From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 224875] kldxref fails if a mod_depend md_cval is too close to the end of allocated sections
Date: Wed, 03 Jan 2018 20:10:45 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224875

    Bug ID: 224875
    Summary: kldxref fails if a mod_depend md_cval is too close to the end of allocated sections
    Product: Base System
    Version: CURRENT
    Hardware: Any
    OS: Any
    Status: New
    Severity: Affects Only Me
    Priority: ---
    Component: bin
    Assignee: freebsd-bugs@FreeBSD.org
    Reporter: emaste@freebsd.org

In kldxref.c:read_kld() we have a 33-byte cval buffer:

    char ... cval[MAXMODNAME + 1] ...

into which we read a string:

    check(EF_SEG_READ(&ef, (Elf_Off)md.md_cval, sizeof(cval), cval));

This requires that a 33-byte read is successful, however it may fail if the string is shorter than 32 characters (plus the NUL) and is located near the highest allocated address.

It appears this has never been an issue with ld.bfd, which places a loadable .comment section after other sections of interest, so kldxref is free to read unrelated data beyond the end of the cval string.

ld.lld however places .comment early in the section list, and so the cval may be in a .data or .rodata section that comes at the end of the section list.

(CTF data may also be after .data/.rodata and would mitigate this issue; it may happen only with CTF disabled)
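
Added example (not part of the original report and not FreeBSD's code): a simplified model of the failure described above, contrasting the fixed 33-byte read with a read bounded by the NUL and the segment end. `struct seg`, `seg_read` and `seg_read_string` are hypothetical names, the strict read only stands in for EF_SEG_READ as the report describes its behaviour, and the sample segment is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAXMODNAME 32  /* the report's cval buffer is MAXMODNAME + 1 = 33 bytes */

/* Hypothetical model of one loaded segment covering [base, base + len). */
struct seg { const unsigned char *data; size_t base, len; };

/* Strict read (assumed model of the failing call): all n bytes must be in range. */
static int seg_read(const struct seg *s, size_t off, size_t n, void *dst)
{
    if (off < s->base || off - s->base > s->len || n > s->len - (off - s->base))
        return -1;
    memcpy(dst, s->data + (off - s->base), n);
    return 0;
}

/* Bounded string read: stop at the NUL, never pass the segment end or dstsz. */
static int seg_read_string(const struct seg *s, size_t off, size_t dstsz, char *dst)
{
    if (off < s->base || off - s->base >= s->len || dstsz == 0)
        return -1;
    const unsigned char *p = s->data + (off - s->base);
    size_t avail = s->len - (off - s->base);
    size_t max = avail < dstsz ? avail : dstsz;
    const unsigned char *nul = memchr(p, '\0', max);
    if (nul == NULL)
        return -1;  /* unterminated within range, or too long for dst */
    memcpy(dst, p, (size_t)(nul - p) + 1);
    return 0;
}

/* Constructed sample: 8 pad bytes, then "kernel\0" as the last 7 bytes. */
static const unsigned char sample[] = "\0\0\0\0\0\0\0\0kernel";
static const struct seg sample_seg = { sample, 0x1000, sizeof(sample) };

/* The report's pattern: always ask for sizeof(cval) bytes at the string offset. */
int fixed_read_result(void)
{
    char cval[MAXMODNAME + 1];
    return seg_read(&sample_seg, 0x1008, sizeof(cval), cval);
}

/* Same offset, read as a string bounded by the segment end. */
int string_read_result(char *out, size_t outsz)
{ return seg_read_string(&sample_seg, 0x1008, outsz, out); }

int main(void)
{
    char out[MAXMODNAME + 1] = "";
    printf("33-byte read: %d\n", fixed_read_result());
    printf("string read:  %d \"%s\"\n", string_read_result(out, sizeof(out)), out);
    return 0;
}
```

With only 7 bytes left in the segment, the fixed-size read is rejected while the bounded string read returns the name intact.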