From: Go Compiler Team Date: Fri, 21 Jan 2022 18:45:18 +0000 (+0000) Subject: CVE-2021-41771 X-Git-Tag: archive/raspbian/1.7.4-2+rpi1+deb9u4^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=c44a27d269c65dd26b8d769d5eff95d41d733796;p=golang-1.7.git CVE-2021-41771 Origin: https://github.com/golang/go/commit/d19c5bdb24e093a2d5097b7623284eb02726cede Reviewed-by: Sylvain Beucler Last-Update: 2022-01-21 From d19c5bdb24e093a2d5097b7623284eb02726cede Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Thu, 14 Oct 2021 13:02:01 -0700 Subject: [PATCH] [release-branch.go1.16] debug/macho: fail on invalid dynamic symbol table command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fail out when loading a file that contains a dynamic symbol table command that indicates a larger number of symbols than exist in the loaded symbol table. Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this issue. Updates #48990 Fixes #48991 Fixes CVE-2021-41771 Change-Id: Ic3d6e6529241afcc959544b326b21b663262bad5 Reviewed-on: https://go-review.googlesource.com/c/go/+/355990 Reviewed-by: Julie Qiu Reviewed-by: Katie Hockman Reviewed-by: Emmanuel Odeke Run-TryBot: Roland Shoemaker TryBot-Result: Go Bot Trust: Katie Hockman (cherry picked from commit 61536ec03063b4951163bd09609c86d82631fa27) Reviewed-on: https://go-review.googlesource.com/c/go/+/359454 Reviewed-by: Dmitri Shuralyov Gbp-Pq: Name CVE-2021-41771.patch
---
diff --git a/src/debug/macho/file.go b/src/debug/macho/file.go
index 223346f..c78ca94 100644
--- a/src/debug/macho/file.go
+++ b/src/debug/macho/file.go
@@ -299,6 +299,15 @@ func NewFile(r io.ReaderAt) (*File, error) {
 if err := binary.Read(b, bo, &hdr); err != nil {
 return nil, err
 }
+ if hdr.Iundefsym > uint32(len(f.Symtab.Syms)) {
+ return nil, &FormatError{offset, fmt.Sprintf(
+ "undefined symbols index in dynamic symbol table command is greater than symbol table length (%d > %d)",
+ hdr.Iundefsym, len(f.Symtab.Syms)), nil}
+ } else if hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms)) {
+ return nil, &FormatError{offset, fmt.Sprintf(
+ "number of undefined symbols after index in dynamic symbol table command is greater than symbol table length (%d > %d)",
+ hdr.Iundefsym+hdr.Nundefsym, len(f.Symtab.Syms)), nil}
+ }
 dat := make([]byte, hdr.Nindirectsyms*4)
 if _, err := r.ReadAt(dat, int64(hdr.Indirectsymoff)); err != nil {
 return nil, err
diff --git a/src/debug/macho/file_test.go b/src/debug/macho/file_test.go
index 9ff6c5d..8f6b9a3 100644
--- a/src/debug/macho/file_test.go
+++ b/src/debug/macho/file_test.go
@@ -208,3 +208,10 @@ func TestOpenFatFailure(t *testing.T) {
 t.Errorf("OpenFat %s: got %v, want nil", filename, ff)
 }
 }
+
+func TestOpenBadDysymCmd(t *testing.T) {
+ _, err := Open("testdata/gcc-amd64-darwin-exec-with-bad-dysym")
+ if err == nil {
+ t.Fatal("openObscured did not fail when opening a file with an invalid dynamic symbol table command")
+ }
+}
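Review bot: The second bounds check, `hdr.Iundefsym+hdr.Nundefsym > uint32(len(f.Symtab.Syms))`, adds two values that appear to be uint32 (they are compared against a uint32), so an oversized Nundefsym in a malformed file can wrap the sum and slip past the check. Because the first branch already guarantees Iundefsym is within the table, the subtraction form cannot wrap: `} else if hdr.Nundefsym > uint32(len(f.Symtab.Syms))-hdr.Iundefsym {`. The added lines also dereference `f.Symtab` without a nil check; if a dynamic symbol table command can be reached before any symbol table command has populated it (not visible in this hunk), that is a panic on untrusted input, so a leading `if f.Symtab == nil` branch returning a FormatError would be worth adding. NewFile's body starts and ends outside the hunk.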
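Review bot: TestOpenBadDysymCmd passes on any error from Open, including a missing fixture, and the binary file `testdata/gcc-amd64-darwin-exec-with-bad-dysym` is not carried by this text patch, so the test may succeed without ever exercising the new check. Asserting the error type ties it to the parser: `if _, ok := err.(*FormatError); !ok { t.Fatalf("Open: got %v, want *FormatError", err) }`. The failure message also names `openObscured` although the call under test is `Open`.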