[release-branch.go1.16] debug/macho: fail on invalid dynamic symbol table command

Fail out when loading a file that contains a dynamic symbol table command that indicates a larger number of symbols than exist in the loaded symbol table. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. Updates #48990 Fixes #48991 Fixes CVE-2021-41771 Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5 Reviewed-on: https://go-review.googlesource.com/c/go/+/355990 Reviewed-by: Julie Qiu <julie@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com> Run-TryBot: Roland Shoemaker <roland@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Trust: Katie Hockman <katie@golang.org> (cherry picked from commit 61536ec030) Reviewed-on: https://go-review.googlesource.com/c/go/+/359454 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
2021-10-14 13:02:01 -07:00 · 2021-10-14 13:02:01 -07:00 · d19c5bdb24
parent 900443349b
commit d19c5bdb24
3 changed files with 17 additions and 0 deletions
--- a/src/debug/macho/file.go
+++ b/src/debug/macho/file.go
@ -345,6 +345,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
 			if err := binary.Read(b, bo, &hdr); err != nil {
 				return nil, err
 			}
+			if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
+				return nil, &FormatError{offset, fmt.Sprintf(
+					"undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
+					hdr.Iundefsym, len(f.Symtab.Syms)), nil}
+			} else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
+				return nil, &FormatError{offset, fmt.Sprintf(
+					"number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
+					hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
+			}
 			dat := make([]byte, hdr.Nindirectsyms*4)
 			if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
 				return nil, err
--- a/src/debug/macho/file_test.go
+++ b/src/debug/macho/file_test.go
@ -416,3 +416,10 @@ func TestTypeString(t *testing.T) {
 		t.Errorf("got %v, want %v", TypeExec.GoString(), "macho.Exec")
 	}
 }
+
+func TestOpenBadDysymCmd(t *testing.T) {
+	_, err := openObscured("testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64")
+	if err == nil {
+		t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
+	}
+}
--- a/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64
+++ b/src/debug/macho/testdata/gcc-amd64-darwin-exec-with-bad-dysym.base64