> Date: Tue, 23 Oct 2018 23:45:55 +0200
> From: Christian Weisgerber <[email protected]>
>
> I ran across this:
>
> $ readelf -h /usr/local/bin/w3m
> ...
> readelf(71968) in free(): bogus pointer (double free?) 0x1
> Abort trap (core dumped)
>
> In readelf.c there's a static array:
>
> static bfd_vma dynamic_info[DT_JMPREL + 1];
>
> Later this array is written to like this:
>
> switch (entry->d_tag)
>   {
>   ...
>   case DT_TEXTREL :
>   case DT_JMPREL :
>   case DT_RUNPATH :
>     dynamic_info[entry->d_tag] = entry->d_un.d_val;
>   ...
>
> Alas, DT_RUNPATH > DT_JMPREL, so we have an out-of-bounds write
> that splats somewhere into memory. In my case it mangled an unrelated
> pointer.
>
> I checked that DT_RUNPATH is the numerically highest value used to
> index dynamic_info[], so let's size the array appropriately.
>
> OK?
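The overflow described in the quoted report, as an added C example that is not code from the report or from binutils: it replays readelf's switch over a constructed .dynamic section using the corrected array size and a hypothetical bounds-checked store_dynamic_tag helper, so a tag above the table's size is rejected instead of written. The DT_* values are those from <elf.h>, spelled out inline.

```c
#include <stddef.h>
#include <stdint.h>
/* Tag values as defined in <elf.h>, spelled out so this builds without ELF headers. */
#define DT_NULL     0
#define DT_TEXTREL 22
#define DT_JMPREL  23
#define DT_RUNPATH 29

typedef uint64_t bfd_vma;
/* Mirrors Elf64_Dyn: a tag and its value (a constructed type, not readelf's). */
struct dyn_entry { int64_t d_tag; bfd_vma d_val; };

/* Sized by the highest tag the switch below stores, as in the proposed diff. */
#define DYNAMIC_INFO_SIZE (DT_RUNPATH + 1)
static bfd_vma dynamic_info[DYNAMIC_INFO_SIZE];

/* Hypothetical helper: stores one tag only if it indexes inside the table.
 * Returns 1 on store, 0 when the write would have gone out of bounds. */
int store_dynamic_tag(int64_t tag, bfd_vma val)
{
    if (tag < 0 || (uint64_t)tag >= DYNAMIC_INFO_SIZE)
        return 0;
    dynamic_info[tag] = val;
    return 1;
}

/* Walks a dynamic section the way readelf's loop does, keeping only the tags
 * from the quoted switch. Returns how many entries were stored. */
int scan_dynamic_section(const struct dyn_entry *ents, size_t n)
{
    int stored = 0;
    for (size_t i = 0; i < n && ents[i].d_tag != DT_NULL; i++) {
        switch (ents[i].d_tag) {
        case DT_TEXTREL:
        case DT_JMPREL:
        case DT_RUNPATH: /* 29 > 23: the tag that overflowed the old DT_JMPREL + 1 array */
            stored += store_dynamic_tag(ents[i].d_tag, ents[i].d_val);
            break;
        }
    }
    return stored;
}

/* Constructed sample .dynamic: the three handled tags plus the terminator. */
static const struct dyn_entry sample_dynamic[] = {
    { DT_TEXTREL, 0 }, { DT_JMPREL, 0x4000 }, { DT_RUNPATH, 0x1c }, { DT_NULL, 0 },
};
```

With the old size, `DT_RUNPATH + 1 > DT_JMPREL + 1` is exactly the condition under which the last sample entry would land outside the array.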
ok kettenis@ > Index: gnu/usr.bin/binutils/binutils/readelf.c > =================================================================== > RCS file: /cvs/src/gnu/usr.bin/binutils/binutils/readelf.c,v > retrieving revision 1.11 > diff -u -p -r1.11 readelf.c > --- gnu/usr.bin/binutils/binutils/readelf.c 31 Aug 2014 13:40:02 -0000 > 1.11 > +++ gnu/usr.bin/binutils/binutils/readelf.c 23 Oct 2018 21:30:49 -0000 > @@ -129,7 +129,7 @@ Elf_Internal_Syminfo *dynamic_syminfo; > unsigned long dynamic_syminfo_offset; > unsigned int dynamic_syminfo_nent; > char program_interpreter[64]; > -bfd_vma dynamic_info[DT_JMPREL + 1]; > +bfd_vma dynamic_info[DT_RUNPATH + 1]; > bfd_vma version_info[16]; > Elf_Internal_Ehdr elf_header; > Elf_Internal_Shdr *section_headers; > Index: gnu/usr.bin/binutils-2.17/binutils/readelf.c > =================================================================== > RCS file: /cvs/src/gnu/usr.bin/binutils-2.17/binutils/readelf.c,v > retrieving revision 1.15 > diff -u -p -r1.15 readelf.c > --- gnu/usr.bin/binutils-2.17/binutils/readelf.c 23 Oct 2017 05:26:58 > -0000 1.15 > +++ gnu/usr.bin/binutils-2.17/binutils/readelf.c 23 Oct 2018 21:25:53 > -0000 > @@ -136,7 +136,7 @@ static Elf_Internal_Syminfo *dynamic_sym > static unsigned long dynamic_syminfo_offset; > static unsigned int dynamic_syminfo_nent; > static char program_interpreter[64]; > -static bfd_vma dynamic_info[DT_JMPREL + 1]; > +static bfd_vma dynamic_info[DT_RUNPATH + 1]; > static bfd_vma version_info[16]; > static Elf_Internal_Ehdr elf_header; > static Elf_Internal_Shdr *section_headers; > -- > Christian "naddy" Weisgerber [email protected] > >
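Review bot: in the first hunk (gnu/usr.bin/binutils/binutils/readelf.c), `+bfd_vma dynamic_info[DT_RUNPATH + 1];` is the right bound for the three tags the quoted switch writes, but nothing at the declaration records that DT_RUNPATH is the limiting tag, so a later `case` label for a higher tag would reintroduce the same silent out-of-bounds write; consider a comment at the declaration naming the highest stored tag, or a range check on entry->d_tag against the array size before the store in the switch.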
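Review bot: the second hunk (gnu/usr.bin/binutils-2.17/binutils/readelf.c) makes the identical one-line change to the `static bfd_vma dynamic_info[...]` declaration, which is the correct scope, but the bound is now maintained in two separate copies of readelf.c; the commit message should state that both trees were changed, and it is worth rerunning `readelf -h` on the w3m binary from the report against both builds to confirm the free() abort is gone in each.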
