This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
[PATCH] bfd/elf.c: fix out-of-bounds access in find_link()
- From: Sergei Trofimovich <slyfox at gentoo dot org>
- To: binutils at sourceware dot org
- Cc: Sergei Trofimovich <slyfox at gentoo dot org>, Nick Clifton <nickc at redhat dot com>
- Date: Sat, 24 Jun 2017 18:40:41 +0100
- Subject: [PATCH] bfd/elf.c: fix out-of-bounds access in find_link()
- Authentication-results: sourceware.org; auth=none
The out-of-bounds access is reproducible with the 'ia64-strip' command
(see sample from https://bugs.gentoo.org/show_bug.cgi?id=622500)
The output file contains fewer sections than the original one.
This tricks the 'hint' access into going out-of-bounds:
==17093==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000598 ...
READ of size 8 at 0x61a000000598 thread T0
#0 0x7feeb6dd4333 in find_link binutils-gdb/bfd/elf.c:1295
#1 0x7feeb6dd48a1 in copy_special_section_fields binutils-gdb/bfd/elf.c:1379
#2 0x7feeb6dd5391 in _bfd_elf_copy_private_bfd_data binutils-gdb/bfd/elf.c:1501
#3 0x5623789a0952 in copy_object binutils-gdb/binutils/objcopy.c:2974
#4 0x5623789a25d4 in copy_file binutils-gdb/binutils/objcopy.c:3336
#5 0x5623789a6856 in strip_main binutils-gdb/binutils/objcopy.c:4261
#6 0x5623789ab0f9 in main binutils-gdb/binutils/objcopy.c:5368
#7 0x7feeb650f3f9 in __libc_start_main (/lib64/libc.so.6+0x39648203f9)
#8 0x562378996259 in _start (binutils-gdb/binutils/.libs/strip-new+0x16259)
The fix is simple: check hint against array size.
This makes gcc compile successfully on ia64.
Bug: https://bugs.gentoo.org/622500
Bug: https://sourceware.org/PR21669
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
CC: Nick Clifton <nickc@redhat.com>
---
bfd/elf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bfd/elf.c b/bfd/elf.c
index 5f37e7f79c..abb1499893 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -1291,7 +1291,8 @@ find_link (const bfd * obfd, const Elf_Internal_Shdr * iheader, const unsigned i
BFD_ASSERT (iheader != NULL);
/* See PR 20922 for a reproducer of the NULL test. */
- if (oheaders[hint] != NULL
+ if (hint < elf_numsections (obfd)
+ && oheaders[hint] != NULL
&& section_match (oheaders[hint], iheader))
return hint;
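Review bot: the new upper bound `hint < elf_numsections (obfd)` is only correct if `oheaders` is the output bfd's section table with exactly `elf_numsections (obfd)` entries; the declaration of `oheaders` is outside this hunk, so please confirm it is the obfd table (not the input's) before the check is relied on. The signature fragment shows `hint` as `unsigned`, so a single `<` comparison is sufficient and no lower bound is needed. It would also help to extend the existing comment (`/* See PR 20922 for a reproducer of the NULL test. */`) with a pointer to PR 21669 for the bounds test, so a later reader knows why both conditions are there.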
--
2.13.1
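The failure the commit message describes, modelled in C as an added example (this is not bfd's code: `sec_hdr`, `section_match`, `find_link_checked` and the two section tables are constructed stand-ins for `Elf_Internal_Shdr`, `section_match ()` and `elf_elfsections ()`/`elf_numsections ()`). A section-index hint taken from the input file is validated against the output file's section count before it is used as an index, and the lookup falls back to the linear scan when the hint is out of range.

```c
/* Added example (not bfd code): a simplified model of the find_link() lookup
 * from bfd/elf.c, showing why a section-index hint taken from the INPUT file
 * must be bounds-checked against the OUTPUT file's section count before it
 * is used as an index. All names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Elf_Internal_Shdr with just the fields this model compares. */
typedef struct {
    const char *name;
    unsigned    type;
    unsigned    flags;
} sec_hdr;

/* Stand-in for section_match(): same type, flags and name. */
static int section_match(const sec_hdr *o, const sec_hdr *i)
{
    return o->type == i->type && o->flags == i->flags
        && strcmp(o->name, i->name) == 0;
}

/* Find the output-table index of the section matching iheader.
 * 'hint' is the index that section had in the input file (its sh_link value
 * there). After strip the output table may be shorter, so the hint is only
 * trusted when it lies inside the output table, exactly what the patch's
 * added 'hint < elf_numsections (obfd)' test does. Because hint is unsigned,
 * one upper-bound comparison is sufficient.
 * Returns the output index, or 0 (SHN_UNDEF) if nothing matches. */
static unsigned find_link_checked(const sec_hdr *const *oheaders, unsigned num_out,
                                  const sec_hdr *iheader, unsigned hint)
{
    unsigned i;

    /* Fast path: use the hint, but only after validating it as an index. */
    if (hint < num_out
        && oheaders[hint] != NULL
        && section_match(oheaders[hint], iheader))
        return hint;

    /* Slow path: linear scan of the output table (index 0 is SHN_UNDEF). */
    for (i = 1; i < num_out; i++)
        if (oheaders[i] != NULL && section_match(oheaders[i], iheader))
            return i;

    return 0;
}

/* Constructed sample input table: seven sections, .strtab at index 5. */
static const sec_hdr in_null     = { "",            0, 0 };
static const sec_hdr in_text     = { ".text",       1, 6 };
static const sec_hdr in_data     = { ".data",       1, 3 };
static const sec_hdr in_debug    = { ".debug_info", 1, 0 };
static const sec_hdr in_symtab   = { ".symtab",     2, 0 };
static const sec_hdr in_strtab   = { ".strtab",     3, 0 };
static const sec_hdr in_shstrtab = { ".shstrtab",   3, 0 };

#define IN_COUNT 7u
static const sec_hdr *const in_headers[IN_COUNT] = {
    &in_null, &in_text, &in_data, &in_debug, &in_symtab, &in_strtab, &in_shstrtab
};

/* Constructed sample output table with .debug_info and .symtab dropped:
 * five entries, so the input index 5 is now one past the end. */
#define OUT_COUNT 5u
static const sec_hdr *const out_headers[OUT_COUNT] = {
    &in_null, &in_text, &in_data, &in_strtab, &in_shstrtab
};

int main(void)
{
    /* In the input, hint 5 is .strtab; indexing out_headers[5] without the
     * check would read past the end. The scan finds .strtab at index 3. */
    printf("input[5] = %s\n", in_headers[5]->name);
    printf("strtab: hint 5 -> %u\n",
           find_link_checked(out_headers, OUT_COUNT, &in_strtab, 5));
    /* A hint that is still valid is honoured directly. */
    printf("text:   hint 1 -> %u\n",
           find_link_checked(out_headers, OUT_COUNT, &in_text, 1));
    /* A section that no longer exists in the output yields SHN_UNDEF (0). */
    printf("debug:  hint 3 -> %u\n",
           find_link_checked(out_headers, OUT_COUNT, &in_debug, 3));
    return 0;
}
```

The boundary case (hint equal to the output section count) is the one that matters: `hint < num_out` rejects it, while a `<=` or a missing test would read one element past the table, which is the heap-buffer-overflow AddressSanitizer reported above.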