This commit causes hundreds of core file regressions in gdb:

commit f64e188b58 Author: Nick Clifton <nickc@redhat.com> Date: Tue Dec 9 12:42:18 2014 +0000 More fixes for memory access violations triggered by fuzzed binaries. [snip] * elf.c (elf_parse_notes): Check that the namedata is long enough for the string comparison that is about to be performed. (elf_read_notes): Zero-terminate the note buffer. This change to elf_parse_notes is the culprit: + for (i = ARRAY_SIZE (grokers); i--;) + if (in.namesz >= sizeof grokers[i].string - 1 + && strncmp (in.namedata, grokers[i].string, + sizeof (grokers[i].string) - 1) == 0) Note how this applies sizeof to grokers[i].string... bfd/ChangeLog * elf.c (elf_parse_notes): Define convenience macro GROKER_ELEMENT to add elements to 'grokers'. Use grokers.len instead of sizeof in string comparisons.
2014-12-11 09:39:24 -08:00 · 2014-12-11 09:39:24 -08:00 · 8acbedd60e
parent 540feddfde
commit 8acbedd60e
2 changed files with 26 additions and 13 deletions
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@ -1,3 +1,11 @@
+2014-12-11  Keith Seitz  <keiths@redhat.com>
+
+	* elf.c (elf_parse_notes): Define convenience macro
+	GROKER_ELEMENT to add elements to 'grokers' array.
+	Add 'len' element to 'grokers'.
+	Use grokers.len instead of sizeof in string
+	comparisons.
+
 2014-12-10  Alan Modra  <amodra@gmail.com>

 	* Makefile.am (BFD32_LIBS, BFD32_LIBS_CFILES): Remove dwarf2
--- a/bfd/elf.c
+++ b/bfd/elf.c
@ -9706,30 +9706,35 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset)

 	case bfd_core:
 	  {
+#define GROKER_ELEMENT(S,F) {S, sizeof (S) - 1, F}
 	    struct
 	    {
 	      const char * string;
+	      size_t len;
 	      bfd_boolean (* func)(bfd *, Elf_Internal_Note *);
 	    }
 	    grokers[] =
 	    {
-	      { "", elfcore_grok_note },
-	      { "NetBSD-CORE", elfcore_grok_netbsd_note },
-	      { "OpenBSD", elfcore_grok_openbsd_note },
-	      { "QNX", elfcore_grok_nto_note },
-	      { "SPU/", elfcore_grok_spu_note }
+	      GROKER_ELEMENT ("", elfcore_grok_note),
+	      GROKER_ELEMENT ("NetBSD-CORE", elfcore_grok_netbsd_note),
+	      GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note),
+	      GROKER_ELEMENT ("QNX", elfcore_grok_nto_note),
+	      GROKER_ELEMENT ("SPU/", elfcore_grok_spu_note)
 	    };
+#undef GROKER_ELEMENT
 	    int i;

 	    for (i = ARRAY_SIZE (grokers); i--;)
-	      if (in.namesz >= sizeof grokers[i].string - 1
-		  && strncmp (in.namedata, grokers[i].string,
-			      sizeof (grokers[i].string) - 1) == 0)
-		{
-		  if (! grokers[i].func (abfd, & in))
-		    return FALSE;
-		  break;
-		}
+	      {
+		if (in.namesz >= grokers[i].len
+		    && strncmp (in.namedata, grokers[i].string,
+				grokers[i].len) == 0)
+		  {
+		    if (! grokers[i].func (abfd, & in))
+		      return FALSE;
+		    break;
+		  }
+	      }
 	    break;
 	  }