This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.
RFA: patch to bfd/elfcode.h for improving tolerance of bad ELF files
- To: binutils at sources dot redhat dot com
- Subject: RFA: patch to bfd/elfcode.h for improving tolerance of bad ELF files
- From: "Frank Ch. Eigler" <fche at redhat dot com>
- Date: Thu, 14 Jun 2001 15:32:01 -0400
Hi -
While playing with ELF files produced by buggy tools, I came across
a small bug in bfd/elfcode.h, fixed by the following patch. Briefly,
if a REL/RELA contains an invalid symbol index, it may be used without
range checking to construct pointers into the bfd symbols[] array.
That in turn can lead to a SEGV. The patch adds the range check.
May I commit?
- FChE
2001-06-14 Frank Ch. Eigler <fche@redhat.com>
* elfcode.h (elf_slurp_reloc_table_from_section): Detect corrupt
symbol index in relocation entry.
Index: elfcode.h
===================================================================
RCS file: /cvs/src/src/bfd/elfcode.h,v
retrieving revision 1.19
diff -u -1 -0 -r1.19 elfcode.h
--- elfcode.h 2001/05/23 08:23:27 1.19
+++ elfcode.h 2001/06/14 19:31:18
@@ -1307,20 +1307,27 @@
file, and absolute for an executable file or shared library.
The address of a normal BFD reloc is always section relative,
and the address of a dynamic reloc is absolute.. */
if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0 || dynamic)
relent->address = rela.r_offset;
else
relent->address = rela.r_offset - asect->vma;
if (ELF_R_SYM (rela.r_info) == 0)
relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
+ else if (ELF_R_SYM (rela.r_info) >= bfd_get_symcount (abfd))
+ {
+ (* _bfd_error_handler)
+ (_("warning: relocation %d corrupt: points to invalid symbol index %d"),
+ i, ELF_R_SYM (rela.r_info));
+ goto error_return;
+ }
else
{
asymbol **ps, *s;
ps = symbols + ELF_R_SYM (rela.r_info) - 1;
s = *ps;
/* Canonicalize ELF section symbols. FIXME: Why? */
if ((s->flags & BSF_SECTION_SYM) == 0)
relent->sym_ptr_ptr = ps;
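Review bot: the bound in the new `else if` looks off by one relative to the lookup it guards. The `else` branch below indexes with `ps = symbols + ELF_R_SYM (rela.r_info) - 1;`, so ELF symbol index N maps to `symbols[N - 1]` and the highest valid index is exactly `bfd_get_symcount (abfd)`; with `>= bfd_get_symcount (abfd)` a relocation against the last symbol is reported as corrupt and the whole table read aborts via `goto error_return`. The test should be `> bfd_get_symcount (abfd)` (index 0 is already taken by the preceding branch). Two smaller points: the surrounding code distinguishes `dynamic` relocs when computing `relent->address`, and if `symbols` is the dynamic symbol table in that case then `bfd_get_symcount (abfd)` counts the wrong table, so the bound should come from whichever table `symbols` was taken from; and the warning passes `ELF_R_SYM (rela.r_info)` to a `%d` conversion, which is only correct if that macro yields an `int`-sized value, otherwise cast it (for example to `long` and use `%ld`). Given that the stated goal is tolerance of bad files, consider also whether a single bad entry should abort the whole table or instead be mapped to the absolute-section symbol with `bfd_set_error` recorded, as the `== 0` branch does.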