This commit causes hundreds of core file regressions in gdb:
authorKeith Seitz <keiths@redhat.com>
Thu, 11 Dec 2014 17:39:24 +0000 (09:39 -0800)
committerKeith Seitz <keiths@redhat.com>
Thu, 11 Dec 2014 17:39:24 +0000 (09:39 -0800)
commit f64e188b58f4aab4cbd03aa6e9fc1aa602546e26
Author: Nick Clifton <nickc@redhat.com>
Date:   Tue Dec 9 12:42:18 2014 +0000

    More fixes for memory access violations triggered by fuzzed binaries.
    [snip]
        * elf.c (elf_parse_notes): Check that the namedata is long enough
        for the string comparison that is about to be performed.
        (elf_read_notes): Zero-terminate the note buffer.

This change to elf_parse_notes is the culprit:

+           for (i = ARRAY_SIZE (grokers); i--;)
+             if (in.namesz >= sizeof grokers[i].string - 1
+                 && strncmp (in.namedata, grokers[i].string,
+                             sizeof (grokers[i].string) - 1) == 0)

Note how this applies sizeof to grokers[i].string, which is a `const char *`: the comparison length becomes the size of a pointer (4 or 8 bytes) rather than the length of the name string, so the prefix match is wrong for every entry in the table...

bfd/ChangeLog

        * elf.c (elf_parse_notes): Define convenience macro
        GROKER_ELEMENT to add elements to 'grokers'.
        Use grokers.len instead of sizeof in string comparisons.

bfd/ChangeLog
bfd/elf.c

index 76e382e6fdf6491d9bb086acabd29fafb9570026..9443507f243fe9935958bb5e8929907541633a30 100644 (file)
@@ -1,3 +1,11 @@
+2014-12-11  Keith Seitz  <keiths@redhat.com>
+
+       * elf.c (elf_parse_notes): Define convenience macro
+       GROKER_ELEMENT to add elements to 'grokers' array.
+       Add 'len' element to 'grokers'.
+       Use grokers.len instead of sizeof in string
+       comparisons.
+
 2014-12-10  Alan Modra  <amodra@gmail.com>
 
        * Makefile.am (BFD32_LIBS, BFD32_LIBS_CFILES): Remove dwarf2
index f7c1b9eaeb94418d2ea85eadf5d23ca70c311aee..c8238bae971990ac12de94576070e6e1d00934cd 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -9706,30 +9706,35 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset)
 
        case bfd_core:
          {
+#define GROKER_ELEMENT(S,F) {S, sizeof (S) - 1, F}
            struct
            {
              const char * string;
+             size_t len;
              bfd_boolean (* func)(bfd *, Elf_Internal_Note *);
            }
            grokers[] =
            {
-             { "", elfcore_grok_note },
-             { "NetBSD-CORE", elfcore_grok_netbsd_note },
-             { "OpenBSD", elfcore_grok_openbsd_note },
-             { "QNX", elfcore_grok_nto_note },
-             { "SPU/", elfcore_grok_spu_note }
+             GROKER_ELEMENT ("", elfcore_grok_note),
+             GROKER_ELEMENT ("NetBSD-CORE", elfcore_grok_netbsd_note),
+             GROKER_ELEMENT ( "OpenBSD", elfcore_grok_openbsd_note),
+             GROKER_ELEMENT ("QNX", elfcore_grok_nto_note),
+             GROKER_ELEMENT ("SPU/", elfcore_grok_spu_note)
            };
+#undef GROKER_ELEMENT
            int i;
 
            for (i = ARRAY_SIZE (grokers); i--;)
-             if (in.namesz >= sizeof grokers[i].string - 1
-                 && strncmp (in.namedata, grokers[i].string,
-                             sizeof (grokers[i].string) - 1) == 0)
-               {
-                 if (! grokers[i].func (abfd, & in))
-                   return FALSE;
-                 break;
-               }
+             {
+               if (in.namesz >= grokers[i].len
+                   && strncmp (in.namedata, grokers[i].string,
+                               grokers[i].len) == 0)
+                 {
+                   if (! grokers[i].func (abfd, & in))
+                     return FALSE;
+                   break;
+                 }
+             }
            break;
          }
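Review bot: GROKER_ELEMENT, defined at the top of the hunk, only yields the right length when S is a string literal; applied to a `const char *` it would silently reproduce the very sizeof-of-a-pointer bug this commit removes, so the macro deserves a one-line comment such as `/* S must be a string literal: sizeof (S) - 1 is its length without the terminating NUL.  */`. The new comparison reads `grokers[i].len` bytes of `in.namedata` on the strength of `in.namesz >= grokers[i].len` alone, which is only safe if `in.namesz` has already been validated against the remaining note buffer earlier in elf_parse_notes, outside this hunk — worth confirming rather than assuming. Because the loop walks the table backwards and the `""` entry has len 0, `strncmp (..., 0)` always returns 0, making elfcore_grok_note the catch-all; a short comment on the table, e.g. `/* Tried last to first; the empty-name entry is the fallback.  */`, would make that ordering dependency explicit. Minor: the stray space in `GROKER_ELEMENT ( "OpenBSD", ...)` differs from the other entries. The enclosing function continues beyond the end of this hunk.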