Re: src/contrib/elftoolchain/elfcopy/sections.c underallocates for Elf64_Rela and Elf32_Rela?

Sun, 08 Jul 2018 09:04:41 -0700 

On Sun, Jul 08, 2018 at 08:47:38AM -0700, Mark Millard via freebsd-toolchain 
wrote:
> src/contrib/elftoolchain/elfcopy/sections.c has and uses the macro:
> 
> 716   #define COPYREL(REL, SZ) do {                                   \
> 717           if (nrels == 0) {                                       \
> 718                   if ((REL##SZ = malloc(cap *                     \
> 719                       sizeof(Elf##SZ##_Rel))) == NULL)            \
> 720                           err(EXIT_FAILURE, "malloc failed");     \
> 721           }                                                       \
> 722           if (nrels >= cap) {                                     \
> 723                   cap *= 2;                                       \
> 724                   if ((REL##SZ = realloc(REL##SZ, cap *           \
> 725                       sizeof(Elf##SZ##_Rel))) == NULL)            \
> 726                           err(EXIT_FAILURE, "realloc failed");    \
> 727           }                                                       \
> 728           REL##SZ[nrels].r_offset = REL.r_offset;                 \
> 729           REL##SZ[nrels].r_info   = REL.r_info;                   \
> 730           if (s->type == SHT_RELA)                                \
> 731                   rela##SZ[nrels].r_addend = rela.r_addend;       \
> 732           nrels++;                                                \
> 733   } while (0)
> 
> The context has:
> 
> 687           Elf32_Rel       *rel32;
> 688           Elf64_Rel       *rel64;
> 689           Elf32_Rela      *rela32;
> 690           Elf64_Rela      *rela64;
> 
> So for, say, COPYREL(rela,64), the macro uses sizeof(Elf64_Rel) instead
> of sizeof(ELF64_Rela) in malloc and realloc but Elf64_Rela is the
> larger structure of the two ELF64_ types (by also having .r_addend).
> 
> The scan build on ci.freebsd.org complains about this:
> 
> Result of 'realloc' is converted to a pointer of type 'Elf64_Rela', which is 
> incompatible with sizeof operand type 'Elf64_Rel'
> 
> So far it does not look like a false-positive to me.

Looks like a valid bug to me.  I think the following patch is needed:

diff --git a/contrib/elftoolchain/elfcopy/sections.c 
b/contrib/elftoolchain/elfcopy/sections.c
index b292d18693b4..92265289c7d1 100644
--- a/contrib/elftoolchain/elfcopy/sections.c
+++ b/contrib/elftoolchain/elfcopy/sections.c
@@ -716,13 +716,13 @@ filter_reloc(struct elfcopy *ecp, struct section *s)
 #define        COPYREL(REL, SZ) do {                                   \
        if (nrels == 0) {                                       \
                if ((REL##SZ = malloc(cap *                     \
-                   sizeof(Elf##SZ##_Rel))) == NULL)            \
+                   sizeof(*REL##SZ))) == NULL)                 \
                        err(EXIT_FAILURE, "malloc failed");     \
        }                                                       \
        if (nrels >= cap) {                                     \
                cap *= 2;                                       \
                if ((REL##SZ = realloc(REL##SZ, cap *           \
-                   sizeof(Elf##SZ##_Rel))) == NULL)            \
+                   sizeof(*REL##SZ))) == NULL)                 \
                        err(EXIT_FAILURE, "realloc failed");    \
        }                                                       \
        REL##SZ[nrels].r_offset = REL.r_offset;                 \
_______________________________________________
freebsd-toolchain@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-toolchain
To unsubscribe, send any mail to "freebsd-toolchain-unsubscr...@freebsd.org"

Reply via email to