diff options
| author | Alan Modra <amodra@gmail.com> | 2022-08-23 20:50:18 +0930 |
|---|---|---|
| committer | Alan Modra <amodra@gmail.com> | 2022-08-23 21:10:51 +0930 |
| commit | 37c49d0d63f7bc1f0a3c4e639df586df5f3a8e80 (patch) | |
| tree | ead4df98893cb39b345ee3b022d69dc856dc6e15 /bfd | |
| parent | 6ecc36f7b7a29952579a49dc3d90f6871c6ab238 (diff) | |
| download | gdb-37c49d0d63f7bc1f0a3c4e639df586df5f3a8e80.zip gdb-37c49d0d63f7bc1f0a3c4e639df586df5f3a8e80.tar.gz gdb-37c49d0d63f7bc1f0a3c4e639df586df5f3a8e80.tar.bz2 | |
SHT_RELR sh_link and sh_info
I don't think it makes any sense for a SHT_RELR section to specify a
symbol table with sh_link. SHT_RELR relocations don't use symbols.
There is no real need to specify sh_info either, SHT_RELR is not for
relocatable object files. Anyway, fuzzers of course don't restrict
themselves to even half-sensible objects. So they found a hole in
objcopy using a non-alloc SHT_RELR in an ET_EXEC. In that case BFD
set up the SHT_RELR section as if it were a SHT_REL against the
sh_info target section. When it came to reading in the target section
relocs, the count was horribly wrong which caused a buffer overflow.
* elf.c (bfd_section_from_shdr <SHT_RELR>): Always just make a
normal section, don't treat it as a reloc section.
Diffstat (limited to 'bfd')
| -rw-r--r-- | bfd/elf.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -2409,6 +2409,7 @@ bfd_section_from_shdr (bfd *abfd, unsigned int shindex) its sh_link points to the null section. */ if (((abfd->flags & (DYNAMIC | EXEC_P)) != 0 && (hdr->sh_flags & SHF_ALLOC) != 0) + || hdr->sh_type == SHT_RELR || hdr->sh_link == SHN_UNDEF || hdr->sh_link != elf_onesymtab (abfd) || hdr->sh_info == SHN_UNDEF |