This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.



Re: Invalid SHT_NOTE sections in input files


On Tue, Jun 24, 2008 at 05:32:53PM -0400, Daniel Jacobowitz wrote:
> Since 2007-08-24 (build-id support), we parse note sections in any
> file opened by BFD - including linker input.  This shows up as an
> intermittent segfault in ld-elf/orphan, because four ld tests create
> invalid note sections (note-1, note-2, orphan, unknown).
> 
> This patch fixes the crash but adds four new failures as we detect the
> corrupt input.  Should we be more forgiving of invalid note sections?

Yes, I think we want the following.  I tweaked your patch a little so
that sizes like -1 wouldn't sneak through the test by being rounded
up to 0.  I'm going to be away for 10 days so won't commit this.  If
it passes your scrutiny, please commit.

	* elf.c (_bfd_elf_make_section_from_shdr): Ignore return from
	elf_parse_notes.  Use bfd_malloc_and_get_section.
	(elf_parse_notes): Validate note namesz and descsz.

Index: bfd/elf.c
===================================================================
RCS file: /cvs/src/src/bfd/elf.c,v
retrieving revision 1.450
diff -u -p -r1.450 elf.c
--- bfd/elf.c	30 Jun 2008 20:53:06 -0000	1.450
+++ bfd/elf.c	8 Jul 2008 11:05:16 -0000
@@ -928,20 +928,12 @@ _bfd_elf_make_section_from_shdr (bfd *ab
      PT_NOTEs from the core files are currently not parsed using BFD.  */
   if (hdr->sh_type == SHT_NOTE)
     {
-      char *contents;
+      bfd_byte *contents;
 
-      contents = bfd_malloc (hdr->sh_size);
-      if (!contents)
+      if (!bfd_malloc_and_get_section (abfd, newsect, &contents))
 	return FALSE;
 
-      if (!bfd_get_section_contents (abfd, hdr->bfd_section, contents, 0,
-				     hdr->sh_size)
-	  || !elf_parse_notes (abfd, contents, hdr->sh_size, -1))
-	{
-	  free (contents);
-	  return FALSE;
-	}
-      
+      elf_parse_notes (abfd, (char *) contents, hdr->sh_size, -1);
       free (contents);
     }
 
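Review bot: the FALSE return from `elf_parse_notes (abfd, (char *) contents, hdr->sh_size, -1);` is now dropped on the floor, so a note section that fails the new bounds checks is accepted with no trace other than the missing build-id. That is the leniency the cover note asks for, but a single _bfd_error_handler diagnostic when elf_parse_notes returns FALSE would keep corrupt input visible to the user without turning it back into a link failure; at minimum the discarded return deserves a comment saying it is ignored on purpose. The `(char *)` cast is needed only because elf_parse_notes still takes `char *buf` while bfd_malloc_and_get_section fills a `bfd_byte *`; changing that parameter to `bfd_byte *` would remove the cast.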
@@ -8481,14 +8473,21 @@ elf_parse_notes (bfd *abfd, char *buf, s
       Elf_External_Note *xnp = (Elf_External_Note *) p;
       Elf_Internal_Note in;
 
+      if (p + sizeof (Elf_External_Note) > buf + size)
+	return FALSE;
+
       in.type = H_GET_32 (abfd, xnp->type);
 
       in.namesz = H_GET_32 (abfd, xnp->namesz);
       in.namedata = xnp->name;
+      if (in.namesz > (buf - in.namedata) + size)
+	return FALSE;
 
       in.descsz = H_GET_32 (abfd, xnp->descsz);
       in.descdata = in.namedata + BFD_ALIGN (in.namesz, 4);
       in.descpos = offset + (in.descdata - buf);
+      if (in.descsz > (buf - in.descdata) + size)
+	return FALSE;
 
       switch (bfd_get_format (abfd))
         {
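Review bot: both new checks depend on unsigned wrap-around: `(buf - in.namedata) + size` is a negative ptrdiff_t added to the unsigned size, which only equals "bytes left after namedata" while namedata lies inside the buffer. The header check `p + sizeof (Elf_External_Note) > buf + size` guarantees that for namedata, but `in.descdata = in.namedata + BFD_ALIGN (in.namesz, 4)` can land up to 3 bytes past buf + size when namesz reaches exactly the end of the section; then `(buf - in.descdata) + size` wraps to a huge value and any descsz passes. Add an `in.descdata > buf + size` check (or compare the padded name length against the remaining size) before the descsz test. A comment that the raw in.namesz is compared deliberately, rather than BFD_ALIGN (in.namesz, 4), would also help, since a namesz of 0xffffffff rounds to 0 when the alignment is done in 32-bit arithmetic, which is the case the cover note refers to.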

-- 
Alan Modra
Australia Development Lab, IBM
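As an added illustration, not code from this patch or from BFD, the following stand-alone C program walks the contents of an ELF SHT_NOTE section with the kind of bounds checks the patch introduces. It assumes little-endian note words, the function names (count_valid_notes, note_align4, align4_u32, get_le32) are this example's own, and the sample buffers are constructed for it. It shows the two hazards discussed in the thread: a namesz of 0xffffffff rounding to 0 when aligned in 32-bit arithmetic, and a descriptor offset that would step past the end of the buffer when the name's alignment padding is missing.

```c
/* Added example, not code from the patch or from BFD: a stand-alone
   validating walk over the contents of an ELF SHT_NOTE section.  Each
   note is namesz, descsz, type (32-bit each), then name and desc, each
   padded to a 4-byte boundary.  Assumes little-endian note words; the
   sample buffers below are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Round V up to a multiple of 4 in size_t, so a 32-bit namesz of
   0xffffffff becomes 0x100000000 instead of wrapping. */
static size_t note_align4 (size_t v) { return (v + 3) & ~(size_t) 3; }

/* The same rounding done in 32-bit arithmetic: 0xffffffff + 3 wraps to
   2 and masking gives 0.  This is how an oversized namesz can sneak
   through a check that only looks at the rounded value. */
static uint32_t align4_u32 (uint32_t v) { return (v + 3) & ~(uint32_t) 3; }

static uint32_t get_le32 (const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
         | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Count the well-formed notes in BUF[0..SIZE); return -1 at the first
   malformed one.  Every length is checked against the bytes that really
   remain before the cursor moves, and padded lengths are clamped so the
   cursor can never pass the end of the buffer (the trailing padding of
   the last note is allowed to be absent).  Offsets are used instead of
   pointers so no out-of-bounds pointer is ever formed. */
static int count_valid_notes (const unsigned char *buf, size_t size)
{
  size_t pos = 0;
  int count = 0;

  while (pos < size)
    {
      size_t remaining = size - pos;
      if (remaining < 12)
        return -1;                        /* truncated note header */

      uint32_t namesz = get_le32 (buf + pos);
      uint32_t descsz = get_le32 (buf + pos + 4);
      /* type is at buf + pos + 8; it is not needed for validation. */
      pos += 12;
      remaining -= 12;

      if (namesz > remaining)             /* raw namesz, before padding */
        return -1;
      size_t name_padded = note_align4 (namesz);
      if (name_padded > remaining)
        name_padded = remaining;
      pos += name_padded;
      remaining -= name_padded;

      if (descsz > remaining)
        return -1;
      size_t desc_padded = note_align4 (descsz);
      if (desc_padded > remaining)
        desc_padded = remaining;
      pos += desc_padded;
      count++;
    }
  return count;
}

/* Constructed: one well-formed build-id style note, namesz 4, descsz 3,
   type 3 (NT_GNU_BUILD_ID), name "GNU\0", 3 desc bytes + 1 pad byte. */
static const unsigned char good_note[] = {
  4, 0, 0, 0,   3, 0, 0, 0,   3, 0, 0, 0,
  'G', 'N', 'U', 0,   0xaa, 0xbb, 0xcc, 0
};
/* Constructed: two copies of good_note back to back. */
static const unsigned char two_notes[] = {
  4, 0, 0, 0,   3, 0, 0, 0,   3, 0, 0, 0,
  'G', 'N', 'U', 0,   0xaa, 0xbb, 0xcc, 0,
  4, 0, 0, 0,   3, 0, 0, 0,   3, 0, 0, 0,
  'G', 'N', 'U', 0,   0xaa, 0xbb, 0xcc, 0
};
/* Constructed: namesz = 0xffffffff, the "-1" size from the thread. */
static const unsigned char bad_namesz[] = {
  0xff, 0xff, 0xff, 0xff,   0, 0, 0, 0,   0, 0, 0, 0,
  'G', 'N', 'U', 0
};
/* Constructed: descsz claims 100 bytes while only 4 remain. */
static const unsigned char bad_descsz[] = {
  4, 0, 0, 0,   100, 0, 0, 0,   3, 0, 0, 0,
  'G', 'N', 'U', 0,   1, 2, 3, 4
};
/* Constructed: same as good_note with the final pad byte omitted. */
static const unsigned char unpadded_tail[] = {
  4, 0, 0, 0,   3, 0, 0, 0,   3, 0, 0, 0,
  'G', 'N', 'U', 0,   0xaa, 0xbb, 0xcc
};

int main (void)
{
  printf ("good_note:     %d\n", count_valid_notes (good_note, sizeof good_note));
  printf ("two_notes:     %d\n", count_valid_notes (two_notes, sizeof two_notes));
  printf ("bad_namesz:    %d\n", count_valid_notes (bad_namesz, sizeof bad_namesz));
  printf ("bad_descsz:    %d\n", count_valid_notes (bad_descsz, sizeof bad_descsz));
  printf ("truncated:     %d\n", count_valid_notes (good_note, 8));
  printf ("unpadded_tail: %d\n", count_valid_notes (unpadded_tail, sizeof unpadded_tail));
  printf ("align4_u32 (0xffffffff) = %u\n", (unsigned) align4_u32 (0xffffffffu));
  return 0;
}
```

The parser compares the raw namesz and descsz against the remaining length before rounding, which is the point of Alan's tweak, and it clamps the padded lengths instead of trusting the alignment to stay inside the buffer, which covers the case where the last note's padding is not present in the section.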

