From 8acbedd60e1045bf8d37b29ddd25c2c8b6a302a9 Mon Sep 17 00:00:00 2001
From: Keith Seitz
Date: Thu, 11 Dec 2014 09:39:24 -0800
Subject: This commit causes hundreds of core file regressions in gdb:
commit f64e188b58f4aab4cbd03aa6e9fc1aa602546e26
Author: Nick Clifton
Date: Tue Dec 9 12:42:18 2014 +0000
More fixes for memory access violations triggered by fuzzed binaries.
[snip]
* elf.c (elf_parse_notes): Check that the namedata is long enough for the string comparison that is about to be performed. (elf_read_notes): Zero-terminate the note buffer.
This change to elf_parse_notes is the culprit:
+ for (i = ARRAY_SIZE (grokers); i--;)
+ if (in.namesz >= sizeof grokers[i].string - 1
+ && strncmp (in.namedata, grokers[i].string,
+ sizeof (grokers[i].string) - 1) == 0)
Note how this applies sizeof to grokers[i].string...
bfd/ChangeLog
* elf.c (elf_parse_notes): Define convenience macro GROKER_ELEMENT to add elements to 'grokers'. Use grokers.len instead of sizeof in string comparisons.
---
bfd/elf.c | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
(limited to 'bfd/elf.c')
diff --git a/bfd/elf.c b/bfd/elf.c
index f7c1b9e..c8238ba 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -9706,30 +9706,35 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset)
 case bfd_core:
 {
+#define GROKER_ELEMENT(S,F) {S, sizeof (S) - 1, F}
 struct
 {
 const char * string;
+ size_t len;
 bfd_boolean (* func)(bfd *, Elf_Internal_Note *);
 }
 grokers[] =
 {
- { "", elfcore_grok_note },
- { "NetBSD-CORE", elfcore_grok_netbsd_note },
- { "OpenBSD", elfcore_grok_openbsd_note },
- { "QNX", elfcore_grok_nto_note },
- { "SPU/", elfcore_grok_spu_note }
+ GROKER_ELEMENT ("", elfcore_grok_note),
+ GROKER_ELEMENT ("NetBSD-CORE", elfcore_grok_netbsd_note),
+ GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note),
+ GROKER_ELEMENT ("QNX", elfcore_grok_nto_note),
+ GROKER_ELEMENT ("SPU/", elfcore_grok_spu_note)
 };
+#undef GROKER_ELEMENT
 int i;
 for (i = ARRAY_SIZE (grokers); i--;)
- if (in.namesz >= sizeof grokers[i].string - 1
- && strncmp (in.namedata, grokers[i].string,
- sizeof (grokers[i].string) - 1) == 0)
- {
- if (! grokers[i].func (abfd, & in))
- return FALSE;
- break;
- }
+ {
+ if (in.namesz >= grokers[i].len
+ && strncmp (in.namedata, grokers[i].string,
+ grokers[i].len) == 0)
+ {
+ if (! grokers[i].func (abfd, & in))
+ return FALSE;
+ break;
+ }
+ }
 break;
 }
-- cgit v1.1
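Review bot: GROKER_ELEMENT derives the entry length with `sizeof (S) - 1`, which is only right when S is a string literal; handed a `const char *` it would silently reintroduce the sizeof-on-pointer mistake this commit removes, so the macro should say so, e.g. `/* S must be a string literal: sizeof (S) - 1 is its length, not sizeof (char *).  */`. The loop also depends on table order: it walks from the last entry down to index 0, and the `""` entry has len 0, so `in.namesz >= 0` and a zero-length `strncmp` always succeed — it is the catch-all and must stay first in `grokers[]`; a comment such as `/* "" must be first: the loop runs backwards and this entry matches every name.  */` would stop a future reordering from shadowing the specific grokers. The stray space in `GROKER_ELEMENT ( "OpenBSD", …)` is a nit worth aligning with the other entries. The enclosing switch and the body of elf_parse_notes begin and end outside the hunk.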