From: Alan Modra
Date: Thu, 28 Nov 2024 23:48:36 +0000 (+1030)
Subject: PR32399, buffer overflow printing core_file_failing_command
X-Git-Tag: gdb-16-branchpoint~275
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e3b2da08eb21042f01a9f6862b487ca77484c92;p=thirdparty%2Fbinutils-gdb.git
PR32399, buffer overflow printing core_file_failing_command
Assorted targets do not check, as the ELF targets do, that the program name in a core file is NUL terminated. Fix some of them. I haven't attempted to fix all targets because editing host specific code can easily result in build bugs, which aren't discovered until someone build binutils for that host. (Of the files edited here, I can't easily compile hpux-core.c and osf-core.c on a linux system.)
PR 32399
* hppabsd-core.c (hppabsd_core_core_file_p): Ensure core_command string is terminated.
* hpux-core.c (hpux_core_core_file_p): Likewise.
* irix-core.c (irix_core_core_file_p): Likewise.
* lynx-core.c (lynx_core_file_p): Likewise.
* osf-core.c (osf_core_core_file_p): Likewise.
* mach-o.c (bfd_mach_o_core_file_failing_command): Likewise.
---
diff --git a/bfd/hppabsd-core.c b/bfd/hppabsd-core.c
index ae5d1f8f1e5..1c24e641b3a 100644
--- a/bfd/hppabsd-core.c
+++ b/bfd/hppabsd-core.c
@@ -179,7 +179,8 @@ hppabsd_core_core_file_p (bfd *abfd)
 goto fail;
 core_regsec (abfd)->vma = 0;
- strncpy (core_command (abfd), u.u_comm, MAXCOMLEN + 1);
+ strncpy (core_command (abfd), u.u_comm, MAXCOMLEN);
+ core_command (abfd)[MAXCOMLEN] = 0;
 core_signal (abfd) = u.u_code;
 return _bfd_no_cleanup;
diff --git a/bfd/hpux-core.c b/bfd/hpux-core.c
index 1e2ea926f02..18516e3a897 100644
--- a/bfd/hpux-core.c
+++ b/bfd/hpux-core.c
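Review bot: The new terminator write `core_command (abfd)[MAXCOMLEN] = 0;` in hppabsd_core_core_file_p is in bounds only if the destination behind `core_command` holds at least MAXCOMLEN + 1 bytes, and that declaration is not visible in the hunk; the hpux, lynx and osf hunks rely on the same assumption, and the irix hunk on a CORE_NAMESIZE-byte destination. Consider deriving the bound from the destination itself, for example `size_t n = sizeof (core_command (abfd)) - 1;` if core_command expands to an array member, so the copy length and the index cannot drift from the buffer size. A short comment such as `/* u_comm comes from the core file and may lack a terminating NUL.  */` would also record why the last byte is forced. The function body continues outside the hunk.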
@@ -177,7 +177,8 @@ hpux_core_core_file_p (bfd *abfd)
 struct proc_exec proc_exec;
 if (bfd_read (&proc_exec, core_header.len, abfd) != core_header.len)
 break;
- strncpy (core_command (abfd), proc_exec.cmd, MAXCOMLEN + 1);
+ strncpy (core_command (abfd), proc_exec.cmd, MAXCOMLEN);
+ core_command (abfd)[MAXCOMLEN] = 0;
 good_sections++;
 }
 break;
diff --git a/bfd/irix-core.c b/bfd/irix-core.c
index 80cb82d0fa3..7a486841d35 100644
--- a/bfd/irix-core.c
+++ b/bfd/irix-core.c
@@ -203,7 +203,8 @@ irix_core_core_file_p (bfd *abfd)
 if (!core_hdr (abfd))
 return NULL;
- strncpy (core_command (abfd), coreout.c_name, CORE_NAMESIZE);
+ strncpy (core_command (abfd), coreout.c_name, CORE_NAMESIZE - 1);
+ core_command (abfd)[CORE_NAMESIZE - 1] = 0;
 core_signal (abfd) = coreout.c_sigcause;
 if (bfd_seek (abfd, coreout.c_vmapoffset, SEEK_SET) != 0)
diff --git a/bfd/lynx-core.c b/bfd/lynx-core.c
index 44d94ad8745..7870dc62866 100644
--- a/bfd/lynx-core.c
+++ b/bfd/lynx-core.c
@@ -120,7 +120,8 @@ lynx_core_file_p (bfd *abfd)
 if (!core_hdr (abfd))
 return NULL;
- strncpy (core_command (abfd), pss.pname, PNMLEN + 1);
+ strncpy (core_command (abfd), pss.pname, PNMLEN);
+ core_command (abfd)[PNMLEN] = 0;
 /* Compute the size of the thread contexts */
diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index 974747caadd..037718fb22c 100644
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -6019,9 +6019,9 @@ bfd_mach_o_core_file_failing_command (bfd *abfd)
 int ret;
 ret = bfd_mach_o_core_fetch_environment (abfd, &buf, &len);
- if (ret < 0)
+ if (ret < 0 || len == 0)
 return NULL;
-
+ buf[len - 1] = 0;
 return (char *) buf;
 }
diff --git a/bfd/osf-core.c b/bfd/osf-core.c
index 55b127d48b3..6869dfa23ea 100644
--- a/bfd/osf-core.c
+++ b/bfd/osf-core.c
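Review bot: In the hpux-core.c hunk, the read just above the changed lines takes its byte count from `core_header.len` and stores into the fixed-size local `proc_exec`, and nothing visible bounds that length against `sizeof proc_exec`. If `core_header.len` is read from the core file, as the name suggests, terminating the copied command does not cover this path; a guard such as `if (core_header.len > sizeof proc_exec) break;` before the `bfd_read` would. A length shorter than the struct would also leave `proc_exec.cmd` partly uninitialised before the strncpy, so a minimum-size check may be preferable. The enclosing case block starts and ends outside the hunk, so an earlier check may already exist.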
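Review bot: In bfd_mach_o_core_file_failing_command, the new early return on `len == 0` discards `buf` without releasing it; if bfd_mach_o_core_fetch_environment can succeed with an allocated buffer and a zero length (not visible here), that path leaks. The write `buf[len - 1] = 0;` also replaces the final fetched byte unconditionally, which deserves a comment, e.g. `/* Data comes from the core file; force termination before returning it as a string.  */`. The declarations of `buf` and `len` lie above the hunk.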
@@ -92,7 +92,8 @@ osf_core_core_file_p (bfd *abfd)
 if (!core_hdr (abfd))
 return NULL;
- strncpy (core_command (abfd), core_header.name, MAXCOMLEN + 1);
+ strncpy (core_command (abfd), core_header.name, MAXCOMLEN);
+ core_command (abfd)[MAXCOMLEN] = 0;
 core_signal (abfd) = core_header.signo;
 for (i = 0; i < core_header.nscns; i++)