From 8ab91a033555c5faae1bcd615800670b91673731 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Sat, 30 Nov 2024 16:41:14 +1030
Subject: Re: PR32399, buffer overflow printing core_file_failing_command

Fix more potential buffer overflows, and correct trad-core.c and cisco-core.c where they should be using bfd_{z}alloc rather than bfd_{z}malloc.

To stop buffer overflows with fuzzed objects that don't have a terminator on the core_file_failing_command string, this patch allocates an extra byte at the end of the entire header buffer rather than poking a NUL at the end of the name array (u_comm[] or similar) because (a) it's better to not overwrite the file data, and (b) it is possible that some core files make use of fields in struct user beyond the end of u_comm to extend the command name.

The patch also changes some unnecessary uses of bfd_zalloc to bfd_alloc. There's not much point in clearing memory that will shortly be completely overwritten.

	PR 32399
	* aix5ppc-core.c (xcoff64_core_p): Allocate an extra byte to ensure the core_file_failing_command string is terminated.
	* netbsd-core.c (netbsd_core_file_p): Likewise.
	* ptrace-core.c (ptrace_unix_core_file_p): Likewise.
	* rs6000-core.c (rs6000coff_core_p): Likewise.
	* trad-core.c (trad_unix_core_file_p): Likewise, and bfd_alloc tdata rather than bfd_zmalloc.
	* cisco-core.c (cisco_core_file_validate): bfd_zalloc tdata.
---
 bfd/cisco-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'bfd/cisco-core.c')

diff --git a/bfd/cisco-core.c b/bfd/cisco-core.c
index 75b1115..1bbb441 100644
--- a/bfd/cisco-core.c
+++ b/bfd/cisco-core.c
@@ -154,7 +154,7 @@ cisco_core_file_validate (bfd *abfd, int crash_info_loc)
   /* OK, we believe you.  You're a core file.  */
 
   amt = sizeof (struct cisco_core_struct);
-  abfd->tdata.cisco_core_data = (struct cisco_core_struct *) bfd_zmalloc (amt);
+  abfd->tdata.cisco_core_data = bfd_zalloc (abfd, amt);
   if (abfd->tdata.cisco_core_data == NULL)
     return NULL;
 
-- 
cgit v1.1
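Review bot: With tdata.cisco_core_data now carved from the BFD's objalloc by bfd_zalloc (abfd, amt) instead of the heap, no later failure path in cisco_core_file_validate may free () it or hand it to bfd_release () without also undoing anything allocated after it; the hunk shows only the allocation, not the rest of the function, so please confirm the error paths below line 160 were audited and that they simply return NULL. Two smaller points: dropping the (struct cisco_core_struct *) cast is fine since bfd_zalloc returns void *, and if every field of struct cisco_core_struct is assigned before it is read, bfd_alloc would match the trad-core.c change in the same commit; keeping bfd_zalloc here is the safe choice only if some fields are left untouched.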
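The commit message contrasts two ways of guaranteeing that a fixed-width command-name field read from an untrusted core file can be printed safely: poke a NUL over the last byte of the name array, or allocate the whole header with one spare byte and zero that. The following is an added, self-contained example written for this page, not code from binutils or from the patch author; it uses a constructed toy header (`struct toy_core_hdr`, `U_COMM_LEN`, the `load_hdr_*` loaders and `failing_command` are all hypothetical names) and plain `malloc` in place of BFD's objalloc-backed `bfd_alloc`/`bfd_zalloc`. It shows both properties the commit relies on: a fuzzed header with no terminator anywhere cannot make `strlen` run past the header, and a name that legitimately spills past `u_comm[]` into the following field survives instead of being truncated.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy core-file header, constructed for this example (not a real BFD
   format).  u_comm[] mirrors struct user's command-name field: fixed
   width, NUL-terminated in a well-formed core, but a fuzzed core may
   fill every byte.  u_pad[] stands in for the fields that follow
   u_comm and that some cores use to extend the name.  */
#define U_COMM_LEN 8

struct toy_core_hdr
{
  unsigned char magic[4];
  char u_comm[U_COMM_LEN];   /* command name, may lack a terminator */
  char u_pad[4];             /* bytes after u_comm; name may continue here */
};

/* Longest string a reader can see from u_comm with the extra-byte scheme:
   everything from u_comm to the end of the header.  */
#define MAX_NAME_LEN \
  (sizeof (struct toy_core_hdr) - offsetof (struct toy_core_hdr, u_comm))

typedef struct toy_core_hdr *(*hdr_loader) (const unsigned char *, size_t);

/* Scheme the commit rejects: terminate in place by overwriting the last
   byte of u_comm.  Cannot overflow, but clobbers file data and truncates
   a name that spills into the following field.  */
static struct toy_core_hdr *
load_hdr_poke_nul (const unsigned char *file, size_t file_len)
{
  if (file_len < sizeof (struct toy_core_hdr))
    return NULL;
  struct toy_core_hdr *hdr = malloc (sizeof *hdr);
  if (hdr == NULL)
    return NULL;
  memcpy (hdr, file, sizeof *hdr);
  hdr->u_comm[U_COMM_LEN - 1] = '\0';
  return hdr;
}

/* Scheme the commit adopts: allocate sizeof (header) + 1, copy the header
   untouched, and zero the spare byte.  Any strlen()/printf("%s") on
   u_comm stops at that byte at the latest.  */
static struct toy_core_hdr *
load_hdr_extra_byte (const unsigned char *file, size_t file_len)
{
  if (file_len < sizeof (struct toy_core_hdr))
    return NULL;
  unsigned char *buf = malloc (sizeof (struct toy_core_hdr) + 1);
  if (buf == NULL)
    return NULL;
  memcpy (buf, file, sizeof (struct toy_core_hdr));
  buf[sizeof (struct toy_core_hdr)] = '\0';   /* the sentinel */
  return (struct toy_core_hdr *) buf;
}

/* Equivalent of core_file_failing_command: a pointer into the header.  */
static const char *
failing_command (const struct toy_core_hdr *hdr)
{
  return hdr->u_comm;
}

/* Constructed input 1: a fuzzed header that is 'A' in every byte, so no
   NUL exists anywhere.  Returns the length a caller's strlen() observes.  */
static size_t
fuzzed_name_len (hdr_loader loader)
{
  unsigned char file[sizeof (struct toy_core_hdr)];
  memset (file, 'A', sizeof file);
  struct toy_core_hdr *hdr = loader (file, sizeof file);
  size_t n = strlen (failing_command (hdr));
  free (hdr);
  return n;
}

/* Constructed input 2: a well-formed core whose 10-byte name runs two
   bytes past u_comm into u_pad, where its NUL lives.  */
static size_t
extended_name_len (hdr_loader loader)
{
  unsigned char file[sizeof (struct toy_core_hdr)];
  memset (file, 0, sizeof file);
  memcpy (file, "CORE", 4);
  memcpy (file + offsetof (struct toy_core_hdr, u_comm), "longname_x", 10);
  struct toy_core_hdr *hdr = loader (file, sizeof file);
  size_t n = strlen (failing_command (hdr));
  free (hdr);
  return n;
}

int
main (void)
{
  printf ("fuzzed:   poke-NUL %zu, extra-byte %zu (bound %zu)\n",
          fuzzed_name_len (load_hdr_poke_nul),
          fuzzed_name_len (load_hdr_extra_byte), (size_t) MAX_NAME_LEN);
  printf ("extended: poke-NUL %zu, extra-byte %zu\n",
          extended_name_len (load_hdr_poke_nul),
          extended_name_len (load_hdr_extra_byte));
  return 0;
}
```

The extra-byte scheme does not make the name "correct" for a fuzzed core; it only bounds how far a reader can run, which is exactly what the patch needs to stop the overflow. The remaining behaviour, that bytes from later fields may be printed as part of the name, is the price of property (b) in the commit message, and is why the sentinel goes after the whole header rather than after u_comm.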