Date: Thu, 27 Feb 2020 06:34:00 -0000
From: Alan Modra To: binutils@sourceware.org Subject: bfd_stat_arch_elt buffer overflow Message-ID: <20200227063412.GE32593@bubble.grove.modra.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.9.4 (2018-02-28) X-IsSubscribed: yes X-SW-Source: 2020-02/txt/msg00554.txt.bz2 If you manage to put an xcoff object file into a non-xcoff archive (created by first putting a non-xcoff object file into it), and have xcoff support compiled into libbfd, then objdump -x on the archive can segfault. The problem is that _bfd_xcoff_stat_arch_elt expects abfd->arelt_data->arch_header to be one of the xcoff variants, but arelt_data is generated depending on the archive format, *not* the element format. * bfd.c (bfd_stat_arch_elt): Use vector of containing archive, if file is an archive element. * bfd-in2.h: Regenerate. diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h index 2d56fdad41..44bc7041cd 100644 --- a/bfd/bfd-in2.h +++ b/bfd/bfd-in2.h @@ -7121,7 +7121,8 @@ bfd_boolean bfd_set_private_flags (bfd *abfd, flagword flags); BFD_SEND (abfd, _bfd_debug_info_accumulate, (abfd, section)) #define bfd_stat_arch_elt(abfd, stat) \ - BFD_SEND (abfd, _bfd_stat_arch_elt,(abfd, stat)) + BFD_SEND (abfd->my_archive ? abfd->my_archive : abfd, \ + _bfd_stat_arch_elt, (abfd, stat)) #define bfd_update_armap_timestamp(abfd) \ BFD_SEND (abfd, _bfd_update_armap_timestamp, (abfd)) diff --git a/bfd/bfd.c b/bfd/bfd.c index 463f94bb94..1c1238c036 100644 --- a/bfd/bfd.c +++ b/bfd/bfd.c @@ -2063,7 +2063,8 @@ DESCRIPTION . BFD_SEND (abfd, _bfd_debug_info_accumulate, (abfd, section)) . .#define bfd_stat_arch_elt(abfd, stat) \ -. BFD_SEND (abfd, _bfd_stat_arch_elt,(abfd, stat)) +. BFD_SEND (abfd->my_archive ? abfd->my_archive : abfd, \ +. _bfd_stat_arch_elt, (abfd, stat)) . .#define bfd_update_armap_timestamp(abfd) \ . BFD_SEND (abfd, _bfd_update_armap_timestamp, (abfd)) -- Alan Modra Australia Development Lab, IBM
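Review bot: in the bfd-in2.h hunk, `abfd` is now expanded three times in the macro body (the `my_archive` test, the selected branch, and the argument list), so a caller passing an expression with side effects would evaluate it more than once; that is consistent with how BFD_SEND is already used elsewhere, but worth keeping in mind since bfd_stat_arch_elt is the only BFD_SEND wrapper whose first operand is no longer plain `abfd`. As bfd-in2.h is generated from bfd.c, this hunk should only ever be produced by regeneration, which the "Regenerate" ChangeLog entry confirms.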
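Review bot: the bfd.c hunk changes which target vector handles _bfd_stat_arch_elt for archive elements but leaves no explanation in the DESCRIPTION block, and the reason (arelt_data is laid out by the containing archive's format, not the element's, so an xcoff element inside a non-xcoff archive must not be parsed with the xcoff header layout) exists only in the mail text; a one-line comment above the #define, for example `./* Archive elements: arelt_data is laid out by the containing archive. */`, would carry that rationale into bfd-in2.h and the generated documentation.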