[v3] libiberty: Check zero value shstrndx in simple-object-elf.c

Message ID 20190712235916.28843-1-rkx1209dev@gmail.com
State New

Commit Message

Ren Kimura July 12, 2019, 11:59 p.m.
This patch fixes Bug 90924.
The simple_object_elf functions don't load section table 0 of an ELF file, which is not useful.
However, if e_shstrndx in the ELF header points to section table 0 (i.e. e_shstrndx == 0), the calculation of the offset to the string section table causes an integer overflow at every line "(eor->shstrndx - 1)".
The result becomes the negative value (unsigned int)-1 and causes memory corruption.

Signed-off-by: Ren Kimura <rkx1209dev@gmail.com>

---
 libiberty/ChangeLog           |  5 +++++
 libiberty/simple-object-elf.c | 10 +++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

-- 
2.19.1
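
The wraparound the commit message describes, as an added example that is not code from libiberty or from the patch author. The function names, the 64-byte header size and the sample values are assumptions made for illustration, and the upper-bound test against the section count goes beyond the patch, which checks only for zero.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define SHDR_SIZE 64u  /* sizeof(Elf64_Shdr); assumed 64-bit ELF for this sketch */

/* Byte offset of the string-table header inside a buffer that holds
   section headers 1..shnum-1 (header 0 is skipped, as the commit
   message describes).  Unchecked: mirrors the "(shstrndx - 1)" form.  */
static size_t
strtab_offset_unchecked (unsigned int shstrndx)
{
  return (size_t) (shstrndx - 1) * SHDR_SIZE;
}

/* Checked form: returns 0 and stores the offset, or -1 when the index
   cannot name a loaded header.  The upper bound against shnum is an
   addition of this example; the patch tests only for zero.  */
static int
strtab_offset_checked (unsigned int shstrndx, unsigned int shnum,
                       size_t *offset)
{
  if (shstrndx == 0 || shstrndx >= shnum)
    return -1;
  *offset = (size_t) (shstrndx - 1) * SHDR_SIZE;
  return 0;
}

int
main (void)
{
  /* Constructed header values: 5 section headers, so 4 are loaded.  */
  unsigned int shnum = 5;
  size_t loaded = (size_t) (shnum - 1) * SHDR_SIZE;
  unsigned int samples[] = { 0, 1, 4, 5 };

  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    {
      size_t off = 0;
      int rc = strtab_offset_checked (samples[i], shnum, &off);
      printf ("shstrndx=%u unchecked=%zu (buffer is %zu bytes) checked=%s\n",
              samples[i], strtab_offset_unchecked (samples[i]), loaded,
              rc == 0 ? "ok" : "rejected");
    }
  return 0;
}
```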

Comments

Ian Lance Taylor July 13, 2019, 12:58 a.m. | #1
On Fri, Jul 12, 2019 at 4:59 PM Ren Kimura <rkx1209dev@gmail.com> wrote:
>

> This patch fixes Bug 90924.

> The simple_object_elf functions don't load section table 0 of an ELF file, which is not useful.

> However, if e_shstrndx in the ELF header points to section table 0 (i.e. e_shstrndx == 0), the calculation of the offset to the string section table causes an integer overflow at every line "(eor->shstrndx - 1)".

> The result becomes the negative value (unsigned int)-1 and causes memory corruption.

>

> Signed-off-by: Ren Kimura <rkx1209dev@gmail.com>

> ---

>  libiberty/ChangeLog           |  5 +++++

>  libiberty/simple-object-elf.c | 10 +++++++++-

>  2 files changed, 14 insertions(+), 1 deletion(-)

>

> diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog

> index c3daf2ae8c8..ea2f3e6a982 100644

> --- a/libiberty/ChangeLog

> +++ b/libiberty/ChangeLog

> @@ -1,3 +1,8 @@

> +2019-07-12  Ren Kimura  <rkx1209dev@gmail.com>

> +

> +       * simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx.

> +       This fixes a Bug 90924.

> +

>  2019-05-31  Michael Forney  <mforney@mforney.org>

>

>         * cp-demangle.c: Don't define CP_DYNAMIC_ARRAYS if __STDC_NO_VLA__
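
Review bot: in the added entry, the bug reference "This fixes a Bug 90924." is a prose sentence appended to the file entry. ChangeLog entries conventionally carry the bug as a PR reference line of its own, placed between the date line and the "* simple-object-elf.c" entry, which keeps the description line to what changed in simple_object_elf_match.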

> diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c

> index 22c9ae7ed2d..9c561632bc5 100644

> --- a/libiberty/simple-object-elf.c

> +++ b/libiberty/simple-object-elf.c

> @@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],

>        XDELETE (eor);

>        return NULL;

>      }

> -

> +

> +  if (eor->shstrndx == 0)

> +    {

> +      *errmsg = "invalid ELF shstrndx == 0";

> +      *err = 0;

> +      XDELETE (eor);

> +      return NULL;

> +    }

> +

>    return (void *) eor;

>  }
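
Review bot: the error string "invalid ELF shstrndx == 0" in the new check describes as invalid a value the ELF format defines: an e_shstrndx of 0 is SHN_UNDEF, meaning the file has no section name string table. Rejecting it here is reasonable given that the commit message says later code computes "(eor->shstrndx - 1)", but a message along the lines of "ELF file has no section name string table" would tell the user what is actually wrong with the input. A one-line comment above the check naming the unsigned wraparound it prevents would also help.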



This is OK.

Thanks.

Ian

Patch

diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index c3daf2ae8c8..ea2f3e6a982 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,8 @@ 
+2019-07-12  Ren Kimura  <rkx1209dev@gmail.com>
+
+	* simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx.
+	This fixes a Bug 90924.
+
 2019-05-31  Michael Forney  <mforney@mforney.org>
 
 	* cp-demangle.c: Don't define CP_DYNAMIC_ARRAYS if __STDC_NO_VLA__
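Review bot: the added line "* simple-object-elf.c (simple_object_elf_match): Check zero value shstrndx." runs past 80 columns once the leading tab is counted; wrap it after "(simple_object_elf_match):" and continue on a tab-indented line. "Reject a zero shstrndx." would also state what the function now does more precisely than "Check zero value shstrndx.".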
diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
index 22c9ae7ed2d..9c561632bc5 100644
--- a/libiberty/simple-object-elf.c
+++ b/libiberty/simple-object-elf.c
@@ -548,7 +548,15 @@  simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
       XDELETE (eor);
       return NULL;
     }
-
+  
+  if (eor->shstrndx == 0)
+    {
+      *errmsg = "invalid ELF shstrndx == 0";
+      *err = 0;
+      XDELETE (eor);
+      return NULL;
+    }
+  
   return (void *) eor;
 }
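
Review bot: the new test "if (eor->shstrndx == 0)" guards only the zero case, while the commit message says the index is used as "(eor->shstrndx - 1)" in several places; this hunk does not show whether a value at or above the section count is rejected elsewhere, so that is worth confirming, or the upper bound could be added alongside this check. Separately, the two added blank lines are "+  " with trailing spaces where the removed line was empty; please drop the trailing whitespace.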