CVE-2021-41771
authorGo Compiler Team <team+go-compiler@tracker.debian.org>
Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)
committerSylvain Beucler <beuc@debian.org>
Thu, 20 Apr 2023 14:32:58 +0000 (15:32 +0100)
Origin: https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2022-01-21

From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Thu, 14 Oct 2021 13:02:01 -0700
Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic
 symbol table command
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fail out when loading a file that contains a dynamic symbol table
command that indicates a larger number of symbols than exist in the
loaded symbol table.

Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for
reporting this issue.

Updates #48990
Fixes #48991
Fixes CVE-2021-41771

Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5
Reviewed-on: https://go-review.googlesource.com/c/go/+/355990
Reviewed-by: Julie Qiu <julie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Emmanuel Odeke <emmanuel@orijtech.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Katie Hockman <katie@golang.org>
(cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27)
Reviewed-on: https://go-review.googlesource.com/c/go/+/359454
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Gbp-Pq: Name CVE-2021-41771.patch

src/debug/macho/file.go
src/debug/macho/file_test.go

index 16708e5247fdfec4155779785a934528d5c1a08c..f1e48209e66ae285962d62d05c433e7889683926 100644 (file)
@@ -345,6 +345,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
                        if err := binary.Read(b, bo, &hdr); err != nil {
                                return nil, err
                        }
+                       if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
+                               return nil, &FormatError{offset, fmt.Sprintf(
+                                       "undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
+                                       hdr.Iundefsym, len(f.Symtab.Syms)), nil}
+                       } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
+                               return nil, &FormatError{offset, fmt.Sprintf(
+                                       "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
+                                       hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
+                       }
                        dat := make([]byte, hdr.Nindirectsyms*4)
                        if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
                                return nil, err
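Review bot: The second bound check, `else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))`, adds two attacker-controlled uint32 header fields, so a very large Nundefsym can wrap the sum below the table length and pass validation. Because the first branch already guarantees Iundefsym is within the table, comparing against the remainder cannot wrap: `} else if hdr.Nundefsym > uint32(len(f.Symtab.Syms))-hdr.Iundefsym {`. The sum printed in the error message would then be better computed as `uint64(hdr.Iundefsym)+uint64(hdr.Nundefsym)`. Both checks also dereference f.Symtab, and the hunk does not show whether it is guaranteed non-nil when a dynamic symbol table command appears before any symbol table command. NewFile's body starts and ends outside the hunk, so that should be confirmed against the full function.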
index 003c14e69b1dcfaa06626dab5d2496d86fa0f42b..d55823a2bfe5ca054c16526e8b86b1c9441c52ca 100644 (file)
@@ -377,3 +377,10 @@ func TestTypeString(t *testing.T) {
                t.Errorf("got %v, want %v", TypeExec.GoString(), "macho.Exec")
        }
 }
+
+func TestOpenBadDysymCmd(t *testing.T) {
+       _, err := Open("testdata/gcc-amd64-darwin-exec-with-bad-dysym")
+       if err == nil {
+               t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
+       }
+}
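Review bot: TestOpenBadDysymCmd passes on any non-nil error, so it would also pass if `testdata/gcc-amd64-darwin-exec-with-bad-dysym` were simply missing. The file list on this page names only file.go and file_test.go, so the fixture may not ship with this patch. Asserting the error type ties the test to the new validation: `if _, ok := err.(*FormatError); !ok { t.Fatalf("Open returned %T (%v), want *FormatError", err, err) }`. The failure message also names `openObscured` although the test calls `Open`, so the message should say `Open did not fail ...`.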