aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Clifton <nickc@redhat.com>2014-10-27 12:43:16 +0000
committerNick Clifton <nickc@redhat.com>2014-10-27 12:45:36 +0000
commit493a33860c71cac998f1a56d6d87d6faa801fbaa (patch)
tree22158bb7a9faf541fd19af9f9b8e9d77d8df41f1
parent763905a3ad8f98d33bd9319790a8d53904554265 (diff)
downloadgdb-493a33860c71cac998f1a56d6d87d6faa801fbaa.zip
gdb-493a33860c71cac998f1a56d6d87d6faa801fbaa.tar.gz
gdb-493a33860c71cac998f1a56d6d87d6faa801fbaa.tar.bz2
This patch closes a potential security hole in applications that use
the bfd library to parse binaries containing maliciously corrupt section group headers. PR binutils/17510 * elf.c (setup_group): Improve handling of corrupt group sections.
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/elf.c34
2 files changed, 36 insertions, 4 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 04b6d86..7ba4431 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2014-10-27 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/17510
+ * elf.c (setup_group): Improve handling of corrupt group
+ sections.
+
2014-10-24 Tejas Belagod <tejas.belagod@arm.com>
* bfd-in.h (bfd_elf64_aarch64_set_options): Add a parameter.
diff --git a/bfd/elf.c b/bfd/elf.c
index c884d1d..c8ac826 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
if (shdr->contents == NULL)
{
_bfd_error_handler
- (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value);
- return FALSE;
+ -- num_group;
+ continue;
}
memset (shdr->contents, 0, amt);
@@ -618,8 +619,17 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size))
- return FALSE;
-
+ {
+ _bfd_error_handler
+ (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ bfd_set_error (bfd_error_bad_value);
+ -- num_group;
+ /* PR 17510: If the group contents are even partially
+ corrupt, do not allow any of the contents to be used. */
+ memset (shdr->contents, 0, amt);
+ continue;
+ }
+
/* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order,
to the flag word followed by an array of elf section
@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
}
}
}
+
+ /* PR 17510: Corrupt binaries might contain invalid groups. */
+ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
+ {
+ elf_tdata (abfd)->num_group = num_group;
+
+ /* If all groups are invalid then fail. */
+ if (num_group == 0)
+ {
+ elf_tdata (abfd)->group_sect_ptr = NULL;
+ elf_tdata (abfd)->num_group = num_group = -1;
+ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
+ bfd_set_error (bfd_error_bad_value);
+ }
+ }
}
}
@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
{
(*_bfd_error_handler) (_("%B: no group info for section %A"),
abfd, newsect);
+ return FALSE;
}
return TRUE;
}