author | Keith Seitz <keiths@redhat.com> | 2014-12-11 09:39:24 -0800 |
committer | Keith Seitz <keiths@redhat.com> | 2014-12-11 09:39:24 -0800 |
commit | 8acbedd60e1045bf8d37b29ddd25c2c8b6a302a9 (patch) | |
tree | b516494013526189e636fc8a4eb306a0c6af029e /bfd/elf.c | |
parent | 540feddfde2c93f242e6f54be5feb641f263c5f3 (diff) | |
This commit causes hundreds of core file regressions in gdb:
commit f64e188b58f4aab4cbd03aa6e9fc1aa602546e26
Author: Nick Clifton <nickc@redhat.com>
Date: Tue Dec 9 12:42:18 2014 +0000
More fixes for memory access violations triggered by fuzzed binaries.
[snip]
* elf.c (elf_parse_notes): Check that the namedata is long enough
for the string comparison that is about to be performed.
(elf_read_notes): Zero-terminate the note buffer.
This change to elf_parse_notes is the culprit:
+ for (i = ARRAY_SIZE (grokers); i--;)
+ if (in.namesz >= sizeof grokers[i].string - 1
+ && strncmp (in.namedata, grokers[i].string,
+ sizeof (grokers[i].string) - 1) == 0)
Note how this applies sizeof to grokers[i].string, a pointer, rather than to the string literal it points to.
bfd/ChangeLog
* elf.c (elf_parse_notes): Define convenience macro
GROKER_ELEMENT to add elements to 'grokers'.
Use grokers.len instead of sizeof in string comparisons.
Diffstat (limited to 'bfd/elf.c')
-rw-r--r-- | bfd/elf.c | 31 |
1 files changed, 18 insertions, 13 deletions
@@ -9706,30 +9706,35 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset) case bfd_core: { +#define GROKER_ELEMENT(S,F) {S, sizeof (S) - 1, F} struct { const char * string; + size_t len; bfd_boolean (* func)(bfd *, Elf_Internal_Note *); } grokers[] = { - { "", elfcore_grok_note }, - { "NetBSD-CORE", elfcore_grok_netbsd_note }, - { "OpenBSD", elfcore_grok_openbsd_note }, - { "QNX", elfcore_grok_nto_note }, - { "SPU/", elfcore_grok_spu_note } + GROKER_ELEMENT ("", elfcore_grok_note), + GROKER_ELEMENT ("NetBSD-CORE", elfcore_grok_netbsd_note), + GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note), + GROKER_ELEMENT ("QNX", elfcore_grok_nto_note), + GROKER_ELEMENT ("SPU/", elfcore_grok_spu_note) }; +#undef GROKER_ELEMENT int i; for (i = ARRAY_SIZE (grokers); i--;) - if (in.namesz >= sizeof grokers[i].string - 1 - && strncmp (in.namedata, grokers[i].string, - sizeof (grokers[i].string) - 1) == 0) - { - if (! grokers[i].func (abfd, & in)) - return FALSE; - break; - } + { + if (in.namesz >= grokers[i].len + && strncmp (in.namedata, grokers[i].string, + grokers[i].len) == 0) + { + if (! grokers[i].func (abfd, & in)) + return FALSE; + break; + } + } break; } |
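Review bot: GROKER_ELEMENT's `sizeof (S) - 1` yields the name length only when S is a string literal — exactly the assumption the reverted sizeof-on-pointer code violated — and nothing at the `#define` records that constraint, so a later table entry built from a `const char *` would silently reintroduce the same wrong length; a comment on the macro, `/* S must be a string literal: sizeof (S) - 1 is its length without the NUL.  */`, would pin it down. The guard `in.namesz >= grokers[i].len` now keeps the strncmp bound within the declared name size, so the compare cannot run past namedata provided namesz was already checked against the note buffer; that check, like the rest of elf_parse_notes, lies outside this hunk and is not visible here. The entry `GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note)` carries a stray space after the opening parenthesis that the other four entries do not.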