From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Thu, 14 Oct 2021 13:02:01 -0700
Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic
symbol table command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fail out when loading a file that contains a dynamic symbol table
command that indicates a larger number of symbols than exist in the
loaded symbol table.
Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
reporting this issue.
Updates #48990
Fixes #48991
Fixes CVE-2021-41771
Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Katie Hockman <katie@golang.org>
(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
---
src/debug/macho/file.go | 9 +++++++++
src/debug/macho/file_test.go | 7 +++++++
.../testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 | 1 +
3 files changed, 17 insertions(+)
create mode 100644 src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
diff --git a/src/debug/macho/file.go b/src/debug/macho/file.go
|
|||
|
|
index 085b0c8219..73cfce3c76 100644
|
|||
|
|
--- a/src/debug/macho/file.go
|
|||
|
|
+++ b/src/debug/macho/file.go
|
|||
|
|
@@ -345,6 +345,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
|
|||
|
|
if err := binary.Read(b, bo, &hdr); err != nil {
|
|||
|
|
return nil, err
|
|||
|
|
}
|
|||
|
|
+ if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
|
|||
|
|
+ return nil, &FormatError{offset, fmt.Sprintf(
|
|||
|
|
+ "undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
|
|||
|
|
+ hdr.Iundefsym, len(f.Symtab.Syms)), nil}
|
|||
|
|
+ } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
|
|||
|
|
+ return nil, &FormatError{offset, fmt.Sprintf(
|
|||
|
|
+ "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
|
|||
|
|
+ hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
|
|||
|
|
+ }
|
|||
|
|
dat := make([]byte, hdr.Nindirectsyms*4)
|
|||
|
|
if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
|
|||
|
|
return nil, err
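Review bot: The second added guard, `hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))`, is evaluated in uint32 and wraps, so a command whose Iundefsym is in range but whose Nundefsym is close to 0xFFFFFFFF passes both new checks even though the range it describes runs far past the end of the table, and the sum can even wrap below Iundefsym; whatever later slices Syms by that range (presumably the consumer this CVE fix is protecting) would still panic on such a file. Since the first check already establishes Iundefsym <= len, the overflow-free form is `} else if hdr.Nundefsym > uint32(len(f.Symtab.Syms))-hdr.Iundefsym {`. Separately, `f.Symtab.Syms` is dereferenced on the first added line with no visible nil check; unless the load-command loop guarantees LC_SYMTAB has already been parsed when LC_DYSYMTAB is reached (not visible in this hunk), a file that omits or reorders LC_SYMTAB would nil-dereference here, the same crash class this patch closes, so a preceding `if f.Symtab == nil { return nil, &FormatError{offset, "dynamic symbol table seen before any ordinary symbol table", nil} }` would be prudent. NewFile's body continues outside the hunk on both sides.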
|
|||
|
|
diff --git a/src/debug/macho/file_test.go b/src/debug/macho/file_test.go
|
|||
|
|
index 03915c86e2..9beeb80dd2 100644
|
|||
|
|
--- a/src/debug/macho/file_test.go
|
|||
|
|
+++ b/src/debug/macho/file_test.go
|
|||
|
|
@@ -416,3 +416,10 @@ func TestTypeString(t *testing.T) {
|
|||
|
|
t.Errorf("got %v, want %v", TypeExec.GoString(), "macho.Exec")
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
+
|
|||
|
|
+func TestOpenBadDysymCmd(t *testing.T) {
|
|||
|
|
+ _, err := openObscured("testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64")
|
|||
|
|
+ if err == nil {
|
|||
|
|
+ t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
|
|||
|
|
+ }
|
|||
|
|
+}
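Review bot: TestOpenBadDysymCmd only asserts that `err` is non-nil, so it passes on any failure to parse the fixture — including one unrelated to the dynamic symbol table command — and therefore does not demonstrate that the newly added range check is what rejects the file. Pin the error to the new code path, e.g. `var fe *FormatError; if !errors.As(err, &fe) || !strings.Contains(fe.Error(), "dynamic symbol table command") { t.Fatalf("unexpected error: %v", err) }`, importing `errors` and `strings` in file_test.go if they are not already in scope. A second fixture in which Nundefsym is large enough that Iundefsym+Nundefsym wraps in uint32 would also be worth adding, since the single base64 file introduced here does not exercise that boundary.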
|
|||
|
|
diff --git a/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64 b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
|
|||
|
|
new file mode 100644
|
|||
|
|
index 0000000000..8e0436639c
|
|||
|
|
--- /dev/null
|
|||
|
|
+++ b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
|
|||
|
|
@@ -0,0 +1 @@
|
|||
|
|
+z/rt/gcAAAEDAACAAgAAAAsAAABoBQAAhQAAAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA2AEAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAcAAAAFAAAABQAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAABQPAAABAAAAbQAAAAAAAAAUDwAAAgAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3ltYm9sX3N0dWIxAABfX1RFWFQAAAAAAAAAAAAAgQ8AAAEAAAAMAAAAAAAAAIEPAAAAAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAACQDwAAAQAAABgAAAAAAAAAkA8AAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAKgPAAABAAAADQAAAAAAAACoDwAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAF9fZWhfZnJhbWUAAAAAAABfX1RFWFQAAAAAAAAAAAAAuA8AAAEAAABIAAAAAAAAALgPAAADAAAAAAAAAAAAAAALAABgAAAAAAAAAAAAAAAAGQAAADgBAABfX0RBVEEAAAAAAAAAAAAAABAAAAEAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAAHAAAAAwAAAAMAAAAAAAAAX19kYXRhAAAAAAAAAAAAAF9fREFUQQAAAAAAAAAAAAAAEAAAAQAAABwAAAAAAAAAABAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABfX2R5bGQAAAAAAAAAAAAAX19EQVRBAAAAAAAAAAAAACAQAAABAAAAOAAAAAAAAAAgEAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fbGFfc3ltYm9sX3B0cgBfX0RBVEEAAAAAAAAAAAAAWBAAAAEAAAAQAAAAAAAAAFgQAAACAAAAAAAAAAAAAAAHAAAAAgAAAAAAAAAAAAAAGQAAAEgAAABfX0xJTktFRElUAAAAAAAAACAAAAEAAAAAEAAAAAAAAAAgAAAAAAAAQAEAAAAAAAAHAAAAAQAAAAAAAAAAAAAAAgAAABgAAAAAIAAACwAAAMAgAACAAAAACwAAAFAAAAAAAAAAAgAAAAIAAAAHAAAACQAAAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwIAAABAAAAAAAAAAAAAAAAAAAAAAAAAAOAAAAIAAAAAwAAAAvdXNyL2xpYi9keWxkAAAAAAAAABsAAAAYAAAAOyS4cg5FdtQoqu6JsMEhXQUAAAC4AAAABAAAACoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQPAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAOAAAABgAAAACAAAAAAABAAAAAQAvdXNyL2xpYi9saWJnY2Nfcy4xLmR5bGliAAAAAAAAAAwAAAA4AAAAGAAAAAIAAAAEAW8AAAABAC91c3IvbGliL2xpYlN5c3RlbS5CLmR5bGliAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|||
|
|
\ No newline at end of file
--
2.21.0 (Apple Git-122)