This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.
Re: buffer overflow with ar
- From: Ralf Corsepius <ralf dot corsepius at rtems dot org>
- To: Nick Clifton <nickc at redhat dot com>
- Cc: Binutils List <binutils at sources dot redhat dot com>, Joel Sherrill <joel dot sherrill at OARcorp dot com>
- Date: Thu, 07 Jul 2005 18:09:43 +0200
- Subject: Re: buffer overflow with ar
- References: <1120582504.30532.22.camel@mccallum.corsepiu.local> <42CD15BA.8000606@redhat.com>
On Thu, 2005-07-07 at 12:44 +0100, Nick Clifton wrote:
> Hi Ralf,
>
> > When trying to use a cross-ar from vanilla binutils-2.16 or
> > binutils-2.16.1 on FC4, I am observing this
> >
> > # arm-rtems4.7-ar rc ./libgcc.a libgcc/./_udivsi3.o
> > *** buffer overflow detected ***: arm-rtems4.7-ar terminated
>
> > /lib/libc.so.6(__sprintf_chk+0x30)[0x1eee24]
> > arm-rtems4.7-ar[0x804f5f6]
> Can you run this under a debugger and find out which call to sprintf is
> overflowing, and what the parameters are?
The sprintf in bfd/archive.c:2071 (binutils-2.16.1) is the culprit:
2069 memset (&hdr, 0, sizeof (struct ar_hdr));
2070 hdr.ar_name[0] = '/';
2071 sprintf (hdr.ar_size, "%-10d", (int) mapsize);
2072 sprintf (hdr.ar_date, "%ld", (long) time (NULL));
2073 /* This, at least, is what Intel coff sets the values to. */
2074 sprintf ((hdr.ar_uid), "%d", 0);
2075 sprintf ((hdr.ar_gid), "%d", 0);
2076 sprintf ((hdr.ar_mode), "%-7o", (unsigned) 0);
2077 strncpy (hdr.ar_fmag, ARFMAG, 2);
A test case to reproduce the breakdown:
#include <stdio.h>

int main( void )
{
    /* Mirrors the fixed-width, non-NUL-terminated fields of struct ar_hdr. */
    struct my_hdr_t {
        char name[16];
        char size[10];
    };
    struct my_hdr_t hdr;

    /* "%-10d" emits ten characters plus the terminating NUL: eleven bytes
       into a ten-byte field. glibc's __sprintf_chk aborts on exactly this. */
    sprintf( hdr.size, "%-10d", 28 );
    return 0;
}
# gcc -Wall -D_FORTIFY_SOURCE=2 -O2 -m32 -o test test.c
# ./test
*** buffer overflow detected ***: ./test terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x20f565]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x20ee30]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x191b58]
/lib/libc.so.6(_IO_padn+0x7b)[0x18796b]
/lib/libc.so.6(_IO_vfprintf+0x204e)[0x16ddb0]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x20eed1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x20ee24]
./test[0x80483c0]
/lib/libc.so.6(__libc_start_main+0xc6)[0x145de6]
./test[0x804831d]
Aborted
Ralf
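The 11-byte footprint of "%-10d" next to a fill that stays inside the fixed-width field, as an added example that is neither binutils code nor the test case above: struct hdr_t and fill_field() are hypothetical stand-ins for bfd's struct ar_hdr and for whatever helper a fix would use.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for bfd's struct ar_hdr (constructed here).
   Fields are fixed-width and not NUL-terminated, so a C string
   written by sprintf() spills its NUL into the next field. */
struct hdr_t {
    char name[16];
    char size[10];
    char date[12];
};

/* Bytes sprintf("%-10d") emits for val, NUL included: 11 for any non-negative
   value, one more than the 10-byte size field. Measured with snprintf(NULL, 0, ...). */
size_t sprintf_footprint(int val)
{
    return (size_t) snprintf(NULL, 0, "%-10d", val) + 1;
}

/* Hardened fill (hypothetical, not binutils' own helper): format into scratch
   space, copy at most n bytes, space-pad the rest and never write a NUL.
   Returns -1 instead of truncating, since a silently truncated size would
   corrupt the archive header. */
int fill_field(char *field, size_t n, const char *fmt, long val)
{
    char tmp[32];
    int len = snprintf(tmp, sizeof tmp, fmt, val);
    if (len < 0 || (size_t) len >= sizeof tmp || (size_t) len > n)
        return -1;
    memset(field, ' ', n);
    memcpy(field, tmp, (size_t) len);
    return 0;
}

/* Fill size the hardened way and report whether the neighbouring
   date field survived: 1 if untouched, 0 if overwritten, -1 on error. */
int size_field_is_contained(long mapsize)
{
    struct hdr_t hdr;
    memset(&hdr, 'X', sizeof hdr);          /* sentinel in every byte */
    if (fill_field(hdr.size, sizeof hdr.size, "%-10ld", mapsize) != 0)
        return -1;
    return hdr.date[0] == 'X';
}

int main(void)
{
    printf("%zu bytes for \"%%-10d\", date field intact: %d\n",
           sprintf_footprint(28), size_field_is_contained(28));
    return 0;
}
```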