Summary: | LD: ld crashes for malformed inputs
---|---
Product: | binutils
Reporter: | Marcel Böhme <boehme.marcel>
Component: | ld
Assignee: | Not yet assigned to anyone <unassigned>
Status: | RESOLVED FIXED
Severity: | normal
CC: | nickc, thuanpv
Priority: | P2
Version: | 2.28
Description
Marcel Böhme
2016-12-02 07:19:50 UTC
The master branch has been updated by Nick Clifton <nickc@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=406bd128dba2a59d0736839fc87a59bce319076c

commit 406bd128dba2a59d0736839fc87a59bce319076c
Author: Nick Clifton <nickc@redhat.com>
Date: Mon Dec 5 16:00:43 2016 +0000

Fix seg-fault in linker when passed a bogus input script.

PR ld/20906
* ldlex.l: Check for bogus strings in linker scripts.

Hi Marcel,

Thanks for reporting this bug. I have checked in a small patch to the linker script parser which should fix the problem.

Cheers
Nick

This is CVE-2017-7227

The master branch has been updated by Alan Modra <amodra@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ef4fa071e2c25b71e81a91646b43378cf957388

commit 6ef4fa071e2c25b71e81a91646b43378cf957388
Author: Alan Modra <amodra@gmail.com>
Date: Wed Nov 3 16:21:42 2021 +1030

asan: dlltool buffer overflow: embedded NUL in string

yyleng gives the pattern length, xstrdup just copies up to the NUL. So it is quite possible writing at an index of yyleng-2 overflows the xstrdup allocated string buffer. xmemdup quite handily avoids this problem, even writing the terminating NUL over the trailing quote. Use it in ldlex.l too where we'd already had a report of this problem and fixed it by hand, and to implement xmemdup0 in gas.

binutils/
* deflex.l (single and double quote strings): Use xmemdup.
gas/
* as.h (xmemdup0): Use xmemdup.
ld/
PR 20906
* ldlex.l (double quote string): Use xmemdup.
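The size mismatch described in the 2021 commit message, as an added example that is not binutils code and not part of the original thread. All function names and sample tokens are hypothetical, `memdup_zeroed` is a local stand-in for libiberty's `xmemdup`, and the `yytext + 1` offset (skipping the opening quote) is an assumption. The out-of-bounds store is only computed, never performed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for libiberty's xmemdup(): allocate alloc_size zeroed
   bytes and copy copy_size bytes of input into them.  */
static void *memdup_zeroed(const void *input, size_t copy_size, size_t alloc_size)
{
    void *out = calloc(1, alloc_size);
    if (out == NULL) abort();
    return memcpy(out, input, copy_size);
}

/* Bytes a strdup of (yytext + 1) would allocate: it stops at the first
   NUL, which may come long before the closing quote.  */
size_t strdup_alloc_size(const char *yytext)
{
    return strlen(yytext + 1) + 1;
}

/* 1 if a store at index yyleng - 2 falls outside that strdup'd buffer.
   Assumes yyleng >= 2, which a quoted-string pattern guarantees.  */
int old_store_out_of_bounds(const char *yytext, size_t yyleng)
{
    return yyleng - 2 >= strdup_alloc_size(yytext);
}

/* Length-based copy of the text between the quotes.  The buffer is
   yyleng - 1 bytes, so the NUL sits where the closing quote was.  */
char *quoted_body(const char *yytext, size_t yyleng)
{
    if (yyleng < 2) return NULL;          /* not a quoted token */
    return memdup_zeroed(yytext + 1, yyleng - 2, yyleng - 1);
}

/* Constructed tokens: a normal one and one with an embedded NUL.  */
static const char tok_ok[]  = "\"abc\"";          /* yyleng 5  */
static const char tok_nul[] = "\"ab\0cdefgh\"";   /* yyleng 11 */

int main(void)
{
    char *body = quoted_body(tok_nul, sizeof tok_nul - 1);
    printf("old store out of bounds: normal=%d nul=%d\n",
           old_store_out_of_bounds(tok_ok, sizeof tok_ok - 1),
           old_store_out_of_bounds(tok_nul, sizeof tok_nul - 1));
    printf("fixed copy terminated at index %zu: %d\n",
           sizeof tok_nul - 3, body[sizeof tok_nul - 3] == '\0');
    free(body);
    return 0;
}
```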