Mailing-List: contact binutils-help@sources.redhat.com; run by ezmlm Date: Mon, 09 May 2005 03:45:00 -0000
From: Alan Modra To: Mike Frysinger Cc: binutils@sources.redhat.com Subject: Re: BFD overflows Message-ID: <20050509032550.GI782@bubble.grove.modra.org> Mail-Followup-To: Mike Frysinger , binutils@sources.redhat.com References: <200505072114.41510.vapier@gentoo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200505072114.41510.vapier@gentoo.org> User-Agent: Mutt/1.4i X-SW-Source: 2005-05/txt/msg00337.txt.bz2 On Sat, May 07, 2005 at 09:14:41PM -0400, Mike Frysinger wrote: > however, at least one issue still remains. find attached a small binary > which, when you run `strings` on it, triggers a segfault: * elfcode.h (elf_object_p): Add more sanity checks on elf header. Applying mainline. Index: bfd/elfcode.h =================================================================== RCS file: /cvs/src/src/bfd/elfcode.h,v retrieving revision 1.67 diff -u -p -r1.67 elfcode.h --- bfd/elfcode.h 4 May 2005 15:53:28 -0000 1.67 +++ bfd/elfcode.h 8 May 2005 11:18:23 -0000 @@ -612,8 +612,13 @@ elf_object_p (bfd *abfd) if (i_ehdrp->e_shoff != 0) { + bfd_signed_vma where = i_ehdrp->e_shoff; + + if (where != (file_ptr) where) + goto got_wrong_format_error; + /* Seek to the section header table in the file. */ - if (bfd_seek (abfd, (file_ptr) i_ehdrp->e_shoff, SEEK_SET) != 0) + if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0) goto got_no_match; /* Read the first section header at index 0, and convert to internal 
@@ -625,13 +630,50 @@ elf_object_p (bfd *abfd) /* If the section count is zero, the actual count is in the first section header. */ if (i_ehdrp->e_shnum == SHN_UNDEF) - i_ehdrp->e_shnum = i_shdr.sh_size; + { + i_ehdrp->e_shnum = i_shdr.sh_size; + if (i_ehdrp->e_shnum != i_shdr.sh_size) + goto got_wrong_format_error; + } /* And similarly for the string table index. */ if (i_ehdrp->e_shstrndx == SHN_XINDEX) - i_ehdrp->e_shstrndx = i_shdr.sh_link; + { + i_ehdrp->e_shstrndx = i_shdr.sh_link; + if (i_ehdrp->e_shstrndx != i_shdr.sh_link) + goto got_wrong_format_error; + } + + /* Sanity check that we can read all of the section headers. + It ought to be good enough to just read the last one. */ + if (i_ehdrp->e_shnum != 1) + { + /* Check that we don't have a totally silly number of sections. */ + if (i_ehdrp->e_shnum > (unsigned int) -1 / sizeof (x_shdr)) + goto got_wrong_format_error; + + where += (i_ehdrp->e_shnum - 1) * sizeof (x_shdr); + if (where != (file_ptr) where) + goto got_wrong_format_error; + if ((bfd_size_type) where <= i_ehdrp->e_shoff) + goto got_wrong_format_error; + + if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0) + goto got_no_match; + if (bfd_bread (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) + goto got_no_match; + + /* Back to where we were. */ + where = i_ehdrp->e_shoff + sizeof (x_shdr); + if (bfd_seek (abfd, (file_ptr) where, SEEK_SET) != 0) + goto got_no_match; + } } + /* A further sanity check. */ + if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum) + goto got_wrong_format_error; + /* Allocate space for a copy of the section header table in internal form. */ if (i_ehdrp->e_shnum != 0) -- Alan Modra IBM OzLabs - Linux Technology Centre
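Review bot: in the first hunk (the `where` check added before the seek to e_shoff), `where` is declared `bfd_signed_vma` but initialised from `i_ehdrp->e_shoff`, which the ELF header carries as an unsigned file offset, so an e_shoff with its top bit set turns into a negative `where`; the only guard is `if (where != (file_ptr) where)`, which cannot fail when file_ptr is as wide as bfd_signed_vma, so the negative value goes straight into `bfd_seek (abfd, (file_ptr) where, SEEK_SET)`. Reject it explicitly before the seek, e.g. `if (where < 0 || where != (file_ptr) where) goto got_wrong_format_error;`, so the outcome does not depend on what bfd_seek does with a negative position.

Review bot: in the second hunk, the new `if (i_ehdrp->e_shstrndx >= i_ehdrp->e_shnum) goto got_wrong_format_error;` sits outside the `e_shoff != 0` block, so a file with no section header table at all (e_shoff == 0, e_shnum == 0, e_shstrndx == SHN_UNDEF, which is the well-formed case) evaluates `0 >= 0` and is rejected as wrong format. Guard the comparison with `i_ehdrp->e_shnum != 0`, and when e_shnum is 0 require only that e_shstrndx == SHN_UNDEF. Separately, `if (i_ehdrp->e_shnum != 1)` also admits e_shnum == 0, which is reachable when the SHN_UNDEF path copies a zero sh_size; in that case `(i_ehdrp->e_shnum - 1)` wraps in unsigned arithmetic, `where` is advanced by a huge amount, and the seek and read at that offset can only fail through got_no_match rather than got_wrong_format_error. `if (i_ehdrp->e_shnum > 1)` avoids both the wraparound and the pointless seek and read.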