https://sourceware.org/bugzilla/show_bug.cgi?id=24055
Bug ID: 24055
Summary: _bfd_xcoff_swap_aux_in smashes the stack
Product: binutils
Version: 2.31
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: ld
Assignee: unassigned at sourceware dot org
Reporter: wolfgang.thaller at gmx dot net
Target Milestone: ---

Created attachment 11506
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11506&action=edit
Patch to avoid a buffer overflow.

Affected: 32-bit XCOFF (PowerPC32 AIX) and maybe some other COFF platforms.

Most call sites pass a pointer to a single stack-allocated union internal_auxent as the last parameter to swap_aux_in. The function _bfd_xcoff_swap_aux_in in coff-rs6000.c, when encountering a C_FILE with multiple aux entries, attempts to copy numaux entries at once using a memcpy, thus smashing the stack.

There appear to be a few more instances of the swap_aux_in code; coffswap.h/coff_swap_aux_in and coffcode.h/coff_bigobj_swap_aux_in also copy multiple entries in the C_FILE case. By contrast, coff64-rs6000.c/_bfd_xcoff64_swap_aux_in and peXXigen.c/_bfd_XXi_swap_aux_in only copy a single aux entry.

The attached patch makes the coff-rs6000.c version match the coff64-rs6000.c one. It fixes segfaults for me, but is only tested in the context of my hobby project, a cross compiler to ancient 1990s PowerMacs (https://github.com/autc04/Retro68).
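The defect the report describes is a size mismatch between what the caller allocates (one aux entry) and what the C_FILE path writes (numaux entries). The following is an added, self-contained model of that mismatch, not code from binutils or from the reporter's patch: `aux_entry` is a hypothetical 18-byte stand-in for `union internal_auxent`, `swap_aux_in_unchecked` models the pre-patch C_FILE path, and `swap_aux_in_fixed` models the single-entry behaviour the patch adopts from coff64-rs6000.c. Instead of a real stack frame, the destination is a byte region laid out as one entry slot followed by a canary, so the out-of-bounds write can be measured rather than crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for binutils' union internal_auxent: only its size
   matters for this demonstration (the real union is larger and lives in
   bfd's include/coff/internal.h). */
typedef struct { uint8_t raw[18]; } aux_entry;

#define C_FILE 103          /* COFF storage class of a file-name symbol */
#define NUMAUX 3            /* constructed: the C_FILE symbol has 3 aux entries */
#define CANARY_LEN 64
#define CANARY_BYTE 0xA5

/* Models the pre-patch C_FILE path: copies all numaux raw entries into *out,
   although callers provide room for exactly one entry. */
static void swap_aux_in_unchecked(const uint8_t *ext, int storage_class,
                                  int numaux, aux_entry *out)
{
    if (storage_class == C_FILE)
        memcpy(out, ext, (size_t)numaux * sizeof(aux_entry)); /* overruns when numaux > 1 */
    else
        memcpy(out, ext, sizeof(aux_entry));
}

/* Models the patched behaviour: copy only the entry selected by indx, and
   refuse indices outside [0, numaux). Returns 0 on success, -1 on a bad index. */
static int swap_aux_in_fixed(const uint8_t *ext, int storage_class,
                             int numaux, int indx, aux_entry *out)
{
    (void)storage_class;
    if (indx < 0 || indx >= numaux)
        return -1;
    memcpy(out, ext + (size_t)indx * sizeof(aux_entry), sizeof(aux_entry));
    return 0;
}

/* Decode into a region laid out as [one aux_entry slot][canary] and report how
   many canary bytes were overwritten; 0 means the copy stayed within the slot. */
int canary_bytes_clobbered(int use_fixed)
{
    uint8_t ext[NUMAUX * sizeof(aux_entry)];            /* constructed raw aux bytes */
    uint8_t region[sizeof(aux_entry) + CANARY_LEN];     /* slot + canary, no real stack damage */
    int i, clobbered = 0;

    for (i = 0; i < (int)sizeof ext; i++)
        ext[i] = (uint8_t)i;
    memset(region, CANARY_BYTE, sizeof region);

    if (use_fixed)
        swap_aux_in_fixed(ext, C_FILE, NUMAUX, 0, (aux_entry *)region);
    else
        swap_aux_in_unchecked(ext, C_FILE, NUMAUX, (aux_entry *)region);

    for (i = 0; i < CANARY_LEN; i++)
        if (region[sizeof(aux_entry) + i] != CANARY_BYTE)
            clobbered++;
    return clobbered;
}

/* Returns 1 if the fixed decoder rejects an index equal to numaux. */
int fixed_rejects_out_of_range(void)
{
    uint8_t ext[NUMAUX * sizeof(aux_entry)] = {0};
    aux_entry out;
    return swap_aux_in_fixed(ext, C_FILE, NUMAUX, NUMAUX, &out) == -1;
}

int main(void)
{
    printf("unchecked C_FILE path clobbered %d canary bytes\n", canary_bytes_clobbered(0));
    printf("fixed C_FILE path clobbered %d canary bytes\n", canary_bytes_clobbered(1));
    printf("fixed path rejects out-of-range index: %d\n", fixed_rejects_out_of_range());
    return 0;
}
```

With three 18-byte aux entries, the unchecked path writes 54 bytes into an 18-byte slot, so 36 canary bytes change; the fixed path writes exactly one entry and leaves the canary intact. The same arithmetic (numaux times the entry size versus the single entry the caller reserved) is what a reviewer should check at every swap_aux_in call site the report lists.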