[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug ld/24055] New: _bfd_xcoff_swap_aux_in smashes the stack

From: wolfgang.thaller at gmx dot net
Subject: [Bug ld/24055] New: _bfd_xcoff_swap_aux_in smashes the stack
Date: Wed, 02 Jan 2019 17:43:53 +0000


            Bug ID: 24055
           Summary: _bfd_xcoff_swap_aux_in smashes the stack
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: wolfgang.thaller at gmx dot net
  Target Milestone: ---

Created attachment 11506
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11506&action=edit
Patch to avoid a buffer overflow.

Affected: 32-bit XCOFF (PowerPC32 AIX) and maybe some other COFF platforms.

Most call sites pass a pointer to a single stack-allocated union
internal_auxent as the last parameter to swap_aux_in.

The function _bfd_xcoff_swap_aux_in in coff-rs6000.c, when encountering a
C_FILE with multiple aux entries, attempts to copy numaux entries at once using
a memcpy, thus smashing the stack.

There appear to be a few more instances of the swap_aux_in code;
coffswap.h/coff_swap_aux_in and coffcode.h/coff_bigobj_swap_aux_in also copy
multiple entries in the C_FILE case.

By contrast, coff64-rs6000.c/_bfd_xcoff64_swap_aux_in and
peXXigen.c/_bfd_XXi_swap_aux_in only copy a single aux entry.

The attached patch makes the coff-rs6000.c version match the coff64-rs6000.c
It fixes segfaults for me, but is only tested in the context of my hobby
project, a cross compiler to ancient 1990s PowerMacs

You are receiving this mail because:
You are on the CC list for the bug.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]