libiberty: Check zero value shstrndx in simple-object-elf.c
diff mbox series

Message ID 20190712220409.1781-1-rkx1209dev@gmail.com
State New
Headers show
Series
  • libiberty: Check zero value shstrndx in simple-object-elf.c
Related show

Commit Message

Ren Kimura July 12, 2019, 10:04 p.m. UTC
This patch fixes a Bug 90924.
simple_object_elf functions don't load section table 0 of ELF file, which is not a useful.
However If e_shstrndx in ELF header points to a section table 0 (i.e. e_shstrndx == 0), a calculation of offset to string section table causes integer overflow at every line "(eor->shstrndx - 1)".
A result becomes negative value (unsigned int)-1 and cause memory corruption.

Signed-off-by: Ren Kimura <rkx1209dev@gmail.com>
---
 libiberty/simple-object-elf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Ian Lance Taylor July 12, 2019, 11 p.m. UTC | #1
On Fri, Jul 12, 2019 at 3:04 PM Ren Kimura <rkx1209dev@gmail.com> wrote:
>
> This patch fixes a Bug 90924.
> simple_object_elf functions don't load section table 0 of ELF file, which is not a useful.
> However If e_shstrndx in ELF header points to a section table 0 (i.e. e_shstrndx == 0), a calculation of offset to string section table causes integer overflow at every line "(eor->shstrndx - 1)".
> A result becomes negative value (unsigned int)-1 and cause memory corruption.
>
> Signed-off-by: Ren Kimura <rkx1209dev@gmail.com>
> ---
>  libiberty/simple-object-elf.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
> index 22c9ae7ed2d..33562e4eb18 100644
> --- a/libiberty/simple-object-elf.c
> +++ b/libiberty/simple-object-elf.c
> @@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
>        XDELETE (eor);
>        return NULL;
>      }
> -
> +
> +  if (!eor->shstrndx)
> +    {
> +      *errmsg = "invalid ELF shstrndx == 0";
> +      *err = 0;
> +      XDELETE (eor);
> +      return NULL;
> +    }
> +
>    return (void *) eor;
>  }


Please write that as

    if (eor->shstrndx == 0)

It's not a boolean value, so don't use a boolean negation.

This is OK with that change and a ChangeLog entry.

Thanks.

Ian

Patch
diff mbox series

diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
index 22c9ae7ed2d..33562e4eb18 100644
--- a/libiberty/simple-object-elf.c
+++ b/libiberty/simple-object-elf.c
@@ -548,7 +548,15 @@  simple_object_elf_match (unsigned char header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
       XDELETE (eor);
       return NULL;
     }
-
+  
+  if (!eor->shstrndx)
+    {
+      *errmsg = "invalid ELF shstrndx == 0";
+      *err = 0;
+      XDELETE (eor);
+      return NULL;
+    }
+  
   return (void *) eor;
 }