This is the mail archive of the
binutils@sourceware.org
mailing list for the binutils project.
Invalid SHT_NOTE sections in input files
- From: Daniel Jacobowitz <drow at false dot org>
- To: binutils at sourceware dot org
- Date: Tue, 24 Jun 2008 17:32:53 -0400
- Subject: Invalid SHT_NOTE sections in input files
Since 2007-08-24 (build-id support), we parse note sections in any
file opened by BFD - including linker input. This shows up as an
intermittent segfault in ld-elf/orphan, because four ld tests create
invalid note sections (note-1, note-2, orphan, unknown).
This patch fixes the crash but adds four new failures as we detect the
corrupt input. Should we be more forgiving of invalid note sections?
--
Daniel Jacobowitz
CodeSourcery
2008-06-24 Daniel Jacobowitz <dan@codesourcery.com>
* elf.c (elf_parse_notes): Avoid out-of-bounds access.
Index: bfd/elf.c
===================================================================
RCS file: /cvs/src/src/bfd/elf.c,v
retrieving revision 1.448
diff -u -p -r1.448 elf.c
--- bfd/elf.c 4 Jun 2008 14:24:05 -0000 1.448
+++ bfd/elf.c 24 Jun 2008 21:28:17 -0000
@@ -8481,6 +8481,9 @@ elf_parse_notes (bfd *abfd, char *buf, s
Elf_External_Note *xnp = (Elf_External_Note *) p;
Elf_Internal_Note in;
+ if (p + sizeof (Elf_External_Note) > buf + size)
+ return FALSE;
+
in.type = H_GET_32 (abfd, xnp->type);
in.namesz = H_GET_32 (abfd, xnp->namesz);
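Review bot: the new bound at the top of the loop, `if (p + sizeof (Elf_External_Note) > buf + size)`, adds before it compares, so when fewer than a header's worth of bytes remain it forms a pointer beyond the end of the buffer. Comparing against the remaining length, in the subtraction style the second hunk uses, avoids that: `sizeof (Elf_External_Note) > (size_t) (buf + size - p)`. It is also worth confirming that `sizeof (Elf_External_Note)` equals the fixed header that is actually read here. If the struct carries a placeholder for the name, a trailing note with an empty name and descriptor would be rejected as corrupt. A one-line comment saying that the return value reports a truncated note header would help readers of the four new test failures.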
@@ -8527,6 +8530,9 @@ elf_parse_notes (bfd *abfd, char *buf, s
break;
}
+ if (BFD_ALIGN (in.descsz, 4) > (buf - in.descdata) + size)
+ return FALSE;
+
p = in.descdata + BFD_ALIGN (in.descsz, 4);
}
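Review bot: the descriptor bound `if (BFD_ALIGN (in.descsz, 4) > (buf - in.descdata) + size)` is placed after the block that ends in `break; }`, immediately before `p` is advanced, so any code in that block that uses `in.descdata` and `in.descsz` runs before the length has been validated. Moving the check up to the point where `in.descdata` is computed would cover those uses too. Neither hunk bounds `in.namesz`, so `in.descdata` may already lie past `buf + size`, making the right-hand side negative, and the result then depends on how the signed difference converts against the unsigned left-hand side. `BFD_ALIGN (in.descsz, 4)` can also wrap to a small value when `in.descsz` is close to the type's maximum. Checking `in.namesz` and the unaligned `in.descsz` against the remaining byte count before aligning would close both gaps.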