public inbox for binutils@sourceware.org
* BFD overflows
@ 2005-05-08  7:56 Mike Frysinger
  2005-05-09  3:45 ` Alan Modra
From: Mike Frysinger @ 2005-05-08  7:56 UTC (permalink / raw)
  To: binutils


we were playing around with bfd-related apps in Gentoo and ended up finding 
that many can be overflowed with junk binaries

Sebastian Krahmer from SuSe proposed this patch which fixes some of the 
overflows (should apply cleanly to mainline and the 2.16 branch):
http://viewcvs.gentoo.org/src/patchsets/binutils/2.16/81_all_binutils-2.15-bfd-overflow.patch?root=gentoo&rev=1.1

however, at least one issue still remains.  find attached a small binary 
which, when you run `strings` on it, triggers a segfault:

$ strings --version
GNU strings 2.16
Copyright 2005 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License.  This program has absolutely no warranty.

$ gdb --args strings strings.114
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /var/tmp/portage/binutils-2.16/binutils/strings /root/strings.114

Program received signal SIGSEGV, Segmentation fault.
0x0000000000422048 in bfd_elf_string_from_elf_section (abfd=0x5a9090, shindex=26, strindex=11) at elf.c:288
288       if (hdr->contents == NULL
(gdb) bt
#0  0x0000000000422048 in bfd_elf_string_from_elf_section (abfd=0x5a9090, shindex=26, strindex=11) at elf.c:288
#1  0x000000000042546f in bfd_section_from_shdr (abfd=0x5a9090, shindex=1) at elf.c:1713
#2  0x00000000004522f8 in bfd_elf32_object_p (abfd=0x5a9090) at elfcode.h:723
#3  0x000000000040a2df in bfd_check_format_matches (abfd=0x5a9090, format=bfd_object, matching=0x0) at format.c:228
#4  0x000000000040a07c in bfd_check_format (abfd=0x5a9090, format=bfd_object) at format.c:91
#5  0x000000000040243a in strings_object_file (file=0x7fffffb25439 "/root/strings.114") at strings.c:358
#6  0x0000000000402532 in strings_file (file=0x7fffffb25439 "/root/strings.114") at strings.c:397
#7  0x000000000040230f in main (argc=2, argv=0x7fffffb24868) at strings.c:306
-mike

[-- Attachment #2: strings.114.bz2 --]
[-- Type: application/x-bzip2, Size: 8909 bytes --]


* Re: BFD overflows
  2005-05-08  7:56 BFD overflows Mike Frysinger
@ 2005-05-09  3:45 ` Alan Modra
From: Alan Modra @ 2005-05-09  3:45 UTC (permalink / raw)
  To: Mike Frysinger; +Cc: binutils

On Sat, May 07, 2005 at 09:14:41PM -0400, Mike Frysinger wrote:
> however, at least one issue still remains.  find attached a small binary 
> which, when you run `strings` on it, triggers a segfault:

	* elfcode.h (elf_object_p): Add more sanity checks on elf header.

Applying mainline.

Index: bfd/elfcode.h
===================================================================
RCS file: /cvs/src/src/bfd/elfcode.h,v
retrieving revision 1.67
diff -u -p -r1.67 elfcode.h
--- bfd/elfcode.h	4 May 2005 15:53:28 -0000	1.67
+++ bfd/elfcode.h	8 May 2005 11:18:23 -0000
@@ -612,8 +612,13 @@ elf_object_p (bfd *abfd)
 
   if (i_ehdrp->e_shoff != 0)
     {
+      bfd_signed_vma where = i_ehdrp->e_shoff;
+
+      if (where != (file_ptr) where)
+	goto got_wrong_format_error;
+
       /* Seek to the section header table in the file.  */
-      if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0)
+      if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
 	goto got_no_match;
 
       /* Read the first section header at index 0, and convert to internal
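Review bot: `where` is declared `bfd_signed_vma` but is initialised from `i_ehdrp->e_shoff`, an unsigned field, so an e_shoff with its top bit set becomes a negative `where`; on a host where `file_ptr` is as wide as `bfd_signed_vma` (the 64-bit host in the report), `where != (file_ptr) where` is false for such a value and the negative offset goes straight into `bfd_seek`. Consider an explicit `if (where < 0) goto got_wrong_format_error;` next to the round-trip test, and a comment stating that the round-trip comparison only catches narrowing on hosts where `file_ptr` is narrower than the vma type.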
@@ -625,13 +630,50 @@ elf_object_p (bfd *abfd)
       /* If the section count is zero, the actual count is in the first
 	 section header.  */
       if (i_ehdrp->e_shnum == SHN_UNDEF)
-	i_ehdrp->e_shnum = i_shdr.sh_size;
+	{
+	  i_ehdrp->e_shnum = i_shdr.sh_size;
+	  if (i_ehdrp->e_shnum != i_shdr.sh_size)
+	    goto got_wrong_format_error;
+	}
 
       /* And similarly for the string table index.  */
       if (i_ehdrp->e_shstrndx == SHN_XINDEX)
-	i_ehdrp->e_shstrndx = i_shdr.sh_link;
+	{
+	  i_ehdrp->e_shstrndx = i_shdr.sh_link;
+	  if (i_ehdrp->e_shstrndx != i_shdr.sh_link)
+	    goto got_wrong_format_error;
+	}
+
+      /* Sanity check that we can read all of the section headers.
+	 It ought to be good enough to just read the last one.  */
+      if (i_ehdrp->e_shnum != 1)
+	{
+	  /* Check that we don't have a totally silly number of sections.  */
+	  if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr))
+	    goto got_wrong_format_error;
+
+	  where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr);
+	  if (where != (file_ptr) where)
+	    goto got_wrong_format_error;
+	  if ((bfd_size_type) where <= i_ehdrp->e_shoff)
+	    goto got_wrong_format_error;
+
+	  if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+	    goto got_no_match;
+	  if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+	    goto got_no_match;
+
+	  /* Back to where we were.  */
+	  where = i_ehdrp->e_shoff + sizeof (x_shdr);
+	  if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0)
+	    goto got_no_match;
+	}
     }
 
+  /* A further sanity check.  */
+  if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum)
+    goto got_wrong_format_error;
+
   /* Allocate space for a copy of the section header table in
      internal form.  */
   if (i_ehdrp->e_shnum != 0)
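Review bot: the "further sanity check" `if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum) goto got_wrong_format_error;` sits outside the `if (i_ehdrp->e_shoff != 0)` block, so a file with no section header table at all, where e_shnum and e_shstrndx are both 0, hits `0 >= 0` and is rejected as wrong format; core files and fully stripped objects look exactly like that. Suggest guarding it with `if (i_ehdrp->e_shnum != 0)` and, in the e_shnum == 0 branch, rejecting only when `i_ehdrp->e_shstrndx != SHN_UNDEF`. A smaller point: the `(unsigned int) -1 / sizeof (x_shdr)` limit only keeps the `where` arithmetic from wrapping, and it is the seek-and-read of the last header that actually proves the table fits in the file; a comment saying so would save the next reader from taking the first test as the bounds check.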

-- 
Alan Modra
IBM OzLabs - Linux Technology Centre
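Added example, not bfd code and not from this thread: the sanity checks the patch introduces, rewritten as a stand-alone C validator over constructed header values so they can be exercised without a crafted binary. The `ehdr_view` struct, the `verdict` enum and both functions are assumptions; the 64-byte ELF64 section header size and the SHN_UNDEF/SHN_XINDEX escape values are real. It also covers the case the patch's final check trips over, a file with no section headers at all.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed example, not bfd code: ELF64 header size and escape indices. */
#define SHN_UNDEF       0
#define SHN_XINDEX      0xffff
#define ELF64_SHDR_SIZE 64

struct ehdr_view {       /* header fields after escape resolution (assumed type) */
    uint64_t e_shoff;
    uint64_t e_shnum;    /* can come from a 64-bit sh_size, so keep it wide */
    uint32_t e_shstrndx; /* can come from a 32-bit sh_link */
};

enum verdict { SHDR_OK = 0, SHDR_BAD_OFFSET, SHDR_BAD_COUNT, SHDR_BAD_STRNDX };

/* e_shnum == 0 means the count lives in header 0's sh_size; e_shstrndx ==
   SHN_XINDEX means the string table index lives in header 0's sh_link. */
struct ehdr_view resolve_escapes(uint64_t e_shoff, uint16_t raw_shnum,
                                 uint16_t raw_shstrndx, uint64_t sh0_size, uint32_t sh0_link)
{
    struct ehdr_view h = { e_shoff, 0, 0 };
    h.e_shnum = raw_shnum == SHN_UNDEF ? sh0_size : raw_shnum;
    h.e_shstrndx = raw_shstrndx == SHN_XINDEX ? sh0_link : raw_shstrndx;
    return h;
}

/* Check the section header table against a file of file_size bytes before any
   header is trusted: table inside the file, count * size cannot wrap, and
   e_shstrndx names a real header.  A file with no section headers at all
   (e_shnum == 0 with e_shstrndx == SHN_UNDEF, e.g. a core file) is accepted. */
enum verdict check_section_headers(const struct ehdr_view *h, uint64_t file_size)
{
    if (h->e_shnum == 0)
        return h->e_shstrndx == SHN_UNDEF ? SHDR_OK : SHDR_BAD_STRNDX;
    if (h->e_shoff == 0 || h->e_shoff >= file_size)
        return SHDR_BAD_OFFSET;
    if (h->e_shnum > UINT64_MAX / ELF64_SHDR_SIZE)             /* product wraps */
        return SHDR_BAD_COUNT;
    if (h->e_shnum * ELF64_SHDR_SIZE > file_size - h->e_shoff) /* table past EOF */
        return SHDR_BAD_COUNT;
    if (h->e_shstrndx >= h->e_shnum)        /* the out-of-range index in the crash */
        return SHDR_BAD_STRNDX;
    return SHDR_OK;
}

int main(void)
{   /* Constructed: a 4096-byte file claiming 3 sections but a shstrndx of 26. */
    struct ehdr_view h = resolve_escapes(1024, 3, 26, 0, 0);
    printf("verdict %d (3 = bad string table index)\n", check_section_headers(&h, 4096));
    return 0;
}
```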

