This is the mail archive of the binutils-cvs@sourceware.org mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[binutils-gdb] PR22443, Global buffer overflow in _bfd_elf_get_symbol_version_string

From: Alan Modra <amodra at sourceware dot org>
To: bfd-cvs at sourceware dot org
Date: 18 Nov 2017 21:16:54 -0000
Subject: [binutils-gdb] PR22443, Global buffer overflow in _bfd_elf_get_symbol_version_string

https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4

commit 160b1a618ad94988410dc81fce9189fcda5b7ff4
Author: Alan Modra <amodra@gmail.com>
Date:   Sat Nov 18 23:18:22 2017 +1030

    PR22443, Global buffer overflow in _bfd_elf_get_symbol_version_string
    
    Symbols like *ABS* defined in bfd/section.c:global_syms are not
    elf_symbol_type.  They can appear on relocs and perhaps other places
    in an ELF bfd, so a number of places in nm.c and objdump.c are wrong
    to cast an asymbol based on the bfd being ELF.  I think we lose
    nothing by excluding all section symbols, not just the global_syms.
    
    	PR 22443
    	* nm.c (sort_symbols_by_size): Don't attempt to access
    	section symbol internal_elf_sym.
    	(print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
    	for section symbols.
    	* objdump.c (compare_symbols): Don't attempt to access
    	section symbol internal_elf_sym.
    	(objdump_print_symname): Don't call bfd_get_symbol_version_string
    	for section symbols.

Diff:
---
 binutils/ChangeLog | 12 ++++++++++++
 binutils/nm.c      | 17 ++++++++++-------
 binutils/objdump.c |  6 +++---
 3 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3c9973f..2f4c0d8 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,15 @@
+2017-11-18  Alan Modra  <amodra@gmail.com>
+
+	PR 22443
+	* nm.c (sort_symbols_by_size): Don't attempt to access
+	section symbol internal_elf_sym.
+	(print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
+	for section symbols.
+	* objdump.c (compare_symbols): Don't attempt to access
+	section symbol internal_elf_sym.
+	(objdump_print_symname): Don't call bfd_get_symbol_version_string
+	for section symbols.
+
 2017-11-17  Jim Wilson  <jimw@sifive.com>
 
 	* readelf.c (elf/riscv.h): Alphabetize include.
diff --git a/binutils/nm.c b/binutils/nm.c
index 5b421785..dd49f09 100644
--- a/binutils/nm.c
+++ b/binutils/nm.c
@@ -763,7 +763,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms,
       asection *sec;
       bfd_vma sz;
       asymbol *temp;
-      int synthetic = (sym->flags & BSF_SYNTHETIC);
 
       if (from + size < fromend)
 	{
@@ -780,10 +779,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms,
       sec = bfd_get_section (sym);
 
       /* Synthetic symbols don't have a full type set of data available, thus
-	 we can't rely on that information for the symbol size.  */
-      if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+	 we can't rely on that information for the symbol size.  Ditto for
+	 bfd/section.c:global_syms like *ABS*.  */
+      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+	  && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
 	sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
-      else if (!synthetic && bfd_is_com_section (sec))
+      else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+	       && bfd_is_com_section (sec))
 	sz = sym->value;
       else
 	{
@@ -872,8 +874,9 @@ print_symbol (bfd *        abfd,
 
   info.sinfo = &syminfo;
   info.ssize = ssize;
-  /* Synthetic symbols do not have a full symbol type set of data available.  */
-  if ((sym->flags & BSF_SYNTHETIC) != 0)
+  /* Synthetic symbols do not have a full symbol type set of data available.
+     Nor do bfd/section.c:global_syms like *ABS*.  */
+  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)
     {
       info.elfinfo = NULL;
       info.coffinfo = NULL;
@@ -891,7 +894,7 @@ print_symbol (bfd *        abfd,
       const char *  version_string = NULL;
       bfd_boolean   hidden = FALSE;
 
-      if ((sym->flags & BSF_SYNTHETIC) == 0)
+      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 	version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
 
       if (bfd_is_und_section (bfd_get_section (sym)))
diff --git a/binutils/objdump.c b/binutils/objdump.c
index 1a1e32f..40b4acf 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const void *bp)
       bfd_vma asz, bsz;
 
       asz = 0;
-      if ((a->flags & BSF_SYNTHETIC) == 0)
+      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 	asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
       bsz = 0;
-      if ((b->flags & BSF_SYNTHETIC) == 0)
+      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 	bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
       if (asz != bsz)
 	return asz > bsz ? -1 : 1;
@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct disassemble_info *inf,
 	name = alloc;
     }
 
-  if ((sym->flags & BSF_SYNTHETIC) == 0)
+  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
     version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
 
   if (bfd_is_und_section (bfd_get_section (sym)))

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]