delorie.com/archives/browse.cgi   search  
Mail Archives: djgpp-workers/2017/05/16/12:39:17

X-Authentication-Warning: delorie.com: mail set sender to djgpp-workers-bounces using -f
X-Recipient: djgpp AT delorie DOT com
X-Recipient: djgpp-workers AT delorie DOT com
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=Ik0Duk3gqSKDiRLbF8ljxTMQbW3h99jR7Lbqrfol/qY=;
b=bBYtbD+8qAM0AnL/uCGRCYpVKbgiCe6GRotcg8TaKHMyFMSha2FFH5Gn8Twufhu2qm
iru83rqq34cK96yz8m5jyk7OR/uHFE+8p/XjLtda37HFp2+QnQ6z3YtedWeO5JARR4+P
HvZII5VAtqF0CJ+jd/UNHS0w3IvcKuwkoRcqlLR2hbVbqBQ90Q4/mtfp/tiKZHqSj5Ar
kXggmV5Wsqi7n+izWgBJqjjH3U7iDNac9DVWnkxFCUdQqLq0Lt2jlOxPRoC8EN2ui9fz
/u34g/hoF+6P8rIXef6VDvWlIhRcwgk88OZ5dQ/03Pf0KkFUYG6MTu3gABk4YMo96FtD
/wTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=Ik0Duk3gqSKDiRLbF8ljxTMQbW3h99jR7Lbqrfol/qY=;
b=G0FPxx+Us4PbkWPw8dejFGklnDO6u2pENocfw2KJBdm2hbDYXXNKgJmK8wcvAWan/7
Yvqd6VUAQlTl/ygUkYjcIw771hAGpEuPwVezkZZCc8u39arr0sjOP0LF+DHf0jFvfb4K
sBIQ4DtcO1fBY2a0tHIFnMmU17ZUoYs5kMrc19WfBirKHAzH9juZyRR0xNwuedcLUFlI
XoJ/+sHvz0SFVI+PDCT4UBAy9tTHP/O7urgQ9Kkg+nLaA4Ib8F4HGOBxbujpFdD4U+Or
J9R0/szwoxK2ZbcVgtZna9semcUglUtYV8vQ9XtfMubL6akkd/pd9uDxZDpexWFOHLeu
Kmkw==
X-Gm-Message-State: AODbwcB3v6AizVLizi7mDb9bTX9ZEaQu8CULQOHOD7p96QarA/N86iEw
z8Y+5dDOv10NjsenUeMn82fKylJQww==
X-Received: by 10.237.42.102 with SMTP id k35mr12552845qtf.58.1494952743683;
Tue, 16 May 2017 09:39:03 -0700 (PDT)
MIME-Version: 1.0
From: "Ozkan Sezer (sezeroz AT gmail DOT com) [via djgpp-workers AT delorie DOT com]" <djgpp-workers AT delorie DOT com>
Date: Tue, 16 May 2017 19:39:03 +0300
Message-ID: <CAA2C=vCkJChtB6bWeToNGG6GuXeFze2EPyaztWZ631XqoBWWPA@mail.gmail.com>
Subject: dxe3gen patch: replace memcmp with strncmp
To: djgpp AT delorie DOT com, djgpp-workers AT delorie DOT com
Reply-To: djgpp-workers AT delorie DOT com

When dxe3gen is built from current source with -fsanitize=address, asan
(from gcc-4.9.4) aborts with the following:

==7887==ERROR: AddressSanitizer: stack-buffer-overflow on address
0xbf98b830 at pc 0x80b1f76 bp 0xbf98b6e8 sp 0xbf98b6dc
READ of size 11 at 0xbf98b830 thread T0
    #0 0x80b1f75 in write_dxe /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:1178
    #1 0x80b47dd in main /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:1639
    #2 0x6f0f5d5 in __libc_start_main (/lib/libc.so.6+0x6f0f5d5)
    #3 0x804e1a0 (/home/sezero/proj/dxe3gen+0x804e1a0)

Address 0xbf98b830 is located in stack of thread T0 at offset 160 in frame
    #0 0x80b01b6 in write_dxe /home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:931

  This frame has 6 object(s):
    [32, 36) 'stsz'
    [96, 100) 'real_nrelocs'
    [160, 169) 'tmp' <== Memory access at offset 160 partially
overflows this variable
    [224, 240) 'fill'
    [288, 328) 'sc'
    [384, 464) 'dh'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/sezero/djgpp-cvs/src/dxe/dxe3gen.c:1178 write_dxe
Shadow bytes around the buggy address:
  0x37f316b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f316c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f316d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f316e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x37f316f0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4
=>0x37f31700: f4 f4 f2 f2 f2 f2[00]01 f4 f4 f2 f2 f2 f2 00 00
  0x37f31710: f4 f4 f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4 f2 f2
  0x37f31720: f2 f2 00 00 00 00 00 00 00 00 00 00 f4 f4 f3 f3
  0x37f31730: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x37f31740: f1 f1 00 00 04 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x37f31750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==7887==ABORTING


Replacing two memcmp() calls with strncmp() cures this, as in the
following patch. If no one objects, I'd like to apply this tomorrow
or the the day after.

Index: src/dxe/dxe3gen.c
===================================================================
RCS file: /cvs/djgpp/djgpp/src/dxe/dxe3gen.c,v
retrieving revision 1.24
diff -u -p -r1.24 dxe3gen.c
--- src/dxe/dxe3gen.c	30 Apr 2017 08:03:04 -0000	1.24
+++ src/dxe/dxe3gen.c	16 May 2017 16:28:28 -0000
@@ -1160,7 +1160,7 @@ static int write_dxe(FILE *inf, FILE *ou
         BOOL ok = FALSE;
         for (j = 0; j < opt.num_excl; j++)
         {
-          if (memcmp(opt.excl_prefix[j], name,
strlen(opt.excl_prefix[j])) == 0)
+          if (strncmp(opt.excl_prefix[j], name,
strlen(opt.excl_prefix[j])) == 0)
           {
             ok = TRUE;
             break;
@@ -1175,7 +1175,7 @@ static int write_dxe(FILE *inf, FILE *ou
         BOOL ok = FALSE;
         for (j = 0; j < opt.num_prefix; j++)
         {
-          if (memcmp(opt.export_prefix[j], name,
strlen(opt.export_prefix[j])) == 0)
+          if (strncmp(opt.export_prefix[j], name,
strlen(opt.export_prefix[j])) == 0)
           {
             ok = TRUE;
             break;

--
O.S.

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019