Signed-off-by: Pamplemousse <xav.maso@gmail.com>launchpad/nixpkgs/master
Pamplemousse
3 years ago
parent
c0c22dd12d
commit
8748154972
@ -0,0 +1,77 @@ |
||||
From 8642dafaef21aa6747cec01df1977e9c52eb4679 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Modra <amodra@gmail.com>
|
||||
Date: Fri, 4 Sep 2020 19:19:18 +0930
|
||||
Subject: [PATCH] PR26574, heap buffer overflow in
|
||||
_bfd_elf_slurp_secondary_reloc_section
|
||||
|
||||
A horribly fuzzed object with section headers inside the ELF header.
|
||||
Disallow that, and crazy reloc sizes.
|
||||
|
||||
PR 26574
|
||||
* elfcode.h (elf_object_p): Sanity check section header offset.
|
||||
* elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
|
||||
sh_entsize.
|
||||
---
|
||||
bfd/elf.c | 4 +++-
|
||||
bfd/elfcode.h | 8 ++++----
|
||||
3 files changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/bfd/elf.c b/bfd/elf.c
|
||||
index ac2095f787d..5a02f8dc309 100644
|
||||
--- a/bfd/elf.c
|
||||
+++ b/bfd/elf.c
|
||||
@@ -12576,7 +12576,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
|
||||
Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
|
||||
|
||||
if (hdr->sh_type == SHT_SECONDARY_RELOC
|
||||
- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
|
||||
+ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
|
||||
+ && (hdr->sh_entsize == ebd->s->sizeof_rel
|
||||
+ || hdr->sh_entsize == ebd->s->sizeof_rela))
|
||||
{
|
||||
bfd_byte * native_relocs;
|
||||
bfd_byte * native_reloc;
|
||||
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
|
||||
index 2ed2f135c34..606ff64fd4d 100644
|
||||
--- a/bfd/elfcode.h
|
||||
+++ b/bfd/elfcode.h
|
||||
@@ -571,7 +571,7 @@ elf_object_p (bfd *abfd)
|
||||
|
||||
/* If this is a relocatable file and there is no section header
|
||||
table, then we're hosed. */
|
||||
- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
|
||||
+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
|
||||
goto got_wrong_format_error;
|
||||
|
||||
/* As a simple sanity check, verify that what BFD thinks is the
|
||||
@@ -581,7 +581,7 @@ elf_object_p (bfd *abfd)
|
||||
goto got_wrong_format_error;
|
||||
|
||||
/* Further sanity check. */
|
||||
- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
|
||||
+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
|
||||
goto got_wrong_format_error;
|
||||
|
||||
ebd = get_elf_backend_data (abfd);
|
||||
@@ -618,7 +618,7 @@ elf_object_p (bfd *abfd)
|
||||
&& ebd->elf_osabi != ELFOSABI_NONE)
|
||||
goto got_wrong_format_error;
|
||||
|
||||
- if (i_ehdrp->e_shoff != 0)
|
||||
+ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
|
||||
{
|
||||
file_ptr where = (file_ptr) i_ehdrp->e_shoff;
|
||||
|
||||
@@ -819,7 +819,7 @@ elf_object_p (bfd *abfd)
|
||||
}
|
||||
}
|
||||
|
||||
- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
|
||||
+ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
|
||||
{
|
||||
unsigned int num_sec;
|
||||
|
||||
--
|
||||
2.27.0
|
||||
|
||||
|
||||
Loading…
Reference in new issue