This is the mail archive of the
binutils-cvs@sourceware.org
mailing list for the binutils project.
[binutils-gdb] fix out-of-bounds access in elf.c:find_link
- From: Alan Modra <amodra at sourceware dot org>
- To: bfd-cvs at sourceware dot org
- Date: 25 Jun 2017 05:00:00 -0000
- Subject: [binutils-gdb] fix out-of-bounds access in elf.c:find_link
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5cc4ca837deac7dc962d8a3741aa120c50ab41da
commit 5cc4ca837deac7dc962d8a3741aa120c50ab41da
Author: Sergei Trofimovich <slyfox@gentoo.org>
Date: Sat Jun 24 18:40:41 2017 +0100
fix out-of-bounds access in elf.c:find_link
The out-of-bounds access is reproducible on 'ia64-strip' command
(see sample from https://bugs.gentoo.org/show_bug.cgi?id=622500)
The output file contains less section than original one.
This tricks 'hint' access to go out-of-bounds:
* elf.c (find_link): Bounds check "hint".
Diff:
---
bfd/ChangeLog | 4 ++++
bfd/elf.c | 6 ++++--
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index f7ef5e1..945cb68 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,7 @@
+2017-06-25 Sergei Trofimovich <slyfox@gentoo.org>
+
+ * elf.c (find_link): Bounds check "hint".
+
2017-06-24 Thomas Preud'homme <thomas.preudhomme@arm.com>
* elf32-arm.c (using_thumb_only): Update list of architectures in
diff --git a/bfd/elf.c b/bfd/elf.c
index 5f37e7f..76c6a5c 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -1283,7 +1283,8 @@ section_match (const Elf_Internal_Shdr * a,
to be the correct section. */
static unsigned int
-find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned int hint)
+find_link (const bfd *obfd, const Elf_Internal_Shdr *iheader,
+ const unsigned int hint)
{
Elf_Internal_Shdr ** oheaders = elf_elfsections (obfd);
unsigned int i;
@@ -1291,7 +1292,8 @@ find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned i
BFD_ASSERT (iheader != NULL);
/* See PR 20922 for a reproducer of the NULL test. */
- if (oheaders[hint] != NULL
+ if (hint < elf_numsections (obfd)
+ && oheaders[hint] != NULL
&& section_match (oheaders[hint], iheader))
return hint;