Bug 29100 - Buffer overflow when read function mapping file
Summary: Buffer overflow when read function mapping file
Status: UNCONFIRMED
Alias: None
Product: binutils
Classification: Unclassified
Component: gprof (show other bugs)
Version: 2.38
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-28 06:57 UTC by yguoaz
Modified: 2022-08-16 11:58 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description yguoaz 2022-04-28 06:57:38 UTC
In the file gprof/corefile.c, the function read_function_mappings has the following code:
(link:https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=gprof/corefile.c;h=2838d49f9d22926affc5a62bd351bbdf914d51cd;hb=20756b0fbe065a84710aa38f2457563b57546440#l121)

static void
read_function_mappings (const char *filename) 
{
    FILE * file = fopen (filename, "r");
    int count = 0;

    while (!feof (file)) {
        ...
        matches = fscanf (file, "%" STR_BUFSIZE "[^\n]\n", dummy);
        if (!matches)
	    parse_error (filename);
        count++;
    }   
    symbol_map = ((struct function_map *)
		xmalloc (count * sizeof (struct function_map))); 
    // code that writes to symbol_map 
}

The value of the variable count is determined how many matches we get from the input file. It could be a really large value, e.g., close to INT_MAX. 

Then the computation of the allocation size "count * sizeof (struct function_map)" may trigger an integer overflow and thus leads to a small buffer allocated. This will lead to subsequent buffer overflows.
Comment 1 Alan Modra 2022-08-16 09:16:05 UTC
The calculation would need to overflow a size_t, not an int.
Comment 2 yguoaz 2022-08-16 11:53:44 UTC
(In reply to Alan Modra from comment #1)
> The calculation would need to overflow a size_t, not an int.

Hi, sizeof(size_t) == sizeof(int) may hold in certain platforms (e.g., a 32 bit machine). In that case, the overflow will happen and the size will wrap to a small value.
Comment 3 yguoaz 2022-08-16 11:58:42 UTC
(In reply to yguoaz from comment #2)
> (In reply to Alan Modra from comment #1)
> > The calculation would need to overflow a size_t, not an int.
> 
> Hi, sizeof(size_t) == sizeof(int) may hold in certain platforms (e.g., a 32
> bit machine). In that case, the overflow will happen and the size will wrap
> to a small value.

Changing the status to unconfirmed.