diff options
| author | Alan Modra <amodra@gmail.com> | 2025-08-17 15:13:06 +0930 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2025-08-17 16:02:56 +0930 |
| commit | f586f9b61d1e5d91f010e68922b8c8b86f787a27 (patch) | |
| tree | 723776ed1cf707cb5b7297655c30d5e031b91799 | |
| parent | 3f7c685f26df75ee3822a3629b2794deafdf881f (diff) | |
| download | binutils-f586f9b61d1e5d91f010e68922b8c8b86f787a27.zip binutils-f586f9b61d1e5d91f010e68922b8c8b86f787a27.tar.gz binutils-f586f9b61d1e5d91f010e68922b8c8b86f787a27.tar.bz2 | |
buffer overflow in process_sht_group_entries
An oss-fuzz testcase with a SHT_GROUP section named .debug managed to
break objcopy --compress-debug-sections. The underlying problem is
that SEC_DEBUGGING is set by section name tests, thus the SHT_GROUP
section gets compressed. The compressed section data is smaller than
the original section sh_size, and process_sht_group_entries tries to
look at sh_size worth of entries. The patch fixes this mess by simply
not setting SEC_DEBUGGING on SHT_GROUP sections.
Note that it isn't correct to restrict SEC_DEBUGGING to SHT_PROGBITS
sections, as that will break processor/os special sections for debug.
eg. SHT_MIPS_DEBUG.
* elf.c (_bfd_elf_make_section_from_shdr): Don't set
SEC_DEBUGGING on SEC_GROUP sections no matter their name.
| -rw-r--r-- | bfd/elf.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -957,7 +957,7 @@ _bfd_elf_make_section_from_shdr (bfd *abfd, break; } - if ((flags & SEC_ALLOC) == 0) + if ((flags & (SEC_ALLOC | SEC_GROUP)) == 0) { /* The debugging sections appear to be recognized only by name, not any sort of flag. Their SEC_ALLOC bits are cleared. */ |