Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Avoid arithmetic overflow and panics #302

Merged
merged 6 commits into from
Feb 14, 2022
Merged

fix: Avoid arithmetic overflow and panics #302

merged 6 commits into from
Feb 14, 2022

Conversation

Swatinem
Copy link
Contributor

@Swatinem Swatinem commented Feb 4, 2022

The first comes from a real and valid fat file that is ~6G, the other overflow was found while fuzzing.

m4b
m4b reviewed Feb 4, 2022
View reviewed changes
src/mach/exports.rs Outdated
@@ -274,10 +274,16 @@ impl<'a> ExportTrie<'a> {
/// Create a new, lazy, zero-copy export trie from the `DyldInfo` `command`
pub fn new(bytes: &'a [u8], command: &load_command::DyldInfoCommand) -> Self {
let start = command.export_off as usize;
let end = (command.export_size + command.export_off) as usize;
let end = start.saturating_add(command.export_size as usize);
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this silently truncates maybe should do checked add and warn when it’s too large ? I assume this would only ever happen on a 32-bit system reading the 6GB binary ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some log::warn for this and the FatArch case.
This here I found via fuzzing, though the FatArch was indeed a valid file.

m4b
m4b approved these changes Feb 14, 2022
View reviewed changes
Copy link
Owner

@m4b m4b left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, the 16 const nit is not super important

src/mach/load_command.rs

// check the length
if thread_state_bytes.len() < thread_state_byte_length {
if bytes.len() < 16 + thread_state_byte_length {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i know you didn't introduce 16 but it might be nice to turn this into a const since it's used again below and will be puzzling to future reviewers

@m4b m4b merged commit 52a563b into m4b:master Feb 14, 2022
@m4b
Copy link
Owner

m4b commented Feb 14, 2022

thank you for adding the tests!

@Swatinem Swatinem deleted the fix/overflow branch March 1, 2022 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@m4b m4b m4b approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Swatinem @m4b