This is the mail archive of the mailing list for the binutils project.
eh-frame: CIE initial_instructions overflow
- From: Christophe Lyon <christophe dot lyon at linaro dot org>
- To: binutils at sourceware dot org
- Date: Wed, 18 Dec 2013 18:44:36 +0100
- Subject: eh-frame: CIE initial_instructions overflow
- Authentication-results: sourceware.org; auth=none
I am chasing a bug where the size of the CIE initial_instructions is
larger than 50.
Currently, in bfd/elf-eh-frame.c we have a definition of struct cie
which ends with:
  unsigned char initial_instructions[50];
In _bfd_elf_parse_eh_frame(), we have:
  initial_insn_length = end - buf;
  if (initial_insn_length <= sizeof (cie->initial_instructions))
    {
      cie->initial_insn_length = initial_insn_length;
      memcpy (cie->initial_instructions, buf, initial_insn_length);
    }
so in my case, we don't enter the if(), and when later:
  if (insns_end != end && this_inf->cie)
    {
      cie->initial_insn_length -= end - insns_end;
      cie->length -= end - insns_end;
    }
we write an incorrect value in cie->initial_insn_length, resulting in
later invalid memory accesses.
I am not sure about the intent of this static size of 50 (if I
increase it, the error disappears)?
Should I add code to increase the size of this field if it's not large
enough, or does it mean that the bug is elsewhere (e.g. in the actual
contents being parsed)?
As the rest of the code assumes that all the CIEs have the same size,
it's so much easier to replace 50 by another, larger value than adding
bfd_realloc() calls and then checking if the size is still the default
one or not. Is it worth the change?
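The failure mode described in the post, reproduced in a constructed example (added here; this is not code from the message or from binutils, and struct toy_cie, parse_cie_unguarded_trim, parse_cie_checked and build_sample are stand-ins invented for the illustration): a guarded copy into a fixed 50-byte buffer followed by an unguarded trim of trailing DW_CFA_nop bytes. When the instruction stream does not fit, the length field is still zero and the unsigned subtraction wraps, which is exactly the "incorrect value in cie->initial_insn_length" the post reports. The checked variant refuses oversized input up front and only trims what it actually copied, so the invariant initial_insn_length <= sizeof initial_instructions always holds for consumers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for the two fields of bfd's struct cie
   that the post discusses.  Not the real binutils definition.  */
#define CIE_INSN_CAPACITY 50u

struct toy_cie {
  unsigned char initial_instructions[CIE_INSN_CAPACITY];
  unsigned int initial_insn_length;
};

enum parse_status { PARSE_OK = 0, PARSE_INSNS_TOO_LONG = 1 };

/* DW_CFA_nop is opcode 0x00; trailing nops are padding that gets trimmed.  */
static size_t count_trailing_nops(const unsigned char *buf, size_t len)
{
  size_t n = 0;
  while (n < len && buf[len - 1 - n] == 0x00)
    n++;
  return n;
}

/* Same shape as the code quoted in the post: copy and length store are guarded
   by the buffer size, but the later trim is applied unconditionally.  When the
   instructions do not fit, initial_insn_length is still 0 and the subtraction
   wraps around to a huge unsigned value.  */
static unsigned int parse_cie_unguarded_trim(struct toy_cie *cie,
                                             const unsigned char *buf, size_t len)
{
  size_t nops = count_trailing_nops(buf, len);
  memset(cie, 0, sizeof *cie);
  if (len <= sizeof cie->initial_instructions) {
    cie->initial_insn_length = (unsigned int) len;
    memcpy(cie->initial_instructions, buf, len);
  }
  if (nops != 0)
    cie->initial_insn_length -= (unsigned int) nops;  /* wraps if nothing was copied */
  return cie->initial_insn_length;
}

/* Hardened variant: reject input that does not fit instead of leaving the
   struct half-initialised, and derive the length from what was really copied.  */
static enum parse_status parse_cie_checked(struct toy_cie *cie,
                                           const unsigned char *buf, size_t len)
{
  memset(cie, 0, sizeof *cie);
  if (len > sizeof cie->initial_instructions)
    return PARSE_INSNS_TOO_LONG;
  memcpy(cie->initial_instructions, buf, len);
  cie->initial_insn_length = (unsigned int) (len - count_trailing_nops(buf, len));
  return PARSE_OK;
}

/* Invariant every consumer of the struct should be able to rely on.  */
static int cie_length_is_sane(const struct toy_cie *cie)
{
  return cie->initial_insn_length <= sizeof cie->initial_instructions;
}

/* Constructed sample stream (not from a real object file): len - 4 bytes of
   DW_CFA_advance_loc with delta 1 (0x41) followed by four DW_CFA_nop bytes.  */
static size_t build_sample(unsigned char *out, size_t len)
{
  if (len < 4)
    return 0;
  memset(out, 0x41, len - 4);
  memset(out + len - 4, 0x00, 4);
  return len;
}

/* Convenience runs over a 60-byte sample that exceeds the 50-byte buffer.  */
static unsigned int demo_wrapped_length(void)
{
  unsigned char buf[60];
  struct toy_cie cie;
  size_t n = build_sample(buf, sizeof buf);
  return parse_cie_unguarded_trim(&cie, buf, n);
}

static enum parse_status demo_checked_status(void)
{
  unsigned char buf[60];
  struct toy_cie cie;
  size_t n = build_sample(buf, sizeof buf);
  return parse_cie_checked(&cie, buf, n);
}

int main(void)
{
  printf("unguarded trim on 60-byte stream: initial_insn_length = %u\n",
         demo_wrapped_length());
  printf("checked parser on 60-byte stream: status = %d (1 = too long)\n",
         (int) demo_checked_status());
  return 0;
}
```

The wrapped value is what a later consumer would use to index into the 50-byte array, which is why the post sees invalid memory accesses; a parser that returns a status for oversized input turns that into a clean rejection rather than a silent bad length.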