This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: BFD overflows (part 2)

From: Nick Clifton <nickc at redhat dot com>
To: Mike Frysinger <vapier at gentoo dot org>
Cc: binutils at sources dot redhat dot com
Date: Tue, 17 May 2005 19:08:11 +0100
Subject: Re: BFD overflows (part 2)
References: <200505120736.35805.vapier@gentoo.org>

Hi Mike,

strings.095: Program received signal SIGSEGV, Segmentation fault. 0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0, shindex=5784064, strindex=47) at elf.c:280

This was a nasty one - the file was stimulating an infinite loop inside the code in elf.c between group_signature() and bfd_section_from_shdr(). Anyway I will be checking in the attached patch to catch and prevent this occurring in the future.

Cheers
  Nick

bfd/ChangeLog
2005-05-17  Nick Clifton  <nickc@redhat.com>

	* elf.c (group_signature): Check for a group section which is
	actually a (corrupt) symbol table section in disguise and prevent
	an infinite loop from occurring.

Index: bfd/elf.c
===================================================================
RCS file: /cvs/src/src/bfd/elf.c,v
retrieving revision 1.293
diff -c -3 -p -r1.293 elf.c
*** bfd/elf.c	17 May 2005 16:23:26 -0000	1.293
--- bfd/elf.c	17 May 2005 18:00:45 -0000
*************** group_signature (bfd *abfd, Elf_Internal
*** 451,458 ****
    unsigned char esym[sizeof (Elf64_External_Sym)];
    Elf_External_Sym_Shndx eshndx;
    Elf_Internal_Sym isym;
  
!   /* First we need to ensure the symbol table is available.  */
    if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
      return NULL;
  
--- 451,473 ----
    unsigned char esym[sizeof (Elf64_External_Sym)];
    Elf_External_Sym_Shndx eshndx;
    Elf_Internal_Sym isym;
+   unsigned int i;
+ 
+   if (ghdr == NULL)
+     return NULL;
+ 
+   /* If this section is linked to by other sections then it is a symbol or
+      string section which is masquerading as a group.  This is a bad thing,
+      and if we carry on to the call to bfd_section_from_shdr below we will
+      enter an infinite loop.  So check now and break out if we detect this
+      case.  See:    
+      http://sources.redhat.com/ml/binutils/2005-05/msg00421.html
+      for a report of a case that tirggers this code.  */
+   for (i = elf_numsections (abfd); i--;)
+     if (elf_elfsections (abfd) [elf_elfsections (abfd) [i]->sh_link] == ghdr)
+       return NULL;
  
!   /* Next we need to ensure the symbol table is available.  */
    if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
      return NULL;

Follow-Ups:
- Re: BFD overflows (part 2)
  - From: H. J. Lu

References:
- BFD overflows (part 2)
  - From: Mike Frysinger

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]