This is the mail archive of the mailing list for the binutils project.


[PATCH] Fix for reads of unallocated memory in ld

I don't have commit privileges, could someone please review, and if found satisfactory, apply this patch?

--Douglas Rupp

Patch attached for errors found with valgrind while working on arm-wrs-vxworks-ld, e.g.:

==13043== Invalid read of size 1
==13043==    at 0x4935A2: iterative_hash (hashtab.c:974)
==13043==  Address 0x66e0e1b is not stack'd, malloc'd or (recently) free'd

It's not specific to arm-wrs-vxworks. The problem is there's a path through elf-eh-frame.c/skip_non_nops() that doesn't set the return value properly, and leaves it off by 1. Later on this value, which should be 0, causes a problem in this bit of code, also in bfd/elf-eh-frame.c:

      insns_end = skip_non_nops (insns, end, length, &set_loc_count);
      this_inf->size -= end - insns_end;
      if (insns_end != end && this_inf->cie)
        {
          cie->initial_insn_length -= end - insns_end;
          cie->length -= end - insns_end;
        }

If cie->initial_insn_length is 0, the subtraction underflows to 255 which is a bogus value. When the hashing function gets ahold of the value, it starts reading unallocated memory.

Attachment: nops.diff.txt
Description: Text document
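As an added illustration, not part of Douglas Rupp's patch or of bfd's own code: a stripped-down C model of the CIE fields named above, showing the unsigned char wrap from 0 to 255 in the quoted subtraction, a guarded version of the same subtraction, and a hash that stays inside the instruction buffer. The struct and function names are hypothetical; the 8-bit initial_insn_length and the 50-byte initial_instructions buffer are assumptions taken from my reading of bfd's struct cie.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Simplified model of the CIE bookkeeping in bfd/elf-eh-frame.c
   (assumption: the real struct cie has many more fields).  */
struct cie_model
{
  unsigned int length;
  unsigned char initial_insn_length;
  unsigned char initial_instructions[50];
};

/* The subtraction as quoted in the mail: with initial_insn_length == 0
   and delta == 1 the unsigned char wraps to 255.  Returns the new value.  */
unsigned char
trim_cie_unchecked (struct cie_model *cie, size_t delta)
{
  cie->initial_insn_length -= delta;
  cie->length -= delta;
  return cie->initial_insn_length;
}

/* Hardened variant: refuse to trim more bytes than the CIE records,
   so neither length can wrap.  Returns true on success.  */
bool
trim_cie_checked (struct cie_model *cie, size_t delta)
{
  if (delta > cie->initial_insn_length || delta > cie->length)
    return false;
  cie->initial_insn_length -= (unsigned char) delta;
  cie->length -= (unsigned int) delta;
  return true;
}

/* Bounded hash of the initial instructions (stand-in for iterative_hash):
   a length larger than the buffer is clamped instead of read past, and
   the number of bytes actually hashed is reported through *hashed.  */
uint32_t
hash_cie_insns (const struct cie_model *cie, size_t *hashed)
{
  size_t n = cie->initial_insn_length;
  if (n > sizeof cie->initial_instructions)
    n = sizeof cie->initial_instructions;
  uint32_t h = 2166136261u;            /* FNV-1a, chosen for brevity */
  for (size_t i = 0; i < n; i++)
    h = (h ^ cie->initial_instructions[i]) * 16777619u;
  *hashed = n;
  return h;
}
```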
