Date: Fri, 4 Sep 2020 19:32:25 +0930
From: Alan Modra To: binutils@sourceware.org Subject: PR26574, heap buffer overflow in _bfd_elf_slurp_secondary_reloc_section Message-ID: <20200904100225.GU15695@bubble.grove.modra.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.9.4 (2018-02-28) X-Spam-Status: No, score=-9.8 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: binutils@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Binutils mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Sep 2020 10:02:33 -0000 A horribly fuzzed object with section headers inside the ELF header. Disallow that, and crazy reloc sizes. PR 26574 * elfcode.h (elf_object_p): Sanity check section header offset. * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check sh_entsize. diff --git a/bfd/elf.c b/bfd/elf.c index ac2095f787..5a02f8dc30 100644 --- a/bfd/elf.c +++ b/bfd/elf.c @@ -12576,7 +12576,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd, Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; if (hdr->sh_type == SHT_SECONDARY_RELOC - && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx) + && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx + && (hdr->sh_entsize == ebd->s->sizeof_rel + || hdr->sh_entsize == ebd->s->sizeof_rela)) { bfd_byte * native_relocs; bfd_byte * native_reloc; diff --git a/bfd/elfcode.h b/bfd/elfcode.h index 2ed2f135c3..606ff64fd4 100644 --- a/bfd/elfcode.h +++ b/bfd/elfcode.h 
@@ -571,7 +571,7 @@ elf_object_p (bfd *abfd) /* If this is a relocatable file and there is no section header table, then we're hosed. */ - if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL) + if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL) goto got_wrong_format_error; /* As a simple sanity check, verify that what BFD thinks is the @@ -581,7 +581,7 @@ elf_object_p (bfd *abfd) goto got_wrong_format_error; /* Further sanity check. */ - if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0) + if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0) goto got_wrong_format_error; ebd = get_elf_backend_data (abfd); @@ -618,7 +618,7 @@ elf_object_p (bfd *abfd) && ebd->elf_osabi != ELFOSABI_NONE) goto got_wrong_format_error; - if (i_ehdrp->e_shoff != 0) + if (i_ehdrp->e_shoff >= sizeof (x_ehdr)) { file_ptr where = (file_ptr) i_ehdrp->e_shoff; @@ -819,7 +819,7 @@ elf_object_p (bfd *abfd) } } - if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0) + if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr)) { unsigned int num_sec; -- 2.17.1 -- Alan Modra Australia Development Lab, IBM
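Review bot: in the bfd/elf.c hunk the new `sh_entsize` test makes a secondary reloc section with an unexpected entry size silently invisible to the caller instead of being reported; since the message describes this as rejecting "crazy reloc sizes", consider pairing the skip with an `_bfd_error_handler` diagnostic naming the section, so a corrupt object can be told apart from one that simply carries no secondary relocs. Also confirm that `ebd` is already in scope at this point of `_bfd_elf_slurp_secondary_reloc_section`; its declaration is not in the visible context lines.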
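Review bot: the comment above the changed line in the `@@ -571` hunk still reads "there is no section header table", but the condition now also rejects an ET_REL file whose `e_shoff` points inside the ELF header; update the comment to match (e.g. "no section header table, or one that overlaps the ELF header").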
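Review bot: the `@@ -581` hunk keeps the `e_shnum != 0` guard, so a non-relocatable object with `0 < e_shoff < sizeof (x_ehdr)` and `e_shnum == 0` is still accepted and, through the later `e_shoff >= sizeof (x_ehdr)` tests, treated as having no section headers at all; if that is the intended behaviour it deserves a one-line comment here, since a reader may expect any in-header `e_shoff` to be rejected outright.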
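Review bot: `sizeof (x_ehdr)` is now compared against `e_shoff` at four separate sites (the `@@ -571`, `-581`, `-618` and `-819` hunks); computing a single `have_shdrs` boolean once after the header is read and testing it at all four would keep the threshold from drifting if one site is later edited on its own.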