This patch closes a potential security hole in applications that use

the bfd library to parse binaries containing maliciously corrupt section
group headers.

	PR binutils/17510
	* elf.c (setup_group): Improve handling of corrupt group
	sections.

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 04b6d86..7ba4431 100644 (file)
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2014-10-27  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/17510
+       * elf.c (setup_group): Improve handling of corrupt group
+       sections.
+
 2014-10-24  Tejas Belagod  <tejas.belagod@arm.com>
 
        * bfd-in.h (bfd_elf64_aarch64_set_options): Add a parameter.

diff --git a/bfd/elf.c b/bfd/elf.c
index c884d1d..c8ac826 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
                  if (shdr->contents == NULL)
                    {
                      _bfd_error_handler
-                       (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+                       (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
                      bfd_set_error (bfd_error_bad_value);
-                     return FALSE;
+                     -- num_group;
+                     continue;
                    }
 
                  memset (shdr->contents, 0, amt);
@@ -618,8 +619,17 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
                  if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
                      || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
                          != shdr->sh_size))
-                   return FALSE;
-
+                   {
+                     _bfd_error_handler
+                       (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+                     bfd_set_error (bfd_error_bad_value);
+                     -- num_group;
+                     /* PR 17510: If the group contents are even partially
+                        corrupt, do not allow any of the contents to be used.  */
+                     memset (shdr->contents, 0, amt);
+                     continue;
+                   }
+                 
                  /* Translate raw contents, a flag word followed by an
                     array of elf section indices all in target byte order,
                     to the flag word followed by an array of elf section
@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
                    }
                }
            }
+
+         /* PR 17510: Corrupt binaries might contain invalid groups.  */
+         if (num_group != (unsigned) elf_tdata (abfd)->num_group)
+           {
+             elf_tdata (abfd)->num_group = num_group;
+
+             /* If all groups are invalid then fail.  */
+             if (num_group == 0)
+               {
+                 elf_tdata (abfd)->group_sect_ptr = NULL;
+                 elf_tdata (abfd)->num_group = num_group = -1;
+                 (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
+                 bfd_set_error (bfd_error_bad_value);
+               }
+           }
        }
     }
 
@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shdr *hdr, asection *newsect)
     {
       (*_bfd_error_handler) (_("%B: no group info for section %A"),
                             abfd, newsect);
+      return FALSE;
     }
   return TRUE;
 }