This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.
Re: BFD overflows (part 2)
- From: Nick Clifton <nickc at redhat dot com>
- To: Mike Frysinger <vapier at gentoo dot org>
- Cc: binutils at sources dot redhat dot com
- Date: Tue, 17 May 2005 19:08:11 +0100
- Subject: Re: BFD overflows (part 2)
- References: <200505120736.35805.vapier@gentoo.org>
Hi Mike,
strings.095:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000418678 in bfd_elf_string_from_elf_section (abfd=0x4643a0,
shindex=5784064, strindex=47) at elf.c:280
This was a nasty one - the file was stimulating an infinite loop inside
the code in elf.c between group_signature() and bfd_section_from_shdr().
Anyway, I will be checking in the attached patch to catch and prevent
this occurring in the future.
Cheers
Nick
bfd/ChangeLog
2005-05-17 Nick Clifton <nickc@redhat.com>
* elf.c (group_signature): Check for a group section which is
actually a (corrupt) symbol table section in disguise and prevent
an infinite loop from occurring.
Index: bfd/elf.c
===================================================================
RCS file: /cvs/src/src/bfd/elf.c,v
retrieving revision 1.293
diff -c -3 -p -r1.293 elf.c
*** bfd/elf.c 17 May 2005 16:23:26 -0000 1.293
--- bfd/elf.c 17 May 2005 18:00:45 -0000
*************** group_signature (bfd *abfd, Elf_Internal
*** 451,458 ****
unsigned char esym[sizeof (Elf64_External_Sym)];
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
! /* First we need to ensure the symbol table is available. */
if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
--- 451,473 ----
unsigned char esym[sizeof (Elf64_External_Sym)];
Elf_External_Sym_Shndx eshndx;
Elf_Internal_Sym isym;
+ unsigned int i;
+
+ if (ghdr == NULL)
+ return NULL;
+
+ /* If this section is linked to by other sections then it is a symbol or
+ string section which is masquerading as a group. This is a bad thing,
+ and if we carry on to the call to bfd_section_from_shdr below we will
+ enter an infinite loop. So check now and break out if we detect this
+ case. See:
+ http://sources.redhat.com/ml/binutils/2005-05/msg00421.html
+ for a report of a case that tirggers this code. */
+ for (i = elf_numsections (abfd); i--;)
+ if (elf_elfsections (abfd) [elf_elfsections (abfd) [i]->sh_link] == ghdr)
+ return NULL;
! /* Next we need to ensure the symbol table is available. */
if (! bfd_section_from_shdr (abfd, ghdr->sh_link))
return NULL;
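Review bot: the new loop `for (i = elf_numsections (abfd); i--;)` uses each header's `sh_link` as an index into `elf_elfsections (abfd)` without first comparing it against `elf_numsections (abfd)`; nothing in this hunk guarantees the field is in range, so a header with a corrupt `sh_link` reads past the section array on exactly the kind of malformed input the patch is meant to survive, unless the section header sanity checks elsewhere in the object reader already reject it. Suggest guarding the comparison, e.g. `if (elf_elfsections (abfd) [i]->sh_link < elf_numsections (abfd) && elf_elfsections (abfd) [elf_elfsections (abfd) [i]->sh_link] == ghdr)`. Also, "tirggers" in the new comment should read "triggers".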
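As an added illustration (not part of the original message and not BFD code), the stand-alone C program below models the check this patch introduces on a constructed, in-memory section header table. Everything in it is hypothetical: the `shdr` struct keeps only the two header fields the check reads, the table has a string table relabelled as SHT_GROUP (so the symbol table's sh_link still points at it) plus a "group" whose sh_link is off the end of the table, and `make_section` stands in for the bfd_section_from_shdr() / group_signature() recursion described above, with a visited bitmap so that the unpatched behaviour reports a cycle instead of recursing forever. The one deliberate difference from the patch is that `sh_link` is range-checked before it is used as an array index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Section types, with the values elf.h assigns them.  */
#define SHT_PROGBITS 1
#define SHT_SYMTAB   2
#define SHT_STRTAB   3
#define SHT_RELA     4
#define SHT_REL      9
#define SHT_DYNSYM   11
#define SHT_GROUP    17

/* Hypothetical header: only the two fields the check looks at, not ELF's layout.  */
typedef struct
{
  uint32_t sh_type;
  uint32_t sh_link;
} shdr;

/* Constructed section table for the demonstration.  Section 5 is a string
   table that a corrupt header has relabelled SHT_GROUP while the symbol table
   (3) still names it in sh_link; section 6 is a "group" whose sh_link is
   outside the table.  */
enum { NUM_SECTIONS = 7 };

static const shdr shdrs[NUM_SECTIONS] = {
  [0] = { 0, 0 },                      /* SHN_UNDEF */
  [1] = { SHT_PROGBITS, 0 },           /* .text */
  [2] = { SHT_GROUP,    3 },           /* well-formed group -> symtab */
  [3] = { SHT_SYMTAB,   5 },           /* symtab -> its string table */
  [4] = { SHT_RELA,     3 },           /* relocs -> symtab */
  [5] = { SHT_GROUP,    3 },           /* corrupt: strtab in disguise */
  [6] = { SHT_GROUP,    0xdeadbeef },  /* corrupt: sh_link off the table */
};

/* The patch's loop: does any header's sh_link name `target`?  A genuine
   SHT_GROUP is never the sh_link target of another section, so a hit means
   this "group" is really a symbol or string table.  Unlike the patch, sh_link
   is range-checked before it is used, so section 6 cannot index past the
   table.  */
bool
section_is_link_target (const shdr *tab, size_t n, size_t target)
{
  for (size_t i = n; i-- > 0;)
    if (tab[i].sh_link < n && tab[i].sh_link == target)
      return true;
  return false;
}

typedef enum { SECT_OK, SECT_REJECTED, SECT_CYCLE } sect_status;

/* Model of the bfd_section_from_shdr() <-> group_signature() recursion:
   groups, symbol tables and reloc sections each need their sh_link section
   made first.  Every section follows a single sh_link, so reaching an index
   twice on one chain means the chain has looped; `visited` turns that into
   SECT_CYCLE instead of unbounded recursion.  `patched` selects whether the
   group check runs.  */
static sect_status
make_section (const shdr *tab, size_t n, size_t idx,
              unsigned char *visited, bool patched)
{
  if (idx >= n)
    return SECT_REJECTED;             /* sh_link points off the table */
  if (visited[idx])
    return SECT_CYCLE;
  visited[idx] = 1;

  switch (tab[idx].sh_type)
    {
    case SHT_GROUP:
      if (patched && section_is_link_target (tab, n, idx))
        return SECT_REJECTED;         /* group_signature() returns NULL */
      return make_section (tab, n, tab[idx].sh_link, visited, patched);
    case SHT_SYMTAB:
    case SHT_DYNSYM:
    case SHT_REL:
    case SHT_RELA:
      return make_section (tab, n, tab[idx].sh_link, visited, patched);
    default:
      return SECT_OK;
    }
}

/* Load one section of the constructed table from a clean start.  */
sect_status
load_section (size_t idx, bool patched)
{
  unsigned char visited[NUM_SECTIONS] = { 0 };
  return make_section (shdrs, NUM_SECTIONS, idx, visited, patched);
}

int
main (void)
{
  static const char *const names[] = { "ok", "rejected", "cycle" };
  for (size_t i = 1; i < NUM_SECTIONS; i++)
    printf ("section %zu: unpatched=%s patched=%s\n", i,
            names[load_section (i, false)], names[load_section (i, true)]);
  return 0;
}
```

Running it shows the two outcomes side by side: without the check, loading the good group (2), the symbol table (3), the relocs (4) or the disguised string table (5) all loop through 3 and 5; with it, the chain stops the moment the disguised section is reached, and section 6 is rejected without ever reading past the table.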