bug-binutils

From: cvs-commit at gcc dot gnu.org
Subject: [Bug libctf/29983] 2.36+ type confusion in outdated-input warning causes out-of-bounds access and possible overwrite
Date: Thu, 12 Jan 2023 15:39:30 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29983

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The binutils-2_40-branch branch has been updated by Nick Alcock
<nix@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=999e7ed7a2bfd3a65468b383222d441a8071d8e4

commit 999e7ed7a2bfd3a65468b383222d441a8071d8e4
Author: Nick Alcock <nick.alcock@oracle.com>
Date:   Mon Jan 9 13:43:09 2023 +0000

    libctf: ctf-link outdated input check faulty

    This check has a pair of faults which, combined, can lead to memory
    corruption.  Firstly, it assumes that the values of the ctf_link_inputs
    hash are ctf_dict_t's: they are not, they are ctf_link_input_t's, a much
    shorter structure.  So the flags check which is the core of this is
    faulty (but happens, by chance, to give the right output on most
    architectures, since usually we happen to get a 0 here, so the test that
    checks this usually passes).  Worse, the warning that is emitted when
    the test fails is added to the wrong dict -- it's added to the input
    dict, whose warning list is never consumed, rendering the whole check
    useless.  But the dict it adds to is still the wrong type, so we end up
    overwriting something deep in memory (or, much more likely,
    dereferencing a garbage pointer and crashing).

    Fixing both reveals another problem: the link input is an *archive*
    consisting of multiple members, so we have to consider whether to check
    all of them for the outdated-func-info thing we are checking here.
    However, no compiler exists that emits a mixture of members with this
    flag on and members with it off, and the linker always reserializes (and
    upgrades) such things when it sees them: so all members in a given
    archive must have the same value of the flag, so we only need to check
    one member per input archive.

    libctf/
            PR libctf/29983
            * ctf-link.c (ctf_link_warn_outdated_inputs): Get the types of
            members of ctf_link_inputs right, fixing a possible spurious
            test failure / wild pointer deref / overwrite.  Emit the
            warning message into the right dict.

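As an added illustration (not libctf's code and not part of the bug report), the C below models the two faults the commit message describes: a hash value that is really a ctf_link_input_t being read as if it were the much larger ctf_dict_t, so the flags check reads past the end of the real object (and usually sees a 0), and the warning being attached to the wrong dict. The struct layouts, the flag bit CTF_OUTDATED_FUNC_INFO, the field names and the one-member-per-archive shortcut are hypothetical stand-ins chosen for the demo, not libctf's real definitions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for the libctf structures named in the
   commit message. Layouts, field names and the flag bit are assumptions. */
#define CTF_OUTDATED_FUNC_INFO 0x1u

typedef struct ctf_warning {
    struct ctf_warning *next;
    const char *text;
} ctf_warning_t;

typedef struct ctf_dict {
    char           other_fields[48];  /* stand-in for the fields before flags */
    unsigned int   flags;
    ctf_warning_t *warnings;          /* only the output dict's list is consumed */
} ctf_dict_t;

/* The value type actually stored in the ctf_link_inputs hash: much shorter. */
typedef struct ctf_link_input {
    const char *name;
    ctf_dict_t *member;   /* one member of the archive; all share the flag */
} ctf_link_input_t;

/* 1 if reading flags through a ctf_dict_t pointer that really points at a
   ctf_link_input_t lands beyond the end of the smaller object. */
int confused_flags_read_is_oob(void)
{
    return offsetof(ctf_dict_t, flags) + sizeof(unsigned int)
           > sizeof(ctf_link_input_t);
}

/* BUGGY: models the fault. The hash value is cast to the wrong type, so
   "flags" is whatever bytes happen to follow the ctf_link_input_t. */
int buggy_is_outdated(void *hash_value)
{
    ctf_dict_t *fp = (ctf_dict_t *) hash_value;   /* wrong type */
    return (fp->flags & CTF_OUTDATED_FUNC_INFO) != 0;
}

/* FIXED: read the flag through the real type, from one member of the archive. */
int fixed_is_outdated(const ctf_link_input_t *input)
{
    return (input->member->flags & CTF_OUTDATED_FUNC_INFO) != 0;
}

/* FIXED: attach the warning to the output dict, whose list is the one that is
   actually consumed. Returns the number of warnings added. */
size_t warn_outdated_inputs(ctf_dict_t *out, ctf_link_input_t **inputs, size_t n)
{
    size_t added = 0;
    for (size_t i = 0; i < n; i++) {
        if (!fixed_is_outdated(inputs[i]))
            continue;
        ctf_warning_t *w = calloc(1, sizeof *w);
        if (!w) abort();
        w->text = inputs[i]->name;   /* in reality: a formatted message */
        w->next = out->warnings;
        out->warnings = w;
        added++;
    }
    return added;
}

/* The silent false negative. The ctf_link_input_t is placed in a zeroed block
   as large as a ctf_dict_t so the confused read stays inside the allocation
   (in libctf the block is only sizeof (ctf_link_input_t), so the same read is
   out of bounds). Returns 1 if the buggy check misses the flag the fixed check sees. */
int demo_false_negative(void)
{
    ctf_dict_t member = {0};
    member.flags = CTF_OUTDATED_FUNC_INFO;
    size_t big = sizeof(ctf_dict_t) > sizeof(ctf_link_input_t)
                 ? sizeof(ctf_dict_t) : sizeof(ctf_link_input_t);
    void *blob = calloc(1, big);
    if (!blob) abort();
    ctf_link_input_t *input = blob;
    input->name = "old.o";
    input->member = &member;
    int missed = buggy_is_outdated(blob) == 0 && fixed_is_outdated(input) == 1;
    free(blob);
    return missed;
}

/* Constructed inputs: one fresh, one outdated. Returns 1 if exactly one warning
   lands on the output dict and none on the inputs' own dicts. */
int demo_warning_goes_to_output_dict(void)
{
    ctf_dict_t out = {0}, fresh = {0}, stale = {0};
    stale.flags = CTF_OUTDATED_FUNC_INFO;
    ctf_link_input_t a = { "new.o", &fresh }, b = { "old.o", &stale };
    ctf_link_input_t *inputs[] = { &a, &b };
    size_t n = warn_outdated_inputs(&out, inputs, 2);
    int ok = n == 1 && out.warnings && strcmp(out.warnings->text, "old.o") == 0
             && fresh.warnings == NULL && stale.warnings == NULL;
    free(out.warnings);
    return ok;
}

int main(void)
{
    printf("confused flags read is out of bounds: %d\n", confused_flags_read_is_oob());
    printf("buggy check misses the outdated input: %d\n", demo_false_negative());
    printf("warning attached to the output dict: %d\n", demo_warning_goes_to_output_dict());
    return 0;
}
```

The two demo functions show why the bug was invisible for so long: with zeroed slack after the short struct the confused read returns 0 and the check passes, and even when it did fire the warning went onto a list nobody read, so a crash only appeared when the bytes beyond the object happened to be non-zero.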

