Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 952477 Details for
Bug 1157276
CVE-2014-8485 binutils: lack of range checking leading to controlled write in _bfd_elf_setup_sections()
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
Fixes for buffer overruns etc in BFD library
binutils-2.24-corrupt-binaries.patch (text/plain), 32.17 KB, created by
Nick Clifton
on 2014-10-31 12:39:06 UTC
(
hide
)
Description:
Fixes for buffer overruns etc in BFD library
Filename:
MIME Type:
Creator:
Nick Clifton
Created:
2014-10-31 12:39:06 UTC
Size:
32.17 KB
patch
obsolete
>diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c >*** ../binutils-2.24.orig/bfd/elf.c 2014-10-31 11:50:20.132220820 +0000 >--- bfd/elf.c 2014-10-31 11:53:23.669281197 +0000 >*************** setup_group (bfd *abfd, Elf_Internal_Shd >*** 608,616 **** > if (shdr->contents == NULL) > { > _bfd_error_handler >! (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); > bfd_set_error (bfd_error_bad_value); >! return FALSE; > } > > memset (shdr->contents, 0, amt); >--- 608,617 ---- > if (shdr->contents == NULL) > { > _bfd_error_handler >! (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); > bfd_set_error (bfd_error_bad_value); >! -- num_group; >! continue; > } > > memset (shdr->contents, 0, amt); >*************** setup_group (bfd *abfd, Elf_Internal_Shd >*** 618,625 **** > if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 > || (bfd_bread (shdr->contents, shdr->sh_size, abfd) > != shdr->sh_size)) >! return FALSE; >! > /* Translate raw contents, a flag word followed by an > array of elf section indices all in target byte order, > to the flag word followed by an array of elf section >--- 619,635 ---- > if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 > || (bfd_bread (shdr->contents, shdr->sh_size, abfd) > != shdr->sh_size)) >! { >! _bfd_error_handler >! (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size); >! bfd_set_error (bfd_error_bad_value); >! -- num_group; >! /* PR 17510: If the group contents are even partially >! corrupt, do not allow any of the contents to be used. */ >! memset (shdr->contents, 0, amt); >! continue; >! } >! > /* Translate raw contents, a flag word followed by an > array of elf section indices all in target byte order, > to the flag word followed by an array of elf section >*************** setup_group (bfd *abfd, Elf_Internal_Shd >*** 651,656 **** >--- 661,681 ---- > } > } > } >+ >+ /* PR 17510: Corrupt binaries might contain invalid groups. */ >+ if (num_group != (unsigned) elf_tdata (abfd)->num_group) >+ { >+ elf_tdata (abfd)->num_group = num_group; >+ >+ /* If all groups are invalid then fail. */ >+ if (num_group == 0) >+ { >+ elf_tdata (abfd)->group_sect_ptr = NULL; >+ elf_tdata (abfd)->num_group = num_group = -1; >+ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd); >+ bfd_set_error (bfd_error_bad_value); >+ } >+ } > } > } > >*************** setup_group (bfd *abfd, Elf_Internal_Shd >*** 716,721 **** >--- 741,747 ---- > { > (*_bfd_error_handler) (_("%B: no group info for section %A"), > abfd, newsect); >+ return FALSE; > } > return TRUE; > } >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1556,1593 **** > Elf_Internal_Ehdr *ehdr; > const struct elf_backend_data *bed; > const char *name; > > if (shindex >= elf_numsections (abfd)) > return FALSE; > > hdr = elf_elfsections (abfd)[shindex]; > ehdr = elf_elfheader (abfd); > name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, > hdr->sh_name); > if (name == NULL) >! return FALSE; > > bed = get_elf_backend_data (abfd); > switch (hdr->sh_type) > { > case SHT_NULL: > /* Inactive section. Throw it away. */ >! return TRUE; > >! case SHT_PROGBITS: /* Normal section with contents. */ >! case SHT_NOBITS: /* .bss section. */ >! case SHT_HASH: /* .hash section. */ >! case SHT_NOTE: /* .note section. */ > case SHT_INIT_ARRAY: /* .init_array section. */ > case SHT_FINI_ARRAY: /* .fini_array section. */ > case SHT_PREINIT_ARRAY: /* .preinit_array section. */ > case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ > case SHT_GNU_HASH: /* .gnu.hash section. */ >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > > case SHT_DYNAMIC: /* Dynamic linking information. */ > if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) >! return FALSE; > if (hdr->sh_link > elf_numsections (abfd)) > { > /* PR 10478: Accept Solaris binaries with a sh_link >--- 1582,1655 ---- > Elf_Internal_Ehdr *ehdr; > const struct elf_backend_data *bed; > const char *name; >+ bfd_boolean ret = TRUE; >+ static bfd_boolean * sections_being_created = NULL; >+ static bfd * sections_being_created_abfd = NULL; >+ static unsigned int nesting = 0; > > if (shindex >= elf_numsections (abfd)) > return FALSE; > >+ if (++ nesting > 3) >+ { >+ /* PR17512: A corrupt ELF binary might contain a recursive group of >+ sections, each the string indicies pointing to the next in the >+ loop. Detect this here, by refusing to load a section that we are >+ already in the process of loading. We only trigger this test if >+ we have nested at least three sections deep as normal ELF binaries >+ can expect to recurse at least once. >+ >+ FIXME: It would be better if this array was attached to the bfd, >+ rather than being held in a static pointer. */ >+ >+ if (sections_being_created_abfd != abfd) >+ sections_being_created = NULL; >+ if (sections_being_created == NULL) >+ { >+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ >+ sections_being_created = (bfd_boolean *) >+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); >+ sections_being_created_abfd = abfd; >+ } >+ if (sections_being_created [shindex]) >+ { >+ (*_bfd_error_handler) >+ (_("%B: warning: loop in section dependencies detected"), abfd); >+ return FALSE; >+ } >+ sections_being_created [shindex] = TRUE; >+ } >+ > hdr = elf_elfsections (abfd)[shindex]; > ehdr = elf_elfheader (abfd); > name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, > hdr->sh_name); > if (name == NULL) >! goto fail; > > bed = get_elf_backend_data (abfd); > switch (hdr->sh_type) > { > case SHT_NULL: > /* Inactive section. Throw it away. */ >! goto success; > >! case SHT_PROGBITS: /* Normal section with contents. */ >! case SHT_NOBITS: /* .bss section. */ >! case SHT_HASH: /* .hash section. */ >! case SHT_NOTE: /* .note section. */ > case SHT_INIT_ARRAY: /* .init_array section. */ > case SHT_FINI_ARRAY: /* .fini_array section. */ > case SHT_PREINIT_ARRAY: /* .preinit_array section. */ > case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ > case SHT_GNU_HASH: /* .gnu.hash section. */ >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; > > case SHT_DYNAMIC: /* Dynamic linking information. */ > if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) >! goto fail; >! > if (hdr->sh_link > elf_numsections (abfd)) > { > /* PR 10478: Accept Solaris binaries with a sh_link >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1601,1611 **** > break; > /* Otherwise fall through. */ > default: >! return FALSE; > } > } > else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) >! return FALSE; > else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) > { > Elf_Internal_Shdr *dynsymhdr; >--- 1663,1673 ---- > break; > /* Otherwise fall through. */ > default: >! goto fail; > } > } > else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) >! goto fail; > else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) > { > Elf_Internal_Shdr *dynsymhdr; >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1634,1657 **** > } > } > } >! break; > >! case SHT_SYMTAB: /* A symbol table */ > if (elf_onesymtab (abfd) == shindex) >! return TRUE; > > if (hdr->sh_entsize != bed->s->sizeof_sym) >! return FALSE; > if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) > { > if (hdr->sh_size != 0) >! return FALSE; > /* Some assemblers erroneously set sh_info to one with a > zero sh_size. ld sees this as a global symbol count > of (unsigned) -1. Fix it here. */ > hdr->sh_info = 0; >! return TRUE; > } > BFD_ASSERT (elf_onesymtab (abfd) == 0); > elf_onesymtab (abfd) = shindex; > elf_tdata (abfd)->symtab_hdr = *hdr; >--- 1696,1721 ---- > } > } > } >! goto success; > >! case SHT_SYMTAB: /* A symbol table. */ > if (elf_onesymtab (abfd) == shindex) >! goto success; > > if (hdr->sh_entsize != bed->s->sizeof_sym) >! goto fail; >! > if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) > { > if (hdr->sh_size != 0) >! goto fail; > /* Some