From: Arnout Vandecappelle <arnout@mind.be>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH v2] elf2flt: add patch "Fix buffer overflow in output_relocs()"
Date: Wed, 20 Apr 2016 23:12:56 +0200
Message-ID: <5717F0D8.5000103@mind.be>
In-Reply-To: <1461146201-7352-1-git-send-email-mcoquelin.stm32@gmail.com>
On 04/20/16 11:56, Maxime Coquelin wrote:
> This patch fixes the following crash:
> make[1]: Entering directory `<...>/build/uclibc-1.0.14'
> CC utils/getconf
> *** buffer overflow detected ***: <...>/bin/elf2flt terminated
> ======= Backtrace: =========
> /lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x2ad3be5f738f]
> /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x2ad3be68ec9c]
> /lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x2ad3be68db60]
> /lib/x86_64-linux-gnu/libc.so.6(+0x109069)[0x2ad3be68d069]
> /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xbc)[0x2ad3be5ff70c]
> /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0xaef)[0x2ad3be5ce7df]
> /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x2ad3be68d0f4]
> /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x2ad3be68d04d]
> <...>/bin/elf2flt[0x403cda]
> <...>/bin/elf2flt[0x4030a4]
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x2ad3be5a5ec5]
> <...>/bin/elf2flt[0x403642]
>
> A pull-request has been sent for this patch to elf2flt developers, so we can
> remove it as soon as the patch is accepted upstream.
>
> Signed-off-by: Maxime Coquelin <mcoquelin.stm32@gmail.com>
> ---
> package/elf2flt/elf2flt.hash | 1 +
> package/elf2flt/elf2flt.mk | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/package/elf2flt/elf2flt.hash b/package/elf2flt/elf2flt.hash
> index be7c77605be7..89d22222733e 100644
> --- a/package/elf2flt/elf2flt.hash
> +++ b/package/elf2flt/elf2flt.hash
> @@ -1,2 +1,3 @@
> # Locally calculated
> sha256 64ede6936aa88028378e08192039c29791b9e32714cc861762214b8e106e7145 elf2flt-8a3e74446fe7d866f0517ee089a37f4bdf4bc9f7.tar.gz
> +sha256 2659d8a7fca078dfe7ce9a3754d94a0cad3dc1fc7b8b0db5cf08f14bb34e4865 4595382ea76f85dced017b1b17b37ef9513458b6.patch
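Review bot: the new `+sha256 ... 4595382ea76f85dced017b1b17b37ef9513458b6.patch` line pins the exact bytes of a patch that GitHub generates on request from a commit, not a released artifact; if that generated output ever changes, the hash check fails and the build breaks for every user. Since the commit message says the entry is meant to be temporary anyway, carrying the patch as a numbered file under package/elf2flt/ avoids needing this hash line at all.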
> diff --git a/package/elf2flt/elf2flt.mk b/package/elf2flt/elf2flt.mk
> index 6c16c3000d89..d138a4c1cdf7 100644
> --- a/package/elf2flt/elf2flt.mk
> +++ b/package/elf2flt/elf2flt.mk
> @@ -8,6 +8,7 @@ ELF2FLT_VERSION = 8a3e74446fe7d866f0517ee089a37f4bdf4bc9f7
> ELF2FLT_SITE = $(call github,uclinux-dev,elf2flt,$(ELF2FLT_VERSION))
> ELF2FLT_LICENSE = GPLv2+
> ELF2FLT_LICENSE_FILES = LICENSE.TXT
> +ELF2FLT_PATCH = https://github.com/mcoquelin-stm32/elf2flt/commit/4595382ea76f85dced017b1b17b37ef9513458b6.patch
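Review bot: ELF2FLT_PATCH fetches from a personal fork (mcoquelin-stm32/elf2flt) rather than the uclinux-dev upstream that ELF2FLT_SITE two lines above points at, and the commit message says the upstream pull request is still pending; a fork branch can be rewritten or removed, which would take the download with it. A numbered patch file in package/elf2flt/ (for example 0001-Fix-buffer-overflow-in-output_relocs.patch, matching the title in the subject line) is easier to audit and to drop once upstream has merged the fix.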
I generally suggest downloading patches rather than putting them in buildroot.
However, I meant this for patches that are upstream (for some definition of
upstream, e.g. could be Debian or Gentoo), so that we have some chance of them
being maintained over time. I'm not so fond of downloading patches from a random
github fork; in that case, I think it's better to have the patch in buildroot
itself.
In your commit message, you write:
> Indeed, the maximum theoretical size is 20 bytes (16 bytes for the value + 3
> bytes for "+0x" + the end of string marker).
>
> The reason the value overflows 32 bits is yet to be understood, as the ARMv7-M
> is a 32-bit architecture, but this patch first ensures the sprintf call is robust
> enough.
Isn't that because we're subtracting a long from an int, so if it becomes
negative, it will be 0xffffffffnnnnnnnn?
Regards,
Arnout
>
> HOST_ELF2FLT_DEPENDENCIES = host-binutils host-zlib
>
>
--
Arnout Vandecappelle arnout at mind be
Senior Embedded Software Architect +32-16-286500
Essensium/Mind http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
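A constructed C model of the width problem raised in the question above, added here and not taken from elf2flt or from anyone in the thread: an int minus a long goes negative, is widened to a 64-bit long on an LP64 host, and "+0x%lx" then prints 16 hex digits, i.e. the 19 characters plus NUL that the commit message counts as 20 bytes. The buffer sizes, the value/base pair and the helper names are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Constructed model, not elf2flt's code: an int 'value' minus a long 'base',
 * printed with "+0x%lx". On an LP64 host the negative result is widened to
 * 64 bits and prints as 0xffffffffnnnnnnnn, i.e. 16 hex digits. */

#define NARROW_BUF 12   /* assumption: sized for "+0x" + 8 digits + NUL */
#define SAFE_BUF   20   /* "+0x" + 16 digits + NUL, the maximum the commit message states */

/* Characters (excluding the NUL) that "+0x%lx" produces for value - base. */
static int addstr_len(int value, long base)
{
    long diff = value - base;            /* int is widened to long before the subtraction */
    return snprintf(NULL, 0, "+0x%lx", (unsigned long)diff);
}

/* 1 if an unbounded sprintf() of that string would overrun a bufsize-byte buffer. */
static int would_overflow(int value, long base, size_t bufsize)
{
    return (size_t)addstr_len(value, base) + 1 > bufsize;
}

/* Low 32 bits of the difference: the nnnnnnnn part of 0xffffffffnnnnnnnn,
 * which is all a 32-bit target needs. */
static uint32_t low32_of_diff(int value, long base)
{
    return (uint32_t)(value - base);
}

/* Hardened formatter: bounded write; returns 1 if the string fit, 0 if truncated. */
static int format_addstr(char *buf, size_t bufsize, int value, long base)
{
    long diff = value - base;
    int n = snprintf(buf, bufsize, "+0x%lx", (unsigned long)diff);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char buf[SAFE_BUF];
    int value = 0x1000;   /* constructed: symbol address below the reloc address */
    long base = 0x2000;

    printf("len=%d overflow_narrow=%d fit_safe=%d\n", addstr_len(value, base),
           would_overflow(value, base, NARROW_BUF), format_addstr(buf, sizeof buf, value, base));
    printf("%s (low 32 bits: 0x%08x)\n", buf, (unsigned)low32_of_diff(value, base));
    return 0;
}
```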