diff options
author | Nick Clifton <nickc@redhat.com> | 2014-10-27 12:43:16 +0000 |
---|---|---|
committer | Nick Clifton <nickc@redhat.com> | 2014-10-27 12:45:36 +0000 |
commit | 493a33860c71cac998f1a56d6d87d6faa801fbaa (patch) | |
tree | 22158bb7a9faf541fd19af9f9b8e9d77d8df41f1 | |
parent | 763905a3ad8f98d33bd9319790a8d53904554265 (diff) | |
download | gdb-493a33860c71cac998f1a56d6d87d6faa801fbaa.zip gdb-493a33860c71cac998f1a56d6d87d6faa801fbaa.tar.gz gdb-493a33860c71cac998f1a56d6d87d6faa801fbaa.tar.bz2 |
This patch closes a potential security hole in applications that use
the bfd library to parse binaries containing maliciously corrupt section
group headers.
PR binutils/17510
* elf.c (setup_group): Improve handling of corrupt group
sections.
-rw-r--r-- | bfd/ChangeLog | 6 | ||||
-rw-r--r-- | bfd/elf.c | 34 |
2 files changed, 36 insertions, 4 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog index 04b6d86..7ba4431 100644 --- a/bfd/ChangeLog +++ b/bfd/ChangeLog @@ -1,3 +1,9 @@ +2014-10-27 Nick Clifton <nickc@redhat.com> + + PR binutils/17510 + * elf.c (setup_group): Improve handling of corrupt group + sections. + 2014-10-24 Tejas Belagod <tejas.belagod@arm.com> * bfd-in.h (bfd_elf64_aarch64_set_options): Add a parameter. @@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) if (shdr->contents == NULL) { _bfd_error_handler - (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); + (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); bfd_set_error (bfd_error_bad_value); - return FALSE; + -- num_group; + continue; } memset (shdr->contents, 0, amt); @@ -618,8 +619,17 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 || (bfd_bread (shdr->contents, shdr->sh_size, abfd) != shdr->sh_size)) - return FALSE; - + { + _bfd_error_handler + (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size); + bfd_set_error (bfd_error_bad_value); + -- num_group; + /* PR 17510: If the group contents are even partially + corrupt, do not allow any of the contents to be used. */ + memset (shdr->contents, 0, amt); + continue; + } + /* Translate raw contents, a flag word followed by an array of elf section indices all in target byte order, to the flag word followed by an array of elf section @@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) } } } + + /* PR 17510: Corrupt binaries might contain invalid groups. */ + if (num_group != (unsigned) elf_tdata (abfd)->num_group) + { + elf_tdata (abfd)->num_group = num_group; + + /* If all groups are invalid then fail. */ + if (num_group == 0) + { + elf_tdata (abfd)->group_sect_ptr = NULL; + elf_tdata (abfd)->num_group = num_group = -1; + (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd); + bfd_set_error (bfd_error_bad_value); + } + } } } @@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect) { (*_bfd_error_handler) (_("%B: no group info for section %A"), abfd, newsect); + return FALSE; } return TRUE; } |