espressif/binutils-gdb
1
0
Fork 0
mirror of https://github.com/espressif/binutils-gdb.git synced 2025-06-28 23:39:35 +08:00
Code Issues Packages Projects Releases Wiki Activity

This patch closes a potential security hole in applications that use

Browse Source 
the bfd library to parse binaries containing maliciously corrupt section
group headers.

	PR binutils/17510
	* elf.c (setup_group): Improve handling of corrupt group
	sections.
This commit is contained in:
Nick Clifton
2014-10-27 12:43:16 +00:00
parent 763905a3ad
commit 493a33860c
2 changed files with 36 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bfd/ChangeLog
View File

@ -1,3 +1,9 @@
2014-10-27 Nick Clifton <nickc@redhat.com>
PR binutils/17510
* elf.c (setup_group): Improve handling of corrupt group
sections.
2014-10-24 Tejas Belagod <tejas.belagod@arm.com> 2014-10-24 Tejas Belagod <tejas.belagod@arm.com>
* bfd-in.h (bfd_elf64_aarch64_set_options): Add a parameter. * bfd-in.h (bfd_elf64_aarch64_set_options): Add a parameter.

32
bfd/elf.c
View File

@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
if (shdr->contents == NULL) if (shdr->contents == NULL)
{ {
_bfd_error_handler _bfd_error_handler
(_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value); bfd_set_error (bfd_error_bad_value);
return FALSE; -- num_group;
continue;
} }
memset (shdr->contents, 0, amt); memset (shdr->contents, 0, amt);
@ -618,7 +619,16 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd) || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size)) != shdr->sh_size))
return FALSE; {
_bfd_error_handler
(_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value);
-- num_group;
/* PR 17510: If the group contents are even partially
corrupt, do not allow any of the contents to be used. */
memset (shdr->contents, 0, amt);
continue;
}
/* Translate raw contents, a flag word followed by an /* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order, array of elf section indices all in target byte order,
@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
} }
} }
} }
/* PR 17510: Corrupt binaries might contain invalid groups. */
if (num_group != (unsigned) elf_tdata (abfd)->num_group)
{
elf_tdata (abfd)->num_group = num_group;
/* If all groups are invalid then fail. */
if (num_group == 0)
{
elf_tdata (abfd)->group_sect_ptr = NULL;
elf_tdata (abfd)->num_group = num_group = -1;
(*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
bfd_set_error (bfd_error_bad_value);
}
}
} }
} }
@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
{ {
(*_bfd_error_handler) (_("%B: no group info for section %A"), (*_bfd_error_handler) (_("%B: no group info for section %A"),
abfd, newsect); abfd, newsect);
return FALSE;
} }
return TRUE; return TRUE;
} }