bug-binutils

[Bug libctf/28933] buffer overflow on powerpc-linux


From: cvs-commit at gcc dot gnu.org
Subject: [Bug libctf/28933] buffer overflow on powerpc-linux
Date: Thu, 24 Mar 2022 13:56:22 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=28933

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The binutils-2_38-branch branch has been updated by Nick Alcock
<nix@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=975b5540232ffe37c6c2ce37fa2b480c2d6cc0ab

commit 975b5540232ffe37c6c2ce37fa2b480c2d6cc0ab
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Fri Mar 18 00:49:11 2022 +0000

    libctf, ld: diagnose corrupted CTF header cth_strlen

    The last section in a CTF dict is the string table, at an offset
    represented by the cth_stroff header field.  Its length is recorded in
    the next field, cth_strlen, and the two added together are taken as the
    size of the CTF dict.  Upon opening a dict, we check that none of the
    header offsets exceed this size, and we check when uncompressing a
    compressed dict that the result of the uncompression is the same length:
    but CTF dicts need not be compressed, and short ones are not.
    Uncompressed dicts just use the ctf_size without checking it.  This
    field is thankfully almost unused: it is mostly used when reserializing
    a dict, which can't be done to dicts read off disk since they're
    read-only.

    However, when opening an uncompressed foreign-endian dict we have to
    copy it out of the mmaped region it is stored in so we can endian-
    swap it, and we use ctf_size when doing that.  When the cth_strlen is
    corrupt, this can overrun.

    Fix this by checking the ctf_size in all uncompressed cases, just as we
    already do in the compressed case.  Add a new test.

    This came to light because various corrupted-CTF raw-asm tests had an
    incorrect cth_strlen: fix all of them so they produce the expected
    error again.

    libctf/
            PR libctf/28933
            * ctf-open.c (ctf_bufopen_internal): Always check uncompressed
            CTF dict sizes against the section size in case the cth_strlen is
            corrupt.

    ld/
            PR libctf/28933
            * testsuite/ld-ctf/diag-strlen-invalid.*: New test,
            derived from diag-cttname-invalid.s.
            * testsuite/ld-ctf/diag-cttname-invalid.s: Fix incorrect
            cth_strlen.
            * testsuite/ld-ctf/diag-cttname-null.s: Likewise.
            * testsuite/ld-ctf/diag-cuname.s: Likewise.
            * testsuite/ld-ctf/diag-parlabel.s: Likewise.
            * testsuite/ld-ctf/diag-parname.s: Likewise.

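As an added illustration (not part of the commit above or of libctf's own code), the consistency check the commit message describes, written against a simplified stand-in for the CTF header: cth_stroff plus cth_strlen must neither wrap nor exceed the bytes actually present in the section before anything is copied out of the mapped region for endian-swapping. The struct layout, the function names and the assumption that the header sits at offset 0 of the section are mine, not libctf's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, reduced header: only the two fields the commit discusses.
   The real libctf header has more fields and a different layout. */
struct ctf_hdr_lite {
    uint32_t cth_stroff;   /* offset of the string table, the last section */
    uint32_t cth_strlen;   /* length of the string table */
};

/* Derive the dict size the header implies (cth_stroff + cth_strlen) and
   reject it if the sum wraps a 32-bit size or exceeds section_len, the
   number of bytes really backing the dict.  Returns true when consistent
   and stores the size in *size_out. */
bool ctf_size_ok(const struct ctf_hdr_lite *hp, size_t section_len,
                 size_t *size_out)
{
    uint64_t size = (uint64_t) hp->cth_stroff + (uint64_t) hp->cth_strlen;
    if (size > UINT32_MAX)      /* addition wrapped: header is corrupt */
        return false;
    if (size > section_len)     /* corrupt cth_strlen: a copy would overrun */
        return false;
    if (size_out)
        *size_out = (size_t) size;
    return true;
}

/* The copy-out step the commit describes for uncompressed foreign-endian
   dicts, guarded by the size check so a corrupt cth_strlen produces an
   error (return 0) instead of an over-read of the mapped region.
   Assumes the header starts at sect[0].  Returns the bytes copied. */
size_t ctf_copy_checked(const unsigned char *sect, size_t sect_len,
                        unsigned char *dst, size_t dst_len)
{
    struct ctf_hdr_lite hdr;
    size_t size;

    if (sect_len < sizeof hdr)
        return 0;
    memcpy(&hdr, sect, sizeof hdr);
    if (!ctf_size_ok(&hdr, sect_len, &size))
        return 0;
    if (size > dst_len)         /* destination too small for the dict */
        return 0;
    memcpy(dst, sect, size);
    return size;
}
```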

