public inbox for binutils@sourceware.org
* BFD overflows (part 2)
From: Mike Frysinger @ 2005-05-12 12:50 UTC
  To: binutils


the previous patch by Alan Modra fixed up many of the test cases we've been 
using, but there's still some left that cause strings to segfault (tested 
against vanilla binutils-2.16.90.0.3)

find attached two binaries which trigger segfaults in different locations

strings.024:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000419f37 in bfd_section_from_shdr (abfd=0x584090, shindex=20)
    at elf.c:1751
1751          if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)

strings.095:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0, 
    shindex=5784064, strindex=47) at elf.c:280
280     {
-mike

[-- Attachment #2: strings.024.bz2 --]
[-- Type: application/x-bzip2, Size: 8914 bytes --]

[-- Attachment #3: strings.095.bz2 --]
[-- Type: application/x-bzip2, Size: 8896 bytes --]


* Re: BFD overflows (part 2) [first patch]
From: Mike Frysinger @ 2005-05-12 16:21 UTC
  To: binutils


On Thursday 12 May 2005 07:36 am, Mike Frysinger wrote:
> strings.024:
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000419f37 in bfd_section_from_shdr (abfd=0x584090, shindex=20)
>     at elf.c:1751
> 1751          if (elf_elfsections (abfd)[hdr->sh_link]->sh_type !=
> SHT_STRTAB)

find attached a small patch against mainline written by Tavis Ormandy 
<taviso@gentoo.org> to fix this case
-mike

[-- Attachment #2: bfd-elf-dyn-overflow.patch --]
[-- Type: text/x-diff, Size: 708 bytes --]

--- bfd/ChangeLog
+++ bfd/ChangeLog
@@ -1,3 +1,7 @@
+2005-05-12  Tavis Ormandy <taviso@gentoo.org>
+
+	* elf.c: Add sanity check when parsing dynamic sections.
+
 2005-05-09  Kelley Cook  <kcook@gcc.gnu.org>
 
 	* configure.in: Replace AC_COMPILE_CHECK_SIZEOF with AC_CHECK_SIZEOF.
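Review bot: the ChangeLog entry should name the function that changed, as the neighbouring entry and the `(group_signature)` entries later in this thread do; the gdb trace in the report puts the crashing `elf_elfsections (abfd)[hdr->sh_link]->sh_type` line in bfd_section_from_shdr, so `* elf.c (bfd_section_from_shdr): Add sanity check when parsing dynamic sections.` is the conventional form.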
--- bfd/elf.c
+++ bfd/elf.c
@@ -1768,6 +1768,9 @@
     case SHT_DYNAMIC:	/* Dynamic linking information.  */
       if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
 	return FALSE;
+      if (hdr->sh_link > elf_numsections (abfd) || 
+		elf_elfsections (abfd)[hdr->sh_link] == NULL)
+	return FALSE;
       if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
 	{
 	  Elf_Internal_Shdr *dynsymhdr;
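Review bot: the bounds test in the added `if` is off by one: `elf_elfsections (abfd)` has `elf_numsections (abfd)` entries, so a `sh_link` equal to `elf_numsections (abfd)` passes the `>` test and is still read one past the end of the array before the NULL check runs; the comparison should be `>=`. Style: the surrounding GNU code puts the `||` at the start of the continuation line aligned under the opening paren, not at the end of the first line (which here also carries trailing whitespace and a tab-indented continuation).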


* Re: BFD overflows (part 2) [first patch]
From: Nick Clifton @ 2005-05-17 17:16 UTC
  To: Mike Frysinger, Tavis Ormandy; +Cc: binutils

Hi Mike, Hi Tavis,

>>strings.024:
>>Program received signal SIGSEGV, Segmentation fault.
>>0x0000000000419f37 in bfd_section_from_shdr (abfd=0x584090, shindex=20)
>>    at elf.c:1751
>>1751          if (elf_elfsections (abfd)[hdr->sh_link]->sh_type !=
>>SHT_STRTAB)

> find attached a small patch against mainline written by Tavis Ormandy 
> <taviso@gentoo.org> to fix this case

Thanks for submitting this patch - I have applied it to the mainline 
sources.

Cheers
   Nick



* Re: BFD overflows (part 2)
From: Nick Clifton @ 2005-05-17 18:25 UTC
  To: Mike Frysinger; +Cc: binutils


Hi Mike,

> strings.095:
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0, 
>     shindex=5784064, strindex=47) at elf.c:280

This was a nasty one - the file was stimulating an infinite loop inside 
the code in elf.c between group_signature() and bfd_section_from_shdr(). 
Anyway I will be checking in the attached patch to catch and prevent 
this occurring in the future.

Cheers
   Nick

bfd/ChangeLog
2005-05-17  Nick Clifton  <nickc@redhat.com>

	* elf.c (group_signature): Check for a group section which is
	actually a (corrupt) symbol table section in disguise and prevent
	an infinite loop from occurring.


[-- Attachment #2: elf.c.patch --]
[-- Type: text/plain, Size: 1543 bytes --]

Index: bfd/elf.c
===================================================================
RCS file: /cvs/src/src/bfd/elf.c,v
retrieving revision 1.293
diff -c -3 -p -r1.293 elf.c
*** bfd/elf.c	17 May 2005 16:23:26 -0000	1.293
--- bfd/elf.c	17 May 2005 18:00:45 -0000
*************** group_signature (bfd *abfd, Elf_Internal
*** 451,458 ****
    unsigned char esym[sizeof (Elf64_External_Sym)];
    Elf_External_Sym_Shndx eshndx;
    Elf_Internal_Sym isym;
  
!   /* First we need to ensure the symbol table is available.  */
    if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
      return NULL;
  
--- 451,473 ----
    unsigned char esym[sizeof (Elf64_External_Sym)];
    Elf_External_Sym_Shndx eshndx;
    Elf_Internal_Sym isym;
+   unsigned int i;
+ 
+   if (ghdr == NULL)
+     return NULL;
+ 
+   /* If this section is linked to by other sections then it is a symbol or
+      string section which is masquerading as a group.  This is a bad thing,
+      and if we carry on to the call to bfd_section_from_shdr below we will
+      enter an infinite loop.  So check now and break out if we detect this
+      case.  See:    
+      http://sources.redhat.com/ml/binutils/2005-05/msg00421.html
+      for a report of a case that tirggers this code.  */
+   for (i = elf_numsections (abfd); i--;)
+     if (elf_elfsections (abfd) [elf_elfsections (abfd) [i]->sh_link] == ghdr)
+       return NULL;
  
!   /* Next we need to ensure the symbol table is available.  */
    if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
      return NULL;
  
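Review bot: the new loop uses `elf_elfsections (abfd) [i]->sh_link` as an index into the section array without first checking it against `elf_numsections (abfd)`, which is the same unchecked sh_link read that strings.024 triggered in bfd_section_from_shdr earlier in this thread, so a corrupt sh_link in any section would make this guard itself read out of bounds; a range test on that sh_link (and a NULL check on `elf_elfsections (abfd) [i]`) before the dereference would close that. Minor: "tirggers" in the comment, and trailing whitespace after "See:".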


* Re: BFD overflows (part 2)
From: H. J. Lu @ 2005-05-17 22:00 UTC
  To: Nick Clifton; +Cc: Mike Frysinger, binutils

On Tue, May 17, 2005 at 07:08:11PM +0100, Nick Clifton wrote:
> Hi Mike,
> 
> >strings.095:
> >Program received signal SIGSEGV, Segmentation fault.
> >0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0, 
> >    shindex=5784064, strindex=47) at elf.c:280
> 
> This was a nasty one - the file was stimulating an infinite loop inside 
> the code in elf.c between group_signature() and bfd_section_from_shdr(). 
>  Anyway I will be checking in the attached patch to catch and prevent 
> this occurring in the future.
> 

I prefer this patch.


H.J.
---
2005-05-17  H.J. Lu  <hongjiu.lu@intel.com>

	* elf.c (group_signature): Check if the symbol table section is
	correct.

--- bfd/elf.c.bad	2005-05-17 10:32:52.000000000 -0700
+++ bfd/elf.c	2005-05-17 14:27:10.000000000 -0700
@@ -452,8 +452,11 @@ group_signature (bfd *abfd, Elf_Internal
   Elf_External_Sym_Shndx eshndx;
   Elf_Internal_Sym isym;
 
-  /* First we need to ensure the symbol table is available.  */
-  if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
+  /* First we need to ensure the symbol table is available.  Make sure
+     that it is a symbol table section.  */
+  hdr = elf_elfsections (abfd) [ghdr->sh_link];
+  if (hdr->sh_type != SHT_SYMTAB
+      || ! bfd_section_from_shdr (abfd, ghdr->sh_link))
     return NULL;
 
   /* Go read the symbol.  */
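Review bot: `ghdr->sh_link` is used to index `elf_elfsections (abfd)` before anything in this hunk checks it against `elf_numsections (abfd)`, so a group header whose sh_link is out of range is still read past the array before the `sh_type` test runs; adding `ghdr->sh_link >= elf_numsections (abfd)` (or a NULL check on the fetched entry) to the condition would cover that case as well. `hdr` is not declared within the hunk, so it must be the existing local that the following "Go read the symbol" code assigns; worth confirming nothing reads it between this assignment and that one.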


* Re: BFD overflows (part 2)
From: Nick Clifton @ 2005-05-18  8:09 UTC
  To: H. J. Lu; +Cc: Mike Frysinger, binutils

Hi H. J.

> I prefer this patch.

Much simpler :-)

> 2005-05-17  H.J. Lu  <hongjiu.lu@intel.com>
> 
> 	* elf.c (group_signature): Check if the symbol table section is
> 	correct.

Please revert my patch and apply your version instead.

Cheers
   Nick
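The two checks the fixes in this thread converge on, a range test on sh_link before it is used as an index into the section table and a type test on the linked section, as an added example in C that is not binutils code: the shdr struct, the SHT_ constants and the section tables are constructed stand-ins for the BFD structures, and check_sh_links is my own function name.

```c
#include <stdint.h>

/* Constructed stand-ins for the ELF constants and the two
   Elf_Internal_Shdr fields the checks need (not BFD code). */
#define SHT_SYMTAB   2
#define SHT_STRTAB   3
#define SHT_DYNAMIC  6
#define SHT_GROUP   17

struct shdr {
    uint32_t sh_type;
    uint32_t sh_link;   /* index of a related section */
};

/* Return -1 if every sh_link is safe to use, else the index of the
   first section whose link is out of range or of the wrong type.
   Range first: valid indices are 0..num_sections-1, so the test is
   >= (the first patch in the thread used > and lets one past).
   Then the type test from H.J. Lu's patch: a group must link to a
   real symbol table, which also breaks the group_signature() /
   bfd_section_from_shdr() loop described for strings.095. */
int check_sh_links(const struct shdr *secs, uint32_t num_sections)
{
    for (uint32_t i = 0; i < num_sections; i++) {
        uint32_t link = secs[i].sh_link;
        if (link >= num_sections)
            return (int) i;
        if (secs[i].sh_type == SHT_DYNAMIC && secs[link].sh_type != SHT_STRTAB)
            return (int) i;
        if (secs[i].sh_type == SHT_GROUP && secs[link].sh_type != SHT_SYMTAB)
            return (int) i;
    }
    return -1;
}

/* Constructed section tables (not the thread's attachments). */
static const struct shdr good_tbl[] = {
    {0, 0}, {SHT_SYMTAB, 2}, {SHT_STRTAB, 0},
    {SHT_DYNAMIC, 2},   /* dynamic -> string table: fine */
    {SHT_GROUP, 1},     /* group -> symbol table: fine */
};
static const struct shdr bad_link_tbl[] = {   /* strings.024 style */
    {0, 0}, {SHT_STRTAB, 0}, {SHT_DYNAMIC, 20},  /* sh_link past end */
};
static const struct shdr fake_group_tbl[] = { /* strings.095 style */
    {0, 0}, {SHT_STRTAB, 0}, {SHT_GROUP, 3}, {SHT_GROUP, 2},
};
int example_good(void)  { return check_sh_links(good_tbl, 5); }
int example_bad(void)   { return check_sh_links(bad_link_tbl, 3); }
int example_group(void) { return check_sh_links(fake_group_tbl, 4); }
```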