assemblers erroneously set sh_info to one with a > zero sh_size. ld sees this as a global symbol count > of (unsigned) -1. Fix it here. */ > hdr->sh_info = 0; >! goto success; > } >+ > BFD_ASSERT (elf_onesymtab (abfd) == 0); > elf_onesymtab (abfd) = shindex; > elf_tdata (abfd)->symtab_hdr = *hdr; >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1668,1674 **** > && (abfd->flags & DYNAMIC) != 0 > && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, > shindex)) >! return FALSE; > > /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we > can't read symbols without that section loaded as well. It >--- 1732,1738 ---- > && (abfd->flags & DYNAMIC) != 0 > && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, > shindex)) >! goto fail; > > /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we > can't read symbols without that section loaded as well. It >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1694,1719 **** > break; > } > if (i != shindex) >! return bfd_section_from_shdr (abfd, i); > } >! return TRUE; > >! case SHT_DYNSYM: /* A dynamic symbol table */ > if (elf_dynsymtab (abfd) == shindex) >! return TRUE; > > if (hdr->sh_entsize != bed->s->sizeof_sym) >! return FALSE; > if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) > { > if (hdr->sh_size != 0) >! return FALSE; > /* Some linkers erroneously set sh_info to one with a > zero sh_size. ld sees this as a global symbol count > of (unsigned) -1. Fix it here. */ > hdr->sh_info = 0; >! return TRUE; > } > BFD_ASSERT (elf_dynsymtab (abfd) == 0); > elf_dynsymtab (abfd) = shindex; > elf_tdata (abfd)->dynsymtab_hdr = *hdr; >--- 1758,1786 ---- > break; > } > if (i != shindex) >! ret = bfd_section_from_shdr (abfd, i); > } >! goto success; > >! case SHT_DYNSYM: /* A dynamic symbol table. */ > if (elf_dynsymtab (abfd) == shindex) >! goto success; > > if (hdr->sh_entsize != bed->s->sizeof_sym) >! goto fail; >! > if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) > { > if (hdr->sh_size != 0) >! goto fail; >! > /* Some linkers erroneously set sh_info to one with a > zero sh_size. ld sees this as a global symbol count > of (unsigned) -1. Fix it here. */ > hdr->sh_info = 0; >! goto success; > } >+ > BFD_ASSERT (elf_dynsymtab (abfd) == 0); > elf_dynsymtab (abfd) = shindex; > elf_tdata (abfd)->dynsymtab_hdr = *hdr; >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1722,1755 **** > > /* Besides being a symbol table, we also treat this as a regular > section, so that objcopy can handle it. */ >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > >! case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */ > if (elf_symtab_shndx (abfd) == shindex) >! return TRUE; > > BFD_ASSERT (elf_symtab_shndx (abfd) == 0); > elf_symtab_shndx (abfd) = shindex; > elf_tdata (abfd)->symtab_shndx_hdr = *hdr; > elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; >! return TRUE; > >! case SHT_STRTAB: /* A string table */ > if (hdr->bfd_section != NULL) >! return TRUE; > if (ehdr->e_shstrndx == shindex) > { > elf_tdata (abfd)->shstrtab_hdr = *hdr; > elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; >! return TRUE; > } > if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) > { > symtab_strtab: > elf_tdata (abfd)->strtab_hdr = *hdr; > elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; >! return TRUE; > } > if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) > { > dynsymtab_strtab: >--- 1789,1826 ---- > > /* Besides being a symbol table, we also treat this as a regular > section, so that objcopy can handle it. */ >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; > >! case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */ > if (elf_symtab_shndx (abfd) == shindex) >! goto success; > > BFD_ASSERT (elf_symtab_shndx (abfd) == 0); > elf_symtab_shndx (abfd) = shindex; > elf_tdata (abfd)->symtab_shndx_hdr = *hdr; > elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; >! goto success; > >! case SHT_STRTAB: /* A string table. */ > if (hdr->bfd_section != NULL) >! goto success; >! > if (ehdr->e_shstrndx == shindex) > { > elf_tdata (abfd)->shstrtab_hdr = *hdr; > elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; >! goto success; > } >+ > if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) > { > symtab_strtab: > elf_tdata (abfd)->strtab_hdr = *hdr; > elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; >! goto success; > } >+ > if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) > { > dynsymtab_strtab: >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1758,1765 **** > elf_elfsections (abfd)[shindex] = hdr; > /* We also treat this as a regular section, so that objcopy > can handle it. */ >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); > } > > /* If the string table isn't one of the above, then treat it as a >--- 1829,1837 ---- > elf_elfsections (abfd)[shindex] = hdr; > /* We also treat this as a regular section, so that objcopy > can handle it. */ >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); >! goto success; > } > > /* If the string table isn't one of the above, then treat it as a >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1777,1785 **** > { > /* Prevent endless recursion on broken objects. */ > if (i == shindex) >! return FALSE; > if (! bfd_section_from_shdr (abfd, i)) >! return FALSE; > if (elf_onesymtab (abfd) == i) > goto symtab_strtab; > if (elf_dynsymtab (abfd) == i) >--- 1849,1857 ---- > { > /* Prevent endless recursion on broken objects. */ > if (i == shindex) >! goto fail; > if (! bfd_section_from_shdr (abfd, i)) >! goto fail; > if (elf_onesymtab (abfd) == i) > goto symtab_strtab; > if (elf_dynsymtab (abfd) == i) >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1787,1793 **** > } > } > } >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > > case SHT_REL: > case SHT_RELA: >--- 1859,1866 ---- > } > } > } >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; > > case SHT_REL: > case SHT_RELA: >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1802,1808 **** > if (hdr->sh_entsize > != (bfd_size_type) (hdr->sh_type == SHT_REL > ? bed->s->sizeof_rel : bed->s->sizeof_rela)) >! return FALSE; > > /* Check for a bogus link to avoid crashing. */ > if (hdr->sh_link >= num_sec) >--- 1875,1881 ---- > if (hdr->sh_entsize > != (bfd_size_type) (hdr->sh_type == SHT_REL > ? bed->s->sizeof_rel : bed->s->sizeof_rela)) >! goto fail; > > /* Check for a bogus link to avoid crashing. */ > if (hdr->sh_link >= num_sec) >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1810,1817 **** > ((*_bfd_error_handler) > (_("%B: invalid link %lu for reloc section %s (index %u)"), > abfd, hdr->sh_link, name, shindex)); >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); > } > > /* For some incomprehensible reason Oracle distributes >--- 1883,1891 ---- > ((*_bfd_error_handler) > (_("%B: invalid link %lu for reloc section %s (index %u)"), > abfd, hdr->sh_link, name, shindex)); >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); >! goto success; > } > > /* For some incomprehensible reason Oracle distributes >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1852,1858 **** > if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB > || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) > && ! bfd_section_from_shdr (abfd, hdr->sh_link)) >! return FALSE; > > /* If this reloc section does not use the main symbol table we > don't treat it as a reloc section. BFD can't adequately >--- 1926,1932 ---- > if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB > || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) > && ! bfd_section_from_shdr (abfd, hdr->sh_link)) >! goto fail; > > /* If this reloc section does not use the main symbol table we > don't treat it as a reloc section. BFD can't adequately >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1867,1880 **** > || hdr->sh_info >= num_sec > || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL > || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); > > if (! bfd_section_from_shdr (abfd, hdr->sh_info)) >! return FALSE; > target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); > if (target_sect == NULL) >! return FALSE; > > esdt = elf_section_data (target_sect); > if (hdr->sh_type == SHT_RELA) >--- 1941,1958 ---- > || hdr->sh_info >= num_sec > || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL > || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) >! { >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); >! goto