debug/elf: use saferio.InBounds to prevent offset overflow

callthingsoff · callthingsoff · commit 656e01b4a445 · 2025-09-19T22:36:15.000+08:00
When applying relocations, a malformed ELF file can provide an offset that, when added to the relocation size, overflows. This wrapped-around value could then incorrectly pass the bounds check, leading to a panic when the slice is accessed with the original large offset. This change replaces the manual bounds and overflow checks in the applyRelocations* functions with calls to saferio.{InBounds32,InBounds64}. These helper functions centralize the logic for validating slice access, correctly handling both out-of-bounds and integer overflow conditions. This simplifies the relocation code and improves robustness when parsing untrusted ELF files. Fixes #75516 Change-Id: I3a1662398a981977d6cbacfa47c40707ddd87b37
diff --git a/src/debug/elf/file.go b/src/debug/elf/file.go
@@ -830,13 +830,13 @@ func (f *File) applyRelocationsAMD64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_X86_64_64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_X86_64_32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -872,7 +872,7 @@ func (f *File) applyRelocations386(dst []byte, rels []byte) error {
 		sym := &symbols[symNo-1]
 
 		if t == R_386_32 {
-			if rel.Off+4 >= uint32(len(dst)) {
+			if !saferio.InBounds32(dst, rel.Off, 4) {
 				continue
 			}
 			val := f.ByteOrder.Uint32(dst[rel.Off : rel.Off+4])
@@ -910,7 +910,7 @@ func (f *File) applyRelocationsARM(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_ARM_ABS32:
-			if rel.Off+4 >= uint32(len(dst)) {
+			if !saferio.InBounds32(dst, rel.Off, 4) {
 				continue
 			}
 			val := f.ByteOrder.Uint32(dst[rel.Off : rel.Off+4])
@@ -955,13 +955,13 @@ func (f *File) applyRelocationsARM64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_AARCH64_ABS64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_AARCH64_ABS32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1001,7 +1001,7 @@ func (f *File) applyRelocationsPPC(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_PPC_ADDR32:
-			if rela.Off+4 >= uint32(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds32(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1041,13 +1041,13 @@ func (f *File) applyRelocationsPPC64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_PPC64_ADDR64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_PPC64_ADDR32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1084,7 +1084,7 @@ func (f *File) applyRelocationsMIPS(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_MIPS_32:
-			if rel.Off+4 >= uint32(len(dst)) {
+			if !saferio.InBounds32(dst, rel.Off, 4) {
 				continue
 			}
 			val := f.ByteOrder.Uint32(dst[rel.Off : rel.Off+4])
@@ -1132,13 +1132,13 @@ func (f *File) applyRelocationsMIPS64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_MIPS_64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_MIPS_32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1180,13 +1180,13 @@ func (f *File) applyRelocationsLOONG64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_LARCH_64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_LARCH_32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1226,13 +1226,13 @@ func (f *File) applyRelocationsRISCV64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_RISCV_64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_RISCV_32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1272,13 +1272,13 @@ func (f *File) applyRelocationss390x(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_390_64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_390_32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
@@ -1318,13 +1318,13 @@ func (f *File) applyRelocationsSPARC64(dst []byte, rels []byte) error {
 
 		switch t {
 		case R_SPARC_64, R_SPARC_UA64:
-			if rela.Off+8 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 8) || rela.Addend < 0 {
 				continue
 			}
 			val64 := sym.Value + uint64(rela.Addend)
 			f.ByteOrder.PutUint64(dst[rela.Off:rela.Off+8], val64)
 		case R_SPARC_32, R_SPARC_UA32:
-			if rela.Off+4 >= uint64(len(dst)) || rela.Addend < 0 {
+			if !saferio.InBounds64(dst, rela.Off, 4) || rela.Addend < 0 {
 				continue
 			}
 			val32 := uint32(sym.Value) + uint32(rela.Addend)
diff --git a/src/internal/saferio/io.go b/src/internal/saferio/io.go
@@ -11,6 +11,7 @@ package saferio
 
 import (
 	"io"
+	"math"
 	"unsafe"
 )
 
@@ -130,3 +131,21 @@ func SliceCap[E any](c uint64) int {
 	size := uint64(unsafe.Sizeof(v))
 	return SliceCapWithSize(size, c)
 }
+
+// InBounds32 reports whether S[start : start+length] can be taken
+// without panicking.
+func InBounds32[S ~[]E, E any](slice S, start, length uint32) bool {
+	if start+length >= uint32(len(slice)) || math.MaxUint32-start < length {
+		return false
+	}
+	return true
+}
+
+// InBounds64 reports whether S[start : start+length] can be taken
+// without panicking.
+func InBounds64[S ~[]E, E any](slice S, start, length uint64) bool {
+	if start+length >= uint64(len(slice)) || math.MaxUint64-start < length {
+		return false
+	}
+	return true
+}
diff --git a/src/internal/saferio/io_test.go b/src/internal/saferio/io_test.go
@@ -7,6 +7,7 @@ package saferio
 import (
 	"bytes"
 	"io"
+	"math"
 	"testing"
 )
 
@@ -134,3 +135,59 @@ func TestSliceCap(t *testing.T) {
 		}
 	})
 }
+func TestInBounds32(t *testing.T) {
+	tests := []struct {
+		name   string
+		slice  []byte
+		start  uint32
+		length uint32
+		want   bool
+	}{
+		{"valid range", []byte{1, 2, 3, 4, 5}, 1, 3, true},
+		{"start+length equals len", []byte{1, 2, 3}, 0, 3, false},
+		{"start+length exceeds len", []byte{1, 2, 3}, 2, 2, false},
+		{"start at end", []byte{1, 2, 3}, 3, 0, false},
+		{"zero length", []byte{1, 2, 3}, 1, 0, true},
+		{"empty slice", []byte{}, 0, 0, false},
+		{"maxuint32 overflow", []byte{1, 2, 3}, math.MaxUint32, 1, false},
+		{"maxuint32 no overflow", []byte{1, 2, 3}, 0, math.MaxUint32, false},
+		{"maxuint32 edge", []byte{1, 2, 3}, math.MaxUint32 - 1, 1, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := InBounds32(tt.slice, tt.start, tt.length)
+			if got != tt.want {
+				t.Errorf("InBounds32(%v, %d, %d) = %v, want %v", tt.slice, tt.start, tt.length, got, tt.want)
+			}
+		})
+	}
+}
+func TestInBounds64(t *testing.T) {
+	tests := []struct {
+		name   string
+		slice  []byte
+		start  uint64
+		length uint64
+		want   bool
+	}{
+		{"valid range", []byte{1, 2, 3, 4, 5}, 1, 3, true},
+		{"start+length equals len", []byte{1, 2, 3}, 0, 3, false},
+		{"start+length exceeds len", []byte{1, 2, 3}, 2, 2, false},
+		{"start at end", []byte{1, 2, 3}, 3, 0, false},
+		{"zero length", []byte{1, 2, 3}, 1, 0, true},
+		{"empty slice", []byte{}, 0, 0, false},
+		{"maxuint64 overflow", []byte{1, 2, 3}, math.MaxUint64, 1, false},
+		{"maxuint64 no overflow", []byte{1, 2, 3}, 0, math.MaxUint64, false},
+		{"maxuint64 edge", []byte{1, 2, 3}, math.MaxUint64 - 1, 1, false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := InBounds64(tt.slice, tt.start, tt.length)
+			if got != tt.want {
+				t.Errorf("InBounds64(%v, %d, %d) = %v, want %v", tt.slice, tt.start, tt.length, got, tt.want)
+			}
+		})
+	}
+}
