[Bug libctf/29983] 2.36+ type confusion in outdated-input warning causes out-of-bounds access and possible overwrite
From: nick.alcock at oracle dot com
Subject: [Bug libctf/29983] 2.36+ type confusion in outdated-input warning causes out-of-bounds access and possible overwrite
Date: Tue, 10 Jan 2023 12:43:00 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=29983
Nick Alcock <nick.alcock at oracle dot com> changed:
What       |Removed                          |Added
----------------------------------------------------------------------------
Assignee   |unassigned at sourceware dot org |nick.alcock at oracle dot com
Status     |NEW                              |ASSIGNED
--- Comment #1 from Nick Alcock <nick.alcock at oracle dot com> ---
Fix under test.
The root cause of this is a bug in the code which checks for outdated object
file inputs from old compilers that emitted a func info section format that has
never been supported by libctf: it mistakenly uses the wrong type for the value
of the ctf_link_inputs hashtable and treats it as a much larger structure than
it is: if unlucky and the controlling test fails, it tries to add stuff to a
list of errors and warnings located far beyond the *actual* end of the
structure in ctf_link_inputs.
It rarely bites in practice because it is relatively unlikely to happen on
systems with 64-bit pointers: we dereference the second pointer element of
(what we think is a) ctf_dict and then dig out its fourth byte (the header
flags word), but the corresponding element in the real structure is part of the
ctfa_magic in a ctf_archive (always allocated in a normal ld link), and it just
so happens that on a platform with 64-bit pointers the relevant bit of the
magic appears to have the relevant flags turned off. But on 32-bit this can
really bite, though it is very unlikely to cause anything but a crash and would
require near-total control of the process and careful preparation of the heap
to cause it to produce anything more than a crash.
Nonetheless, will backport the fix to all applicable branches.
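The mechanism described in the comment above, as an added toy model (not libctf's code, and not its real type layouts): a hashtable holds a small per-input record, but the check casts the value to a much larger dict type. The second pointer slot of both types coincides, so following it lands in the archive that the real record points to, and the "header flags" byte is actually byte 3 of the archive magic; when that byte makes the input look outdated, the code appends to a warning list whose offset lies well past the end of the real allocation. All names (toy_link_input, toy_dict, toy_archive, FLAG_NEW_FUNCINFO, the sample magic value) are hypothetical stand-ins, and the sample magic is constructed so that the flag looks clear on either endianness; the 32-bit versus 64-bit luck the comment mentions is not modelled. The fix shown is the one the comment implies: read through the type the table really holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug class: hypothetical types, not libctf's own. */

struct toy_header {
  uint8_t magic[3];
  uint8_t flags;                 /* the "fourth byte": header flags word */
};

/* What the table value's second pointer really refers to: an archive,
 * whose first bytes are a magic number. */
struct toy_archive {
  uint64_t magic;                /* archive magic, first bytes of the archive */
  struct toy_header hdr;         /* where the real flags live in this model */
};

/* What actually lives in the link-inputs table: a small record. */
struct toy_link_input {
  const char *name;              /* first pointer */
  struct toy_archive *arc;       /* second pointer */
};

/* What the buggy code believes the table value is: a much larger dict
 * whose second pointer is a header and whose warning list sits far down. */
struct toy_dict {
  void *unused;
  struct toy_header *header;     /* same slot as toy_link_input.arc */
  char other_state[200];
  void *warnings;                /* list the buggy path appends to */
};

#define FLAG_NEW_FUNCINFO 0x01u

/* Constructed sample: one archive with the flag genuinely set, wrapped in
 * the record the table would hold.  The magic is chosen so that byte 3 has
 * the low bit clear whether the host is little- or big-endian. */
static struct toy_archive sample_arc = {
  .magic = 0xC0FFEE00ull,
  .hdr = { { 0, 0, 0 }, FLAG_NEW_FUNCINFO },
};
static struct toy_link_input sample_in = { "constructed.o", &sample_arc };

/* Buggy path: treat the table value as a toy_dict and read
 * d->header->flags.  Done with memcpy so this demonstration itself stays
 * well-defined; the read lands on byte 3 of the archive magic. */
static uint8_t confused_flags(const void *table_value)
{
  const uint8_t *hdr;
  memcpy(&hdr, (const char *)table_value + offsetof(struct toy_dict, header),
         sizeof hdr);
  return hdr[offsetof(struct toy_header, flags)];
}

/* The controlling test as the buggy code sees it: "outdated" when the
 * (mis-read) flag looks clear.  Returning 1 means the warning append,
 * i.e. the out-of-bounds write, would follow. */
static int buggy_thinks_outdated(const void *table_value)
{
  return (confused_flags(table_value) & FLAG_NEW_FUNCINFO) == 0;
}

/* Where that append would land relative to the real allocation: past its
 * end if ->warnings in the assumed type lies beyond sizeof the real type.
 * Computed rather than performed, since performing it is the bug. */
static int warning_append_is_oob(void)
{
  return offsetof(struct toy_dict, warnings) + sizeof(void *)
         > sizeof(struct toy_link_input);
}

/* Fixed path: use the type the table really holds. */
static uint8_t correct_flags(const struct toy_link_input *in)
{
  return in->arc->hdr.flags;
}

static int correct_thinks_outdated(const struct toy_link_input *in)
{
  return (correct_flags(in) & FLAG_NEW_FUNCINFO) == 0;
}

int main(void)
{
  printf("real value is %zu bytes; assumed ->warnings at offset %zu: %s\n",
         sizeof(struct toy_link_input), offsetof(struct toy_dict, warnings),
         warning_append_is_oob() ? "out of bounds" : "in bounds");
  printf("buggy: outdated=%d (flags byte read as 0x%02x); fixed: outdated=%d\n",
         buggy_thinks_outdated(&sample_in), confused_flags(&sample_in),
         correct_thinks_outdated(&sample_in));
  return 0;
}
```

Build with `cc -Wall -O0` and run; the two offsets printed are the whole story: the assumed structure's warning list sits hundreds of bytes past a 16-byte (or 8-byte on 32-bit) allocation, so the append in the buggy branch is a heap write outside the object. The block computes that rather than doing the write, because the write is precisely the out-of-bounds access; under AddressSanitizer the real append is what would be flagged.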