success; >! } > > if (! bfd_section_from_shdr (abfd, hdr->sh_info)) >! goto fail; >! > target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); > if (target_sect == NULL) >! goto fail; > > esdt = elf_section_data (target_sect); > if (hdr->sh_type == SHT_RELA) >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1886,1892 **** > amt = sizeof (*hdr2); > hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); > if (hdr2 == NULL) >! return FALSE; > *hdr2 = *hdr; > *p_hdr = hdr2; > elf_elfsections (abfd)[shindex] = hdr2; >--- 1964,1970 ---- > amt = sizeof (*hdr2); > hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); > if (hdr2 == NULL) >! goto fail; > *hdr2 = *hdr; > *p_hdr = hdr2; > elf_elfsections (abfd)[shindex] = hdr2; >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1902,1935 **** > target_sect->use_rela_p = 1; > } > abfd->flags |= HAS_RELOC; >! return TRUE; > } > > case SHT_GNU_verdef: > elf_dynverdef (abfd) = shindex; > elf_tdata (abfd)->dynverdef_hdr = *hdr; >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > > case SHT_GNU_versym: > if (hdr->sh_entsize != sizeof (Elf_External_Versym)) >! return FALSE; > elf_dynversym (abfd) = shindex; > elf_tdata (abfd)->dynversym_hdr = *hdr; >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > > case SHT_GNU_verneed: > elf_dynverref (abfd) = shindex; > elf_tdata (abfd)->dynverref_hdr = *hdr; >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > > case SHT_SHLIB: >! return TRUE; > > case SHT_GROUP: > if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) >! return FALSE; > if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) >! return FALSE; > if (hdr->contents != NULL) > { > Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; >--- 1980,2019 ---- > target_sect->use_rela_p = 1; > } > abfd->flags |= HAS_RELOC; >! goto success; > } > > case SHT_GNU_verdef: > elf_dynverdef (abfd) = shindex; > elf_tdata (abfd)->dynverdef_hdr = *hdr; >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; > > case SHT_GNU_versym: > if (hdr->sh_entsize != sizeof (Elf_External_Versym)) >! goto fail; >! > elf_dynversym (abfd) = shindex; > elf_tdata (abfd)->dynversym_hdr = *hdr; >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; > > case SHT_GNU_verneed: > elf_dynverref (abfd) = shindex; > elf_tdata (abfd)->dynverref_hdr = *hdr; >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; > > case SHT_SHLIB: >! goto success; > > case SHT_GROUP: > if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) >! goto fail; >! > if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) >! goto fail; >! > if (hdr->contents != NULL) > { > Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1955,1961 **** > } > } > } >! break; > > default: > /* Possibly an attributes section. */ >--- 2039,2045 ---- > } > } > } >! goto success; > > default: > /* Possibly an attributes section. */ >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1963,1976 **** > || hdr->sh_type == bed->obj_attrs_section_type) > { > if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) >! return FALSE; > _bfd_elf_parse_attributes (abfd, hdr); >! return TRUE; > } > > /* Check for any processor-specific section types. */ > if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) >! return TRUE; > > if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) > { >--- 2047,2060 ---- > || hdr->sh_type == bed->obj_attrs_section_type) > { > if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) >! goto fail; > _bfd_elf_parse_attributes (abfd, hdr); >! goto success; > } > > /* Check for any processor-specific section types. */ > if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) >! goto success; > > if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) > { >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 1982,1990 **** > "specific section `%s' [0x%8x]"), > abfd, name, hdr->sh_type); > else >! /* Allow sections reserved for applications. */ >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); > } > else if (hdr->sh_type >= SHT_LOPROC > && hdr->sh_type <= SHT_HIPROC) >--- 2066,2077 ---- > "specific section `%s' [0x%8x]"), > abfd, name, hdr->sh_type); > else >! { >! /* Allow sections reserved for applications. */ >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, >! shindex); >! goto success; >! } > } > else if (hdr->sh_type >= SHT_LOPROC > && hdr->sh_type <= SHT_HIPROC) >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 2005,2012 **** > "`%s' [0x%8x]"), > abfd, name, hdr->sh_type); > else >! /* Otherwise it should be processed. */ >! return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); > } > else > /* FIXME: We should handle this section. */ >--- 2092,2102 ---- > "`%s' [0x%8x]"), > abfd, name, hdr->sh_type); > else >! { >! /* Otherwise it should be processed. */ >! ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); >! goto success; >! } > } > else > /* FIXME: We should handle this section. */ >*************** bfd_section_from_shdr (bfd *abfd, unsign >*** 2014,2023 **** > (_("%B: don't know how to handle section `%s' [0x%8x]"), > abfd, name, hdr->sh_type); > >! return FALSE; > } > >! return TRUE; > } > > /* Return the local symbol specified by ABFD, R_SYMNDX. */ >--- 2104,2123 ---- > (_("%B: don't know how to handle section `%s' [0x%8x]"), > abfd, name, hdr->sh_type); > >! goto fail; > } > >! fail: >! ret = FALSE; >! success: >! if (sections_being_created && sections_being_created_abfd == abfd) >! sections_being_created [shindex] = FALSE; >! if (-- nesting == 0) >! { >! sections_being_created = NULL; >! sections_being_created_abfd = abfd; >! } >! return ret; > } > > /* Return the local symbol specified by ABFD, R_SYMNDX. */ >*************** elfcore_write_lwpstatus (bfd *abfd, >*** 9296,9302 **** > lwpstat.pr_lwpid = pid >> 16; > lwpstat.pr_cursig = cursig; > #if defined (HAVE_LWPSTATUS_T_PR_REG) >! memcpy (lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg)); > #elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT) > #if !defined(gregs) > memcpy (lwpstat.pr_context.uc_mcontext.gregs, >--- 9396,9402 ---- > lwpstat.pr_lwpid = pid >> 16; > lwpstat.pr_cursig = cursig; > #if defined (HAVE_LWPSTATUS_T_PR_REG) >! memcpy (&lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg)); > #elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT) > #if !defined(gregs) > memcpy (lwpstat.pr_context.uc_mcontext.gregs, >diff -cpr ../binutils-2.24.orig/bfd/ihex.c bfd/ihex.c >*** ../binutils-2.24.orig/bfd/ihex.c 2014-10-31 11:50:20.143220890 +0000 >--- bfd/ihex.c 2014-10-31 11:51:45.746721162 +0000 >*************** ihex_scan (bfd *abfd) >*** 322,328 **** > { > if (! ISHEX (buf[i])) > { >! ihex_bad_byte (abfd, lineno, hdr[i], error); > goto error_return; > } > } >--- 322,328 ---- > { > if (! ISHEX (buf[i])) > { >! ihex_bad_byte (abfd, lineno, buf[i], error); > goto error_return; > } > } >diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c >*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-31 11:50:20.149220928 +0000 >--- bfd/peXXigen.c 2014-10-31 11:51:00.397462266 +0000 >*************** _bfd_XXi_swap_aouthdr_in (bfd * abfd, >*** 460,465 **** >--- 460,476 ---- > { > int idx; > >+ /* PR 17512: Corrupt PE binaries can cause seg-faults. */ >+ if (a->NumberOfRvaAndSizes > 16) >+ { >+ (*_bfd_error_handler) >+ (_("%B: aout header specifies an invalid number of data-directory entries: %d"), >+ abfd, a->NumberOfRvaAndSizes); >+ /* Paranoia: If the number is corrupt, then assume that the >+ actual entries themselves might be corrupt as well. */ >+ a->NumberOfRvaAndSizes = 0; >+ } >+ > for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) > { > /* If data directory is empty, rva also should be 0. */ >*************** pe_print_edata (bfd * abfd, void * vfile >*** 1364,1370 **** > bfd_size_type datasize = 0; > bfd_size_type dataoff; > bfd_size_type i; >! bfd_signed_vma adj; > struct EDT_type > { > long export_flags; /* Reserved - should be zero. */ >--- 1375,1381 ---- > bfd_size_type datasize = 0; > bfd_size_type dataoff; > bfd_size_type i; >! bfd_vma adj; > struct EDT_type > { > long export_flags; /* Reserved - should be zero. */ >*************** pe_print_edata (bfd * abfd, void * vfile >*** 1414,1419 **** >--- 1425,1437 ---- > _("\nThere is an export table, but the section containing it could not be found\n")); > return TRUE; > } >+ else if (!