From: Jeff Law
To: Alan Modra, binutils@sourceware.org
Subject: Re: som: buffer overflow writing strings
Date: Tue, 29 Aug 2023 12:32:20 -0600
Message-ID: <9fa664a4-beb1-c5bf-74f5-3c3088101412@gmail.com>

On 8/25/23 00:33, Alan Modra via Binutils wrote:
> Code in som_write_symbol_strings neglected to allow for padding, which
> can result in a buffer overflow. It also used xrealloc, which we're
> not supposed to use in libbfd because libbfd isn't supposed to call
> exit. Also a realloc is perhaps not a good idea when none of the
> buffer contents are needed, so replace with free, bfd_malloc. There
> were three copies of the string handling code, so rather than fix them
> all I've extracted them to a function. This necessitated making one
> of the fields in struct som_symbol unsigned.
>
> * som.c (add_string): New function.
> (som_write_space_strings, som_write_symbol_strings): Use it.
> * som.h (som_symbol_type ): Make unsigned.

Thanks for fixing this. Amazing how this problem slipped through as long as it did. Of course SOM died ~20+ years ago, so that may explain how the bug has survived so long.

One could certainly argue about how useful being able to write object files for a dead format on a dead architecture is. I wouldn't lose any sleep if SOM quietly went away.

jeff
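The accounting error described in the quoted commit message (sizing the buffer for the string but not for the alignment padding that is then written after it) is illustrated below with a small string-table builder. This is an added example, not BFD's add_string nor any code from the patch; it assumes a SOM-style entry layout of a 4-byte big-endian length prefix, the NUL-terminated string, then zero padding to the next 4-byte boundary, and it keeps the whole table in memory (so realloc is appropriate here, unlike the flush-and-reuse buffer the commit message discusses).

```c
#include <stdlib.h>
#include <string.h>

/* Growable in-memory string table.  Hypothetical; not BFD's own code.  */
struct strtab {
  unsigned char *buf;   /* table contents */
  size_t used;          /* bytes written so far */
  size_t cap;           /* bytes allocated */
};

/* Bytes one entry occupies: 4-byte length prefix, the string with its NUL,
   then zero padding up to the next 4-byte boundary.  Sizing the buffer
   for only 4 + len + 1 bytes, and then writing the padding anyway, is
   exactly the kind of undercount that lets the write run off the end.  */
static size_t entry_size (size_t len)
{
  size_t n = 4 + len + 1;
  return (n + 3) & ~(size_t) 3;
}

/* Append NAME; returns its offset within the table, or (size_t) -1 if the
   allocation fails.  The capacity check is done on the padded size.  */
static size_t add_string (struct strtab *t, const char *name)
{
  size_t len = strlen (name);
  size_t need = entry_size (len);

  if (t->used + need > t->cap)
    {
      size_t ncap = t->cap ? t->cap : 64;
      while (t->used + need > ncap)
        ncap *= 2;
      unsigned char *nb = realloc (t->buf, ncap);
      if (nb == NULL)
        return (size_t) -1;   /* report failure; never exit() from a library */
      t->buf = nb;
      t->cap = ncap;
    }

  size_t off = t->used;
  unsigned char *p = t->buf + off;
  p[0] = (unsigned char) (len >> 24);   /* big-endian length prefix */
  p[1] = (unsigned char) (len >> 16);
  p[2] = (unsigned char) (len >> 8);
  p[3] = (unsigned char) len;
  memcpy (p + 4, name, len + 1);                     /* string plus NUL */
  memset (p + 4 + len + 1, 0, need - (4 + len + 1)); /* alignment padding */
  t->used += need;
  return off;
}
```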