This is the mail archive of the mailing list for the binutils project.

eh-frame: CIE initial_instructions overflow


I am chasing a bug where the size of the CIE initial_instructions is
larger than 50.

Currently, in bfd/elf-eh-frame.c we have a definition of struct cie
which ends with:
  unsigned char initial_instructions[50];

In _bfd_elf_parse_eh_frame(), we have:
      initial_insn_length = end - buf;
      if (initial_insn_length <= sizeof (cie->initial_instructions))
        {
          cie->initial_insn_length = initial_insn_length;
          memcpy (cie->initial_instructions, buf, initial_insn_length);
        }

so in my case, we don't enter the if(), and when later:
      if (insns_end != end && this_inf->cie)
        {
          cie->initial_insn_length -= end - insns_end;
          cie->length -= end - insns_end;
        }

we write an incorrect value in cie->initial_insn_length, resulting in
later invalid memory accesses.

I am not sure about the intent of this static size of 50 (if I
increase it, the error disappears)?
Should I add code to increase the size of this field if it's not large
enough, or does it mean that the bug is elsewhere (e.g. in the actual
contents being parsed)?

As the rest of the code assumes that all the CIEs have the same size,
it's so much easier to replace 50 by another, larger value than adding
bfd_realloc() calls and then checking if the size is still the default
one or not. Is it worth the change?
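An added illustration, not code from this post or from binutils, of why the length that never gets recorded matters: a reduced model of struct cie with the same fixed 50-byte buffer, where the later trim step refuses to subtract more than was stored instead of wrapping. The struct fields, the helper names and the 60-byte input are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>
/* Reduced model of struct cie from bfd/elf-eh-frame.c: fixed 50-byte
   buffer for the initial instructions, byte count tracked separately. */
struct cie {
    size_t length;               /* whole CIE size in bytes */
    size_t initial_insn_length;  /* bytes actually stored below */
    unsigned char initial_instructions[50];
};

/* Parse step: copy the instructions only when they fit.
   Returns 1 if stored, 0 if they were too long (nothing copied). */
int cie_store_initial_insns(struct cie *cie, const unsigned char *buf,
                            const unsigned char *end)
{
    size_t n = (size_t)(end - buf);
    if (n > sizeof cie->initial_instructions) {
        cie->initial_insn_length = 0;
        return 0;
    }
    cie->initial_insn_length = n;
    memcpy(cie->initial_instructions, buf, n);
    return 1;
}

/* Trim step: an unguarded "initial_insn_length -= end - insns_end" wraps
   when nothing was stored; refuse instead. Returns 0 on success, -1 if not. */
int cie_trim_padding(struct cie *cie, const unsigned char *insns_end,
                     const unsigned char *end)
{
    size_t trim = (size_t)(end - insns_end);
    if (trim > cie->initial_insn_length || trim > cie->length)
        return -1;
    cie->initial_insn_length -= trim;
    cie->length -= trim;
    return 0;
}

/* Constructed scenario: 60 instruction bytes ending in 4 padding bytes,
   i.e. more than the buffer holds. Returns the trim result (-1). */
int demo_oversized_cie(void)
{
    static const unsigned char insns[60];        /* constructed input */
    struct cie cie = { .length = 80 };           /* constructed size */
    const unsigned char *end = insns + sizeof insns;
    cie_store_initial_insns(&cie, insns, end);   /* too long: returns 0 */
    return cie_trim_padding(&cie, end - 4, end);
}
```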