[Bug ld/24055] New: _bfd_xcoff_swap_aux_in smashes the stack

[wolfgang.thaller at gmx dot net]

https://sourceware.org/bugzilla/show_bug.cgi?id=24055

            Bug ID: 24055
           Summary: _bfd_xcoff_swap_aux_in smashes the stack
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: ld
          Assignee: unassigned at sourceware dot org
          Reporter: wolfgang.thaller at gmx dot net
  Target Milestone: ---

Created attachment 11506
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11506&action=edit
Patch to avoid a buffer overflow.

Affected: 32-bit XCOFF (PowerPC32 AIX) and maybe some other COFF platforms.

Most call sites pass a pointer to a single stack-allocated union
internal_auxent as the last parameter to swap_aux_in.

The function _bfd_xcoff_swap_aux_in in coff-rs6000.c, when encountering a
C_FILE with multiple aux entries, attempts to copy numaux entries at once using
a memcpy, thus smashing the stack.

There appear to be a few more instances of the swap_aux_in code;
coffswap.h/coff_swap_aux_in and coffcode.h/coff_bigobj_swap_aux_in also copy
multiple entries in the C_FILE case.

By contrast, coff64-rs6000.c/_bfd_xcoff64_swap_aux_in and
peXXigen.c/_bfd_XXi_swap_aux_in only copy a single aux entry.

The attached patch makes the coff-rs6000.c version match the coff64-rs6000.c
one.
It fixes segfaults for me, but is only tested in the context of my hobby
project, a cross compiler to ancient 1990s PowerMacs
(https://github.com/autc04/Retro68).

-- 
You are receiving this mail because:
You are on the CC list for the bug.