https://sourceware.org/bugzilla/show_bug.cgi?id=28933
Bug ID: 28933
Summary: buffer overflow on powerpc-linux
Product: binutils
Version: 2.39 (HEAD)
Status: NEW
Severity: normal
Priority: P2
Component: libctf
Assignee: unassigned at sourceware dot org
Reporter: amodra at gmail dot com
Target Milestone: ---

Running the testsuite with asan enabled, or under valgrind, shows buffer overflows.

valgrind ./ld-new -z norelro -L/home/alan/src/binutils-gdb/ld/testsuite/ld-ctf -shared -o tmpdir/dump tmpdir/diag-cttname-invalid.o
...
==4167619== Invalid read of size 2
==4167619==    at 0x484CAAF: memmove (vg_replace_strmem.c:1289)
==4167619==    by 0x21DEA2: memcpy (string_fortified.h:29)
==4167619==    by 0x21DEA2: ctf_bufopen_internal.part.0 (ctf-open.c:1528)
==4167619==    by 0x226CFE: ctf_arc_bufopen (ctf-archive.c:444)
==4167619==    by 0x225D0D: ctf_bfdopen_ctfsect (ctf-open-bfd.c:216)
==4167619==    by 0x225FED: ctf_bfdopen (ctf-open-bfd.c:77)
==4167619==    by 0x14FEA2: ldlang_open_ctf (ldlang.c:3753)
==4167619==    by 0x14FEA2: lang_process (ldlang.c:8211)
==4167619==    by 0x13C967: main (ldmain.c:497)
==4167619==  Address 0x4ab513a is 170 bytes inside a block of size 171 alloc'd
==4167619==    at 0x4842839: malloc (vg_replace_malloc.c:380)
==4167619==    by 0x17993A: bfd_malloc (libbfd.c:289)
==4167619==    by 0x20F627: bfd_get_full_section_contents (compress.c:279)
==4167619==    by 0x225FB1: ctf_bfdopen (ctf-open-bfd.c:64)
==4167619==    by 0x14FEA2: ldlang_open_ctf (ldlang.c:3753)
==4167619==    by 0x14FEA2: lang_process (ldlang.c:8211)
==4167619==    by 0x13C967: main (ldmain.c:497)
...

At the bad memcpy, gdb shows

(gdb) p fp->ctf_size
$3 = 130
(gdb) p *ctfsect
$4 = {cts_name = 0x555556a16c00 <_CTF_SECTION> ".ctf", cts_data = 0x60f000000220, cts_size = 171, cts_entsize = 1}
(gdb) p hdrsz
$5 = 52
(gdb)

and indeed 130 > 171 - 52
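The arithmetic at the end of the report is the whole bug: the body size recorded in the CTF header (ctf_size = 130) is larger than what is left of the section buffer after the header (171 - 52 = 119), and the memcpy trusts the header. The example below is added here and is not libctf's code; it shows the bounds check a loader should perform on the header's claimed size before copying, using the same quantities as the gdb output (section size, header size, ctf_size). The struct and function names (struct sect, body_fits, copy_ctf_body, copy_rejected) are hypothetical, and the 171-byte section is constructed inline.

```c
/* Added example, not libctf code: validate a header-supplied body size
   against the real section size before copying.  Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A section buffer as read from the object file (mirrors the report's
   cts_data / cts_size fields; constructed here, not libctf's type). */
struct sect {
  const unsigned char *data;
  size_t size;
};

/* True when a header of hdrsz bytes followed by ctf_size body bytes fits
   inside a section of sect_size bytes.  Written as a subtraction so that
   hdrsz + ctf_size cannot wrap around in size_t. */
int body_fits(size_t sect_size, size_t hdrsz, size_t ctf_size) {
  if (hdrsz > sect_size)
    return 0;
  return ctf_size <= sect_size - hdrsz;
}

/* Copy the body out of the section into a fresh allocation, or return
   NULL when the header's claimed size does not fit.  The check is what
   the report's memcpy at ctf-open.c:1528 was missing. */
unsigned char *copy_ctf_body(const struct sect *s, size_t hdrsz, size_t ctf_size) {
  if (!body_fits(s->size, hdrsz, ctf_size))
    return NULL;
  unsigned char *buf = malloc(ctf_size ? ctf_size : 1);
  if (buf == NULL)
    return NULL;
  memcpy(buf, s->data + hdrsz, ctf_size);
  return buf;
}

/* Test helper: build a zero-filled section of sect_size bytes, attempt the
   copy, and report 1 if it was rejected, 0 if it succeeded. */
int copy_rejected(size_t sect_size, size_t hdrsz, size_t ctf_size) {
  unsigned char *raw = calloc(sect_size ? sect_size : 1, 1);
  if (raw == NULL)
    return -1;
  struct sect s = { raw, sect_size };
  unsigned char *body = copy_ctf_body(&s, hdrsz, ctf_size);
  int rejected = (body == NULL);
  free(body);
  free(raw);
  return rejected;
}

int main(void) {
  /* The report's numbers: a 171-byte section, a 52-byte header, and a
     header claiming 130 body bytes.  130 > 171 - 52, so it must be refused. */
  printf("ctf_size 130 in 171-byte section: %s\n",
         copy_rejected(171, 52, 130) ? "rejected" : "copied");
  /* 119 is the largest body that fits after the 52-byte header. */
  printf("ctf_size 119 in 171-byte section: %s\n",
         copy_rejected(171, 52, 119) ? "rejected" : "copied");
  return 0;
}
```

The subtraction form matters: a check written as hdrsz + ctf_size <= cts_size can be defeated by a ctf_size near SIZE_MAX, since the sum wraps to a small value. Checking hdrsz against the section first, then ctf_size against the remainder, has no such wrap.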