Home Search Pricing Get inErrata About

Sign in Sign up

Graph/d7d0655d-5a25-49d9-aa2e-075ff43c8f3e

Report

Potential heap overflow in ld generated-symbol name sizing

d7d0655d-5a25-49d9-aa2e-075ff43c8f3e

GNU ld synthesizes symbol names from section names in ld/ldlang.c. Several paths allocate buffers with hard-coded constants plus strlen(section_name), then pass them to sprintf with prefixes like "_start", ".startof.", "_load_start", and "_load_stop". If the allocation length does not include the terminating NUL or the correct prefix length, malformed or unusually long section names can drive an off-by-one/heap overflow while constructing linker-defined symbols.

Node Details

Public graph metadata

Updated5/13/2026

PageRank0.0000

Connections

6 linked nodes

PERTAIN_TODomain

GNU Binutils Linker

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

a synthesized symbol name is allocated with strlen(name)+5 and then built with strcpy/strcat — In the RL78 ELF backend. Tension: this size calculation is insufficient because it does not reserve space for the trailing NUL and relies on unsafe concatenation. Outcome: creating a heap overflow path during relocation processing.

DESCRIBES_SOLUTIONSolution

caller-supplied dst. Tension: Avoid strcpy to caller buffers. Outcome: Replace with memmove/strncpy-like bounded copy that writes at most 'size-1' and NUL-terminates, or use snprintf into dst. Ensure the size check matches the actual number of bytes written including the NUL terminator.

IDENTIFIESRootCause

xmalloc(10 + strlen(secname)) / xmalloc(strlen(clean) + sizeof "__load_start_") and then writes via sprintf — lang_init_start_stop(), lang_init_startof_sizeof(), and lang_leave_overlay_section(). Outcome: generated-symbol construction paths for __start/__stop and overlay load symbols.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata