authorAlan Modra <amodra@gmail.com>2024-11-30 16:41:14 +1030
committerAlan Modra <amodra@gmail.com>2024-12-01 16:43:15 +1030
commit8ab91a033555c5faae1bcd615800670b91673731 (patch)
treee01d09f233d88223dfedc7403a0e8ea0b4906066 /bfd/trad-core.c
parent227146c286e894a8886965a7576a70a451058ae5 (diff)
Re: PR32399, buffer overflow printing core_file_failing_command
Fix more potential buffer overflows, and correct trad-core.c and cisco-core.c where they should be using bfd_{z}alloc rather than bfd_{z}malloc. To stop buffer overflows with fuzzed objects that don't have a terminator on the core_file_failing_command string, this patch allocates an extra byte at the end of the entire header buffer rather than poking a NUL at the end of the name array (u_comm[] or similar) because (a) it's better to not overwrite the file data, and (b) it is possible that some core files make use of fields in struct user beyond the end of u_comm to extend the command name. The patch also changes some unnecessary uses of bfd_zalloc to bfd_alloc. There's not much point in clearing memory that will shortly be completely overwritten. PR 32399 * aix5ppc-core.c (xcoff64_core_p): Allocate an extra byte to ensure the core_file_failing_command string is terminated. * netbsd-core.c (netbsd_core_file_p): Likewise. * ptrace-core.c (ptrace_unix_core_file_p): Likewise. * rs6000-core.c (rs6000coff_core_p): Likewise. * trad-core.c (trad_unix_core_file_p): Likewise, and bfd_alloc tdata rather than bfd_zmalloc. * cisco-core.c (cisco_core_file_validate): bfd_zalloc tdata.
Diffstat (limited to 'bfd/trad-core.c')
-rw-r--r--bfd/trad-core.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/bfd/trad-core.c b/bfd/trad-core.c
index 012bc4b..06b6bda 100644
--- a/bfd/trad-core.c
+++ b/bfd/trad-core.c
@@ -65,7 +65,6 @@ trad_unix_core_file_p (bfd *abfd)
int val;
struct user u;
struct trad_core_struct *rawptr;
- size_t amt;
flagword flags;
#ifdef TRAD_CORE_USER_OFFSET
@@ -132,8 +131,7 @@ trad_unix_core_file_p (bfd *abfd)
/* Allocate both the upage and the struct core_data at once, so
a single free() will free them both. */
- amt = sizeof (struct trad_core_struct);
- rawptr = (struct trad_core_struct *) bfd_zmalloc (amt);
+ rawptr = bfd_alloc (abfd, sizeof (*rawptr) + 1);
if (rawptr == NULL)
return 0;
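Review bot: The comment kept at the top of this hunk still says a single free() releases the upage and the core data, but the new allocation on the following line uses bfd_alloc, which draws from the bfd's own allocator rather than malloc, so the comment is now misleading; I would reword it to `/* Allocate both the upage and the struct core_data at once from the bfd's memory pool, so they are released together when ABFD is closed.  */` and confirm that no remaining path in trad_unix_core_file_p or the core-file close hooks still calls free() on this tdata. Moving from bfd_zmalloc to bfd_alloc also drops the zero fill: the copied `u` and the terminator stored at sizeof (*rawptr) bound the string read, but any padding or member of struct trad_core_struct not assigned before core_file_failing_command can run would now hold uninitialized bytes rather than NUL, which deserves either a one-line comment stating that every member is assigned below or a switch to bfd_zalloc if that is not the case. The `+ 1` here and the store at index sizeof (*rawptr) in the later hunk depend on each other, so a comment on this line such as `/* +1: room for the terminator byte stored after the struct below.  */` would keep them from drifting apart in future edits. trad_unix_core_file_p starts and ends outside this hunk.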
@@ -141,6 +139,10 @@ trad_unix_core_file_p (bfd *abfd)
rawptr->u = u; /*Copy the uarea into the tdata part of the bfd */
+ /* Ensure core_file_failing_command string is terminated. This is
+ just to stop buffer overflows on fuzzed files. */
+ ((char *) rawptr)[sizeof (*rawptr)] = 0;
+
/* Create the sections. */
flags = SEC_ALLOC + SEC_LOAD + SEC_HAS_CONTENTS;