From: Tom de Vries
To: dwz@sourceware.org, jakub@redhat.com
Subject: [committed] Fix dynamic-stack-buffer-overflow (write_dso, distance)
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-ID: <20190627161338.GA7240@delia>

Hi,

When compiling with gcc 8 and -fsanitize=address -lasan, we run into a
dynamic-stack-buffer-overflow related to the distance variable in write_dso.

The variable is allocated with dimension dso->ehdr.e_shnum, but we use
dso->ehdr.e_shnum elements while not using element 0.

Fix this by increasing the size of the distance variable.

This fixes the dwz-fedora-s390x buildbot failure.

Committed to trunk.

Thanks,
- Tom

Fix dynamic-stack-buffer-overflow (write_dso, distance)

2019-06-27  Tom de Vries

	PR dwz/24734
	* dwz.c (write_dso): Increase size of distance.

---
 dwz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dwz.c b/dwz.c index a73fe38..4e14086 100644 --- a/dwz.c +++ b/dwz.c @@ -10549,7 +10549,7 @@ write_dso (DSO *dso, const char *file, struct stat *st) GElf_Word shstrtabadd = 0; char *shstrtab = NULL; bool remove_sections[SECTION_COUNT]; - GElf_Off distance[dso->ehdr.e_shnum]; + GElf_Off distance[dso->ehdr.e_shnum + 1]; /* Array of sections and section header table sorted by file offset. */ unsigned int sorted_section_numbers[dso->ehdr.e_shnum + 1];
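
Review bot: The changed declaration "GElf_Off distance[dso->ehdr.e_shnum + 1];" has no comment explaining why it needs one element more than the section count, unlike sorted_section_numbers directly below it, which is documented ("Array of sections and section header table sorted by file offset."). The commit message gives the reason (element 0 is unused and dso->ehdr.e_shnum elements are used after it), so a one-line comment stating that indexing convention at the declaration would keep the size from being trimmed back in a later cleanup. Both arrays are variable-length stack arrays sized from dso->ehdr.e_shnum, which comes from the ELF header of the file being processed, and the out-of-bounds write was only caught under -fsanitize=address; consider deriving both sizes from one named count and asserting the index bound where distance is filled in, so a future mismatch fails in a normal build too.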