git.wh0rd.org Git - elf2flt.git/commit

author	Maxime Coquelin <maxime.coquelin@st.com>
	Wed, 20 Apr 2016 08:00:39 +0000 (10:00 +0200)
committer	Maxime Coquelin <maxime.coquelin@st.com>
	Wed, 20 Apr 2016 08:26:37 +0000 (10:26 +0200)
commit	4595382ea76f85dced017b1b17b37ef9513458b6
tree	0c73b2ca8747b33fcf6a35b78da48be95e145dad	tree \| snapshot
parent	8a3e74446fe7d866f0517ee089a37f4bdf4bc9f7	commit \| diff

Fix buffer overflow in output_relocs()

This crash is seen when trying to build uclibc for a ARMV7-M platform on a
x86-64 host:

make[1]: Entering directory `<...>/build/uclibc-1.0.14'
CC utils/getconf
*** buffer overflow detected ***: <...>/bin/elf2flt terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x2ad3be5f738f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x2ad3be68ec9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x2ad3be68db60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109069)[0x2ad3be68d069]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xbc)[0x2ad3be5ff70c]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xaef)[0x2ad3be5ce7df]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x2ad3be68d0f4]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x2ad3be68d04d]
<...>/bin/elf2flt[0x403cda]
<...>/bin/elf2flt[0x4030a4]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x2ad3be5a5ec5]
<...>/bin/elf2flt[0x403642]
...

In output_relocs, we do "sprintf(&addstr[0], "+0x%lx", ...)", with addrstr
being a 16 bytes array.

On 64bits hosts, in the unlikely case the value overflows 32bits, the buffer
may overflow.

Indeed, the maximum theorical size is 20 bytes (16 bytes for the value + 3
bytes for "+0x" + the end of string marker).

The reason the value overflows 32bits is yet to be understood, as the ARMV7-M
is 32bits architecture, but this patch first ensure the sprintf call is robust
enough.

Signed-off-by: Maxime Coquelin <mcoquelin.stm32@gmail.com>