malloc (top - bottom); + if (*rbuf == NULL) + return -1; *rlen = top - bottom; memcpy (*rbuf, buf + size - *rlen, *rlen); @@ -5941,6 +5945,9 @@ bfd_mach_o_follow_dsym (bfd *abfd) dsym_filename = (char *)bfd_malloc (strlen (base_bfd->filename) + strlen (dsym_subdir) + 1 + strlen (base_basename) + 1); + if (dsym_filename == NULL) + return NULL; + sprintf (dsym_filename, "%s%s/%s", base_bfd->filename, dsym_subdir, base_basename); diff --git a/bfd/pef.c b/bfd/pef.c index d88fed71381..726b8d7493d 100644 --- a/bfd/pef.c +++ b/bfd/pef.c @@ -447,6 +447,8 @@ bfd_pef_print_loader_section (bfd *abfd, FILE *file) loaderlen = loadersec->size; loaderbuf = bfd_malloc (loaderlen); + if (loaderbuf == NULL) + return -1; if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0 || bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen @@ -478,6 +480,9 @@ bfd_pef_scan_start_address (bfd *abfd) loaderlen = loadersec->size; loaderbuf = bfd_malloc (loaderlen); + if (loaderbuf == NULL) + goto end; + if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0) goto error; if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen) @@ -753,6 +758,8 @@ bfd_pef_parse_function_stubs (bfd *abfd, (header.imported_library_count * sizeof (bfd_pef_imported_library)); imports = bfd_malloc (header.total_imported_symbol_count * sizeof (bfd_pef_imported_symbol)); + if (libraries == NULL || imports == NULL) + goto error; if (loaderlen < (56 + (header.imported_library_count * 24))) goto error; @@ -897,6 +904,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym) { codelen = codesec->size; codebuf = bfd_malloc (codelen); + if (codebuf == NULL) + goto end; if (bfd_seek (abfd, codesec->filepos, SEEK_SET) < 0) goto end; if (bfd_bread ((void *) codebuf, codelen, abfd) != codelen) @@ -908,6 +917,8 @@ bfd_pef_parse_symbols (bfd *abfd, asymbol **csym) { loaderlen = loadersec->size; loaderbuf = bfd_malloc (loaderlen); + if (loaderbuf == NULL) + goto end; if (bfd_seek (abfd, loadersec->filepos, SEEK_SET) < 0) goto end; if (bfd_bread ((void *) loaderbuf, loaderlen, abfd) != loaderlen) -- 2.30.2