Subject: Re: [patch bfd]: Prevent possible buffer overflow on pdata-section sorting
From: Kai Tietz
To: Kai Tietz, Binutils, Nick Clifton
Cc: Alan Modra
Date: Sat, 09 Apr 2011 09:50:00 -0000
In-Reply-To: <20110409043456.GG19002@bubble.grove.modra.org>
References: <20110407010943.GW19002@bubble.grove.modra.org> <20110407085238.GZ19002@bubble.grove.modra.org> <20110409043456.GG19002@bubble.grove.modra.org>
Mailing-List: contact binutils-help@sourceware.org; run by ezmlm
X-SW-Source: 2011-04/txt/msg00133.txt.bz2

2011/4/9 Alan Modra:
> On Thu, Apr 07, 2011 at 04:31:45PM +0200, Kai Tietz wrote:
>> 2011/4/7 Alan Modra:
>> > On Thu, Apr 07, 2011 at 08:15:42AM +0200, Kai Tietz wrote:
>> >> Hmm, not sure.
>> >
>> > Well, I'm 99% sure. :-)  rawsize on an output section, if non-zero, is
>> > just a stale size at bfd_final_link.
>>
>> So this 1% hits. I changed locally to use here just sec->size and I
>> found that the pdata section doesn't get sorted properly anymore. (You
>> can verify this with objdump -x, which prints warnings about
>> non-ascending data.)
>
> Ah, what I missed seeing is that coff_compute_section_file_positions
> is bumping the section size here:
>
> #ifdef COFF_IMAGE_WITH_PE
>       /* Set the padded size.  */
>       current->size = (current->size + page_size -1) & -page_size;
> #endif
>
> Obviously, you do want the size of data before this padding is added,
> but it's only a fluke that rawsize happens to be set correctly.  (You
> get it from the lang_reset_memory_regions call during preliminary
> section sizing in ldlang.c:strip_excluded_output_sections.)  That
> seems a little unreliable to me.  I'd be happier if in
> coff_compute_section_file_positions you always set rawsize in the loop
> that is padding section size (do it before any block of code that
> changes section size!).  Then just use sec->rawsize in your peXXigen.c
> patch.  I'll preapprove those changes.
>
> --
> Alan Modra
> Australia Development Lab, IBM
>

Ok, AFAICS it is enough here to set rawsize at one place. Just for the
bss section we don't want to set rawsize.

ChangeLog

2011-04-09  Kai Tietz

	* peXXigen.c (_bfd_XXi_final_link_postscript): Sort pdata in temporary
	buffer and use rawsize for sorting.
	* coffcode.h (coff_compute_section_file_positions): Set rawsize
	before doing alignment.

Tested for x86_64-w64-mingw32. Ok for apply?
Regards,
Kai

Attachment: pdata_x64_sort.txt

Index: src/bfd/peXXigen.c
===================================================================
--- src.orig/bfd/peXXigen.c	2011-04-08 21:08:20.230411500 +0200
+++ src/bfd/peXXigen.c	2011-04-09 11:46:00.611507900 +0200
@@ -2458,15 +2458,23 @@ _bfd_XXi_final_link_postscript (bfd * ab
 
     if (sec)
       {
-	bfd_size_type x = sec->rawsize ? sec->rawsize : sec->size;
+	bfd_size_type x = sec->rawsize;
+	bfd_byte *tmp_data = NULL;
 
-	if (x && bfd_get_section_contents (abfd, sec, pfinfo->contents, 0, x))
+	if (x)
+	  tmp_data = bfd_malloc (x);
+
+	if (tmp_data != NULL)
 	  {
-	    qsort (pfinfo->contents,
-	    	   (size_t) ((sec->size <x ? sec->size : x) / 12),
-	    	   12, sort_x64_pdata);
-	    bfd_set_section_contents (pfinfo->output_bfd, sec,
-	    			      pfinfo->contents, 0, x);
+	    if (bfd_get_section_contents (abfd, sec, tmp_data, 0, x))
+	      {
+		qsort (tmp_data,
+		       (size_t) (x / 12),
+		       12, sort_x64_pdata);
+		bfd_set_section_contents (pfinfo->output_bfd, sec,
+					  tmp_data, 0, x);
+	      }
+	    free (tmp_data);
 	  }
       }
   }
Index: src/bfd/coffcode.h
===================================================================
--- src.orig/bfd/coffcode.h	2011-04-09 10:29:19.000000000 +0200
+++ src/bfd/coffcode.h	2011-04-09 11:46:45.938100500 +0200
@@ -3297,6 +3297,11 @@ coff_compute_section_file_positions (bfd
       if (!(current->flags & SEC_HAS_CONTENTS))
 	continue;
 
+      /* Set rawsize for each section before we are doing alignment.  But
+         don't set rawsize for BSS section.  */
+      if (strcmp (current->name, _BSS) != 0)
+        current->rawsize = current->size;
+
 #ifdef COFF_IMAGE_WITH_PE
       /* Make sure we skip empty sections in a PE image.  */
       if (current->size == 0)
@@ -3363,7 +3368,7 @@ coff_compute_section_file_positions (bfd
 
 #ifdef COFF_IMAGE_WITH_PE
       /* Set the padded size.  */
-      current->size = (current->size + page_size -1) & -page_size;
+      current->size = (current->size + page_size - 1) & -page_size;
 #endif
 
       sofar += current->size;
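Review bot: in the peXXigen.c hunk both failure paths are silent: if bfd_malloc (x) returns NULL, or if bfd_get_section_contents fails, the block falls through and the image is written with an unsorted .pdata, which is exactly the state objdump -x warns about; consider reporting it (through the function's error return or at least a linker warning) instead of continuing quietly. In the same hunk, `(size_t) (x / 12)` drops a trailing partial entry without comment when rawsize is not a multiple of 12; a `x % 12 != 0` check that warns and skips the sort would surface a truncated or malformed .pdata rather than leaving it half-sorted. Note also that `x = sec->rawsize` now has no fallback to sec->size, so the sort depends entirely on the coffcode.h hunk having run for this section; a rawsize of 0 skips sorting with no diagnostic.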
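Review bot: in the 3297 hunk the exclusion is by name (strcmp (current->name, _BSS)) while the skip two lines above is by flags (SEC_HAS_CONTENTS), so the two criteria differ: either the name test is redundant with the flags skip, or the comment should say which .bss case it is catching and why that section must keep its old rawsize, given that Alan's pre-approval asked for rawsize to be set in this loop for every section. Two style points: the added `if` body is indented with eight spaces where the surrounding code uses a tab (compare the `	continue;` context line), and "before we are doing alignment" reads better as "before alignment is applied".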
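Review bot: the 3363 hunk is a whitespace-only change (`-1` to `- 1`) with no functional effect and no matching ChangeLog entry; either mention it as a formatting fix in the ChangeLog or drop it so the patch contains only the rawsize change it describes.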
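The thread turns on two sizes for the same output section: the data size before coff_compute_section_file_positions rounds it up to a page boundary, and the padded size afterwards. The following is an added example, not code from Kai's patch or from the bfd sources, showing why a .pdata sort must derive its entry count from the unpadded size: the padded size of even a tiny section is a whole page, and dividing that by 12 yields far more entries than the buffer holds. The 12-byte BeginAddress/EndAddress/UnwindData layout is the x64 RUNTIME_FUNCTION format from the PE specification; padded_size, pdata_entry_count, sort_pdata and the sample entries are constructed for this illustration.

```c
/* Added example (not part of the binutils patch): raw vs. padded section
   size, and a .pdata sort whose entry count comes from the raw size.  */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PDATA_ENTRY_SIZE 12   /* x64 RUNTIME_FUNCTION: Begin, End, UnwindData */

/* The rounding coff_compute_section_file_positions applies under
   COFF_IMAGE_WITH_PE: round SIZE up to a multiple of PAGE_SIZE, a power
   of two.  Negating the unsigned page size yields the alignment mask.  */
static uint64_t
padded_size (uint64_t size, uint64_t page_size)
{
  return (size + page_size - 1) & -page_size;
}

/* Number of 12-byte entries a sort would walk if it took SIZE as the
   amount of data.  Fed the padded size, this overstates the count, and
   qsort would then read past a buffer holding only the raw data.  */
static size_t
pdata_entry_count (uint64_t size)
{
  return (size_t) (size / PDATA_ENTRY_SIZE);
}

/* .pdata fields are little-endian 32-bit RVAs.  */
static uint32_t
get_le32 (const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

static void
put_le32 (unsigned char *p, uint32_t v)
{
  p[0] = v & 0xff;
  p[1] = (v >> 8) & 0xff;
  p[2] = (v >> 16) & 0xff;
  p[3] = (v >> 24) & 0xff;
}

/* Order entries by BeginAddress, the field the unwinder searches on.  */
static int
cmp_pdata (const void *a, const void *b)
{
  uint32_t ba = get_le32 (a), bb = get_le32 (b);
  return (ba > bb) - (ba < bb);
}

/* Sort RAWSIZE bytes of .pdata in place.  Returns the number of entries
   sorted, or -1 when RAWSIZE is not a whole number of entries, the case
   an unchecked division by 12 would silently truncate.  */
static long
sort_pdata (unsigned char *data, uint64_t rawsize)
{
  if (rawsize % PDATA_ENTRY_SIZE != 0)
    return -1;
  size_t n = pdata_entry_count (rawsize);
  qsort (data, n, PDATA_ENTRY_SIZE, cmp_pdata);
  return (long) n;
}

/* Constructed sample: three entries out of order, 36 bytes of raw data.  */
static unsigned char sample_pdata[3 * PDATA_ENTRY_SIZE];

static void
build_sample (void)
{
  static const uint32_t begins[3] = { 0x3000, 0x1000, 0x2000 };
  for (int i = 0; i < 3; i++)
    {
      unsigned char *e = sample_pdata + i * PDATA_ENTRY_SIZE;
      put_le32 (e, begins[i]);             /* BeginAddress */
      put_le32 (e + 4, begins[i] + 0x40);  /* EndAddress */
      put_le32 (e + 8, 0x5000 + 16 * i);   /* UnwindData RVA */
    }
}

/* Returns 1 when the sample sorts into ascending BeginAddress order.  */
static int
sample_sorted_ok (void)
{
  build_sample ();
  if (sort_pdata (sample_pdata, sizeof sample_pdata) != 3)
    return 0;
  for (int i = 1; i < 3; i++)
    if (get_le32 (sample_pdata + (i - 1) * PDATA_ENTRY_SIZE)
        >= get_le32 (sample_pdata + i * PDATA_ENTRY_SIZE))
      return 0;
  return 1;
}

int
main (void)
{
  uint64_t raw = sizeof sample_pdata;           /* 36 bytes of entries */
  uint64_t padded = padded_size (raw, 0x1000);  /* one 4 KiB page on disk */
  printf ("raw %llu -> padded %llu; entries by raw %zu, by padded %zu\n",
          (unsigned long long) raw, (unsigned long long) padded,
          pdata_entry_count (raw), pdata_entry_count (padded));
  printf ("sorted ok: %d\n", sample_sorted_ok ());
  return 0;
}
```

With a 4 KiB page the 36-byte sample pads to 4096 bytes, and 4096 / 12 is 341 entries against a buffer that holds 3; that gap is the over-read the patch closes by sizing its temporary buffer from rawsize and deriving the qsort count from the same value.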