* BFD overflows (part 2)
From: Mike Frysinger @ 2005-05-12 12:50 UTC (permalink / raw)
To: binutils
the previous patch by Alan Modra fixed up many of the test cases we've been
using, but there are still some left that cause strings to segfault (tested
against vanilla binutils-2.16.90.0.3).
find attached two binaries which trigger segfaults in different locations:
strings.024:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000419f37 in bfd_section_from_shdr (abfd=0x584090, shindex=20)
at elf.c:1751
1751 if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
strings.095:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0,
shindex=5784064, strindex=47) at elf.c:280
280 {
-mike
* Re: BFD overflows (part 2) [first patch]
From: Mike Frysinger @ 2005-05-12 16:21 UTC (permalink / raw)
To: binutils
On Thursday 12 May 2005 07:36 am, Mike Frysinger wrote:
> strings.024:
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000419f37 in bfd_section_from_shdr (abfd=0x584090, shindex=20)
> at elf.c:1751
> 1751 if (elf_elfsections (abfd)[hdr->sh_link]->sh_type !=
> SHT_STRTAB)
find attached a small patch against mainline written by Tavis Ormandy
<taviso@gentoo.org> to fix this case
-mike
--- bfd/ChangeLog
+++ bfd/ChangeLog
@@ -1,3 +1,7 @@
+2005-05-12 Tavis Ormandy <taviso@gentoo.org>
+
+ * elf.c: Add sanity check when parsing dynamic sections.
+
2005-05-09 Kelley Cook <kcook@gcc.gnu.org>
* configure.in: Replace AC_COMPILE_CHECK_SIZEOF with AC_CHECK_SIZEOF.
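Review bot: the new ChangeLog entry should name the function the check is added to, as the other entries in this thread do; `* elf.c: Add sanity check when parsing dynamic sections.` would normally read `* elf.c (bfd_section_from_shdr): Add sanity check ...`.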
--- bfd/elf.c
+++ bfd/elf.c
@@ -1768,6 +1768,9 @@
case SHT_DYNAMIC: /* Dynamic linking information. */
if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
return FALSE;
+ if (hdr->sh_link > elf_numsections (abfd) ||
+ elf_elfsections (abfd)[hdr->sh_link] == NULL)
+ return FALSE;
if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
{
Elf_Internal_Shdr *dynsymhdr;
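Review bot: the bounds test in the added lines is off by one: `hdr->sh_link > elf_numsections (abfd)` still lets `sh_link == elf_numsections (abfd)` through, and that value indexes one entry past the end of the elf_elfsections array before the `== NULL` test ever runs; it should be `hdr->sh_link >= elf_numsections (abfd)`. Minor style point: GNU style puts the `||` at the start of the continuation line rather than at the end of the first one.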
* Re: BFD overflows (part 2) [first patch]
From: Nick Clifton @ 2005-05-17 17:16 UTC (permalink / raw)
To: Mike Frysinger, Tavis Ormandy; +Cc: binutils
Hi Mike, Hi Tavis,
>>strings.024:
>>Program received signal SIGSEGV, Segmentation fault.
>>0x0000000000419f37 in bfd_section_from_shdr (abfd=0x584090, shindex=20)
>> at elf.c:1751
>>1751 if (elf_elfsections (abfd)[hdr->sh_link]->sh_type !=
>>SHT_STRTAB)
> find attached a small patch against mainline written by Tavis Ormandy
> <taviso@gentoo.org> to fix this case
Thanks for submitting this patch - I have applied it to the mainline
sources.
Cheers
Nick
* Re: BFD overflows (part 2)
From: Nick Clifton @ 2005-05-17 18:25 UTC (permalink / raw)
To: Mike Frysinger; +Cc: binutils
Hi Mike,
> strings.095:
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0,
> shindex=5784064, strindex=47) at elf.c:280
This was a nasty one - the file was stimulating an infinite loop inside
the code in elf.c between group_signature() and bfd_section_from_shdr().
Anyway I will be checking in the attached patch to catch and prevent
this occurring in the future.
Cheers
Nick
bfd/ChangeLog
2005-05-17 Nick Clifton <nickc@redhat.com>
* elf.c (group_signature): Check for a group section which is
actually a (corrupt) symbol table section in disguise and prevent
an infinite loop from occurring.
Index: bfd/elf.c
===================================================================
RCS file: /cvs/src/src/bfd/elf.c,v
retrieving revision 1.293
diff -c -3 -p -r1.293 elf.c
*** bfd/elf.c 17 May 2005 16:23:26 -0000 1.293
--- bfd/elf.c 17 May 2005 18:00:45 -0000
*************** group_signature (bfd *abfd, Elf_Internal
*** 451,458 ****
unsigned char esym[sizeof (Elf64_External_Sym)];
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
! /* First we need to ensure the symbol table is available. */
if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
--- 451,473 ----
unsigned char esym[sizeof (Elf64_External_Sym)];
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
+ unsigned int i;
+
+ if (ghdr == NULL)
+ return NULL;
+
+ /* If this section is linked to by other sections then it is a symbol or
+ string section which is masquerading as a group. This is a bad thing,
+ and if we carry on to the call to bfd_section_from_shdr below we will
+ enter an infinite loop. So check now and break out if we detect this
+ case. See:
+ http://sources.redhat.com/ml/binutils/2005-05/msg00421.html
+ for a report of a case that tirggers this code. */
+ for (i = elf_numsections (abfd); i--;)
+ if (elf_elfsections (abfd) [elf_elfsections (abfd) [i]->sh_link] == ghdr)
+ return NULL;
! /* Next we need to ensure the symbol table is available. */
if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
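Review bot: the new loop `if (elf_elfsections (abfd) [elf_elfsections (abfd) [i]->sh_link] == ghdr)` uses every section's sh_link as an index without first checking it against elf_numsections (abfd), and does not check that elf_elfsections (abfd) [i] is non-NULL, so an out-of-range sh_link of the kind the first patch in this thread guards in the SHT_DYNAMIC case would now fault inside this loop instead; add the range and NULL checks before indexing. Also, "tirggers" in the new comment is a typo for "triggers".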
* Re: BFD overflows (part 2)
From: H. J. Lu @ 2005-05-17 22:00 UTC (permalink / raw)
To: Nick Clifton; +Cc: Mike Frysinger, binutils
On Tue, May 17, 2005 at 07:08:11PM +0100, Nick Clifton wrote:
> Hi Mike,
>
> >strings.095:
> >Program received signal SIGSEGV, Segmentation fault.
> >0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0,
> > shindex=5784064, strindex=47) at elf.c:280
>
> This was a nasty one - the file was stimulating an infinite loop inside
> the code in elf.c between group_signature() and bfd_section_from_shdr().
> Anyway I will be checking in the attached patch to catch and prevent
> this occurring in the future.
>
I prefer this patch.
H.J.
---
2005-05-17 H.J. Lu <hongjiu.lu@intel.com>
* elf.c (group_signature): Check if the symbol table section is
correct.
--- bfd/elf.c.bad 2005-05-17 10:32:52.000000000 -0700
+++ bfd/elf.c 2005-05-17 14:27:10.000000000 -0700
@@ -452,8 +452,11 @@ group_signature (bfd *abfd, Elf_Internal
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
- /* First we need to ensure the symbol table is available. */
- if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
+ /* First we need to ensure the symbol table is available. Make sure
+ that it is a symbol table section. */
+ hdr = elf_elfsections (abfd) [ghdr->sh_link];
+ if (hdr->sh_type != SHT_SYMTAB
+ || ! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
/* Go read the symbol. */
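Review bot: `hdr = elf_elfsections (abfd) [ghdr->sh_link];` indexes the section array before anything checks `ghdr->sh_link` against elf_numsections (abfd), so a group header with an out-of-range sh_link reads past the array before the new `hdr->sh_type != SHT_SYMTAB` test can reject it; add `ghdr->sh_link >= elf_numsections (abfd)` (and a NULL check on the entry) ahead of the type comparison. The hunk also assigns to `hdr` without declaring it, so it relies on a local of group_signature that is not visible here; worth confirming that the "Go read the symbol" code below reassigns it before use.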
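The check that both the SHT_DYNAMIC patch earlier in this thread and H.J.'s group_signature patch are reaching for, written as a standalone validator. This is an added illustration, not code from the thread or from BFD; it runs on a constructed six-entry section table, and all function and constant names other than those from <elf.h> are my own. Note the bounds test uses `>=` so that index e_shnum itself is rejected, and the link target's type is verified before it is dereferenced.

```c
#include <elf.h>
#include <stddef.h>
#include <string.h>

/* Result codes for validate_sh_link(). */
enum { LINK_OK = 0, LINK_BAD_SECTION = -1, LINK_OUT_OF_RANGE = -2,
       LINK_SELF = -3, LINK_WRONG_TYPE = -4 };

/* Check section `idx` of a `shnum`-entry header table: sh_link must index
   inside the table (>= shnum is out of range: index shnum is one past the
   end), must not be the section itself, and must name a section of
   `expected_type` (SHT_STRTAB for SHT_DYNAMIC, SHT_SYMTAB for SHT_GROUP). */
int validate_sh_link(const Elf64_Shdr *shdrs, size_t shnum, size_t idx,
                     uint32_t expected_type)
{
    if (shdrs == NULL || idx >= shnum) return LINK_BAD_SECTION;
    uint32_t link = shdrs[idx].sh_link;
    if (link >= shnum) return LINK_OUT_OF_RANGE;   /* not '>': off by one */
    if (link == idx) return LINK_SELF;             /* would loop on itself */
    if (shdrs[link].sh_type != expected_type) return LINK_WRONG_TYPE;
    return LINK_OK;
}

/* Constructed six-entry section table (not taken from the reported files). */
#define SAMPLE_SHNUM 6
static Elf64_Shdr sample[SAMPLE_SHNUM];
const Elf64_Shdr *sample_table(void)
{
    memset(sample, 0, sizeof sample);                        /* [0]: null section */
    sample[1].sh_type = SHT_DYNAMIC; sample[1].sh_link = 2;  /* well-formed */
    sample[2].sh_type = SHT_STRTAB;                          /* .dynstr */
    sample[3].sh_type = SHT_DYNAMIC; sample[3].sh_link = 20; /* past the table */
    sample[4].sh_type = SHT_GROUP;   sample[4].sh_link = 2;  /* strtab, not symtab */
    sample[5].sh_type = SHT_GROUP;   sample[5].sh_link = 5;  /* links to itself */
    return sample;
}

/* Count sections whose sh_link a loader must refuse to dereference. */
int count_bad_links(const Elf64_Shdr *shdrs, size_t shnum)
{
    int bad = 0;
    for (size_t i = 0; i < shnum; i++) {
        uint32_t t = shdrs[i].sh_type;
        if (t != SHT_DYNAMIC && t != SHT_GROUP) continue;
        uint32_t want = (t == SHT_DYNAMIC) ? SHT_STRTAB : SHT_SYMTAB;
        if (validate_sh_link(shdrs, shnum, i, want) != LINK_OK) bad++;
    }
    return bad;
}
```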