From: Keith Seitz
To: binutils@sourceware.org
Cc: gdb-patches@sourceware.org
Subject: [PATCH] Commit f64e188b5 broke core file support in gdb
Date: Wed, 10 Dec 2014 21:22:00 -0000
Message-Id: <1418246544-28431-1-git-send-email-keiths@redhat.com>

This commit causes hundreds of core file regressions in gdb:

commit f64e188b58f4aab4cbd03aa6e9fc1aa602546e26
Author: Nick Clifton
Date:   Tue Dec 9 12:42:18 2014 +0000

    More fixes for memory access violations triggered by fuzzed binaries.

    PR binutils/17512
    * objdump.c (display_any_bfd): Avoid infinite loop closing and
    opening the same archive again and again.
    * archive64.c (bfd_elf64_archive_slurp_armap): Add range checks.
    * libbfd.c (safe_read_leb128): New function.
    * libbfd-in.h (safe_read_leb128): Add prototype.
    * libbfd.h: Regenerate.
    * elf-attrs.c (_bfd_elf_parse_attributes): Use safe_read_leb128.
    Check for an over-long subsection length.
    * elf.c (elf_parse_notes): Check that the namedata is long enough
    for the string comparison that is about to be performed.
    (elf_read_notes): Zero-terminate the note buffer.

This hunk is the culprit:

diff --git a/bfd/elf.c b/bfd/elf.c
index 405ec33..f6923b4 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -9817,32 +9817,33 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset) return TRUE; case bfd_core: - if (CONST_STRNEQ (in.namedata, "NetBSD-CORE")) - { - if (! elfcore_grok_netbsd_note (abfd, &in)) - return FALSE; - } - else if (CONST_STRNEQ (in.namedata, "OpenBSD")) - { - if (! elfcore_grok_openbsd_note (abfd, &in)) - return FALSE; - } - else if (CONST_STRNEQ (in.namedata, "QNX")) + { + struct { - if (! elfcore_grok_nto_note (abfd, &in)) - return FALSE; + const char * string; + bfd_boolean (* func)(bfd *, Elf_Internal_Note *); } - else if (CONST_STRNEQ (in.namedata, "SPU/")) + grokers[] = { - if (! elfcore_grok_spu_note (abfd, &in)) - return FALSE; - } - else - { - if (! elfcore_grok_note (abfd, &in)) - return FALSE; - } - break; + { "", elfcore_grok_note }, + { "NetBSD-CORE", elfcore_grok_netbsd_note }, + { "OpenBSD", elfcore_grok_openbsd_note }, + { "QNX", elfcore_grok_nto_note }, + { "SPU/", elfcore_grok_spu_note } + }; + int i; + + for (i = ARRAY_SIZE (grokers); i--;) + if (in.namesz >= sizeof grokers[i].string - 1 + && strncmp (in.namedata, grokers[i].string, + sizeof (grokers[i].string) - 1) == 0) + { + if (! grokers[i].func (abfd, & in)) + return FALSE; + break; + } + break; + } case bfd_object: if (in.namesz == sizeof "GNU" && strcmp (in.namedata, "GNU") == 0) Note how this applies sizeof to grokers[i].string... Keith bfd/ChangeLog * elf.c (elf_parse_notes): Define convenience macro GROKER_ELEMENT to add string lengths to 'grokers'. Use grokers.len instead of sizeof in string comparisons. --- bfd/elf.c | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/bfd/elf.c b/bfd/elf.c index f7c1b9e..c8238ba 100644 --- a/bfd/elf.c +++ b/bfd/elf.c 
@@ -9706,30 +9706,35 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset) case bfd_core: { +#define GROKER_ELEMENT(S,F) {S, sizeof (S) - 1, F} struct { const char * string; + size_t len; bfd_boolean (* func)(bfd *, Elf_Internal_Note *); } grokers[] = { - { "", elfcore_grok_note }, - { "NetBSD-CORE", elfcore_grok_netbsd_note }, - { "OpenBSD", elfcore_grok_openbsd_note }, - { "QNX", elfcore_grok_nto_note }, - { "SPU/", elfcore_grok_spu_note } + GROKER_ELEMENT ("", elfcore_grok_note), + GROKER_ELEMENT ("NetBSD-CORE", elfcore_grok_netbsd_note), + GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note), + GROKER_ELEMENT ("QNX", elfcore_grok_nto_note), + GROKER_ELEMENT ("SPU/", elfcore_grok_spu_note) }; +#undef GROKER_ELEMENT int i; for (i = ARRAY_SIZE (grokers); i--;) - if (in.namesz >= sizeof grokers[i].string - 1 - && strncmp (in.namedata, grokers[i].string, - sizeof (grokers[i].string) - 1) == 0) - { - if (! grokers[i].func (abfd, & in)) - return FALSE; - break; - } + { + if (in.namesz >= grokers[i].len + && strncmp (in.namedata, grokers[i].string, + grokers[i].len) == 0) + { + if (! grokers[i].func (abfd, & in)) + return FALSE; + break; + } + } break; } -- 1.9.3
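Review bot: the new `len` field is the right fix, but the hunk deserves a one-line comment on why, because the removed lines are subtle: `sizeof grokers[i].string - 1` is `sizeof (const char *) - 1`, a constant 7 on 64-bit hosts (3 on 32-bit), not the length of the literal, so `"NetBSD-CORE"` was matched on only its first 7 bytes, and the catch-all `""` entry demanded `in.namesz >= 7` before comparing against an empty string, so any note with a shorter name matched no entry at all and was silently skipped instead of reaching `elfcore_grok_note`. With `GROKER_ELEMENT(S,F) {S, sizeof (S) - 1, F}` the `sizeof` is applied to the string literal itself, so `len` is correct, and `strncmp (in.namedata, grokers[i].string, grokers[i].len)` is bounded by `in.namesz >= grokers[i].len`. Note that the catch-all still relies on the loop counting down from `ARRAY_SIZE (grokers)` so that `""` (len 0, for which the `strncmp` is trivially 0) is tried last; a short comment on the table ordering would stop someone placing a new entry before it. Two nits: `GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note)` has a stray space after the parenthesis, and the braces added around the single `if` inside the `for` body are a pure whitespace change that could be dropped to keep the diff minimal.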