(section->flags & SEC_HAS_CONTENTS)) >+ { >+ fprintf (file, >+ _("\nThere is an export table in %s, but that section has no contents\n"), >+ section->name); >+ return TRUE; >+ } > > dataoff = addr - section->vma; > datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; >*************** pe_print_edata (bfd * abfd, void * vfile >*** 1426,1431 **** >--- 1444,1458 ---- > } > } > >+ /* PR 17512: Handle corrupt PE binaries. */ >+ if (datasize < 36) >+ { >+ fprintf (file, >+ _("\nThere is an export table in %s, but it is too small (%d)\n"), >+ section->name, (int) datasize); >+ return TRUE; >+ } >+ > fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), > section->name, (unsigned long) addr); > >*************** pe_print_edata (bfd * abfd, void * vfile >*** 1469,1476 **** > fprintf (file, > _("Name \t\t\t\t")); > bfd_fprintf_vma (abfd, file, edt.name); >! fprintf (file, >! " %s\n", data + edt.name - adj); > > fprintf (file, > _("Ordinal Base \t\t\t%ld\n"), edt.base); >--- 1496,1506 ---- > fprintf (file, > _("Name \t\t\t\t")); > bfd_fprintf_vma (abfd, file, edt.name); >! >! if ((edt.name >= adj) && (edt.name < adj + datasize)) >! fprintf (file, " %s\n", data + edt.name - adj); >! else >! fprintf (file, "(outside .edata section)\n"); > > fprintf (file, > _("Ordinal Base \t\t\t%ld\n"), edt.base); >*************** pe_print_edata (bfd * abfd, void * vfile >*** 1516,1522 **** > _("\nExport Address Table -- Ordinal Base %ld\n"), > edt.base); > >! for (i = 0; i < edt.num_functions; ++i) > { > bfd_vma eat_member = bfd_get_32 (abfd, > data + edt.eat_addr + (i * 4) - adj); >--- 1546,1557 ---- > _("\nExport Address Table -- Ordinal Base %ld\n"), > edt.base); > >! /* PR 17512: Handle corrupt PE binaries. */ >! if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) >! fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), >! (long) edt.eat_addr, >! (long) edt.num_functions); >! else for (i = 0; i < edt.num_functions; ++i) > { > bfd_vma eat_member = bfd_get_32 (abfd, > data + edt.eat_addr + (i * 4) - adj); >*************** pe_print_edata (bfd * abfd, void * vfile >*** 1552,1558 **** > fprintf (file, > _("\n[Ordinal/Name Pointer] Table\n")); > >! for (i = 0; i < edt.num_names; ++i) > { > bfd_vma name_ptr = bfd_get_32 (abfd, > data + >--- 1587,1602 ---- > fprintf (file, > _("\n[Ordinal/Name Pointer] Table\n")); > >! /* PR 17512: Handle corrupt PE binaries. */ >! if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) >! fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), >! (long) edt.npt_addr, >! (long) edt.num_names); >! else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) >! fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), >! (long) edt.ot_addr, >! (long) edt.num_names); >! else for (i = 0; i < edt.num_names; ++i) > { > bfd_vma name_ptr = bfd_get_32 (abfd, > data + >diff -cpr ../binutils-2.24.orig/bfd/srec.c bfd/srec.c >*** ../binutils-2.24.orig/bfd/srec.c 2014-10-31 11:50:20.144220896 +0000 >--- bfd/srec.c 2014-10-31 11:50:55.808436025 +0000 >*************** srec_bad_byte (bfd *abfd, >*** 248,254 **** > } > else > { >! char buf[10]; > > if (! ISPRINT (c)) > sprintf (buf, "\\%03o", (unsigned int) c); >--- 248,254 ---- > } > else > { >! char buf[40]; > > if (! ISPRINT (c)) > sprintf (buf, "\\%03o", (unsigned int) c); >*************** srec_scan (bfd *abfd) >*** 454,461 **** > case 'S': > { > file_ptr pos; >! char hdr[3]; >! unsigned int bytes; > bfd_vma address; > bfd_byte *data; > unsigned char check_sum; >--- 454,461 ---- > case 'S': > { > file_ptr pos; >! unsigned char hdr[3]; >! unsigned int bytes, min_bytes; > bfd_vma address; > bfd_byte *data; > unsigned char check_sum; >*************** srec_scan (bfd *abfd) >*** 478,483 **** >--- 478,496 ---- > } > > check_sum = bytes = HEX (hdr + 1); >+ min_bytes = 3; >+ if (hdr[0] == '2' || hdr[0] == '8') >+ min_bytes = 4; >+ else if (hdr[0] == '3' || hdr[0] == '7') >+ min_bytes = 5; >+ if (bytes < min_bytes) >+ { >+ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"), >+ abfd, lineno, bytes); >+ bfd_set_error (bfd_error_bad_value); >+ goto error_return; >+ } >+ > if (bytes * 2 > bufsize) > { > if (buf != NULL)
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=952477">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 1157276
: 952477 |
952478
|
1044338