From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Sat, 18 Nov 2017 23:18:22 +1030
Subject: [PATCH] PR22443, Global buffer overflow in
 _bfd_elf_get_symbol_version_string

Symbols like *ABS* defined in bfd/section.c:global_syms are not
elf_symbol_type.  They can appear on relocs and perhaps other places
in an ELF bfd, so a number of places in nm.c and objdump.c are wrong
to cast an asymbol based on the bfd being ELF.  I think we lose
nothing by excluding all section symbols, not just the global_syms.

	PR 22443
	* nm.c (sort_symbols_by_size): Don't attempt to access
	section symbol internal_elf_sym.
	(print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
	for section symbols.
	* objdump.c (compare_symbols): Don't attempt to access
	section symbol internal_elf_sym.
	(objdump_print_symname): Don't call bfd_get_symbol_version_string
	for section symbols.

Upstream-Status: Backport
Affects: <= 2.29.1
CVE:  CVE-2017-17125
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 binutils/ChangeLog | 12 ++++++++++++
 binutils/nm.c      | 17 ++++++++++-------
 binutils/objdump.c |  6 +++---
 3 files changed, 25 insertions(+), 10 deletions(-)

Index: git/binutils/nm.c
===================================================================
--- git.orig/binutils/nm.c
+++ git/binutils/nm.c
@@ -765,7 +765,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
       asection *sec;
       bfd_vma sz;
       asymbol *temp;
-      int synthetic = (sym->flags & BSF_SYNTHETIC);
 
       if (from + size < fromend)
 	{
@@ -782,10 +781,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boo
       sec = bfd_get_section (sym);
 
       /* Synthetic symbols don't have a full type set of data available, thus
-	 we can't rely on that information for the symbol size.  */
-      if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+	 we can't rely on that information for the symbol size.  Ditto for
+	 bfd/section.c:global_syms like *ABS*.  */
+      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+	  && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
 	sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
-      else if (!synthetic && bfd_is_com_section (sec))
+      else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+	       && bfd_is_com_section (sec))
 	sz = sym->value;
       else
 	{
@@ -874,8 +876,9 @@ print_symbol (bfd *        abfd,
 
   info.sinfo = &syminfo;
   info.ssize = ssize;
-  /* Synthetic symbols do not have a full symbol type set of data available.  */
-  if ((sym->flags & BSF_SYNTHETIC) != 0)
+  /* Synthetic symbols do not have a full symbol type set of data available.
+     Nor do bfd/section.c:global_syms like *ABS*.  */
+  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)
     {
       info.elfinfo = NULL;
       info.coffinfo = NULL;
@@ -893,7 +896,7 @@ print_symbol (bfd *        abfd,
       const char *  version_string = NULL;
       bfd_boolean   hidden = FALSE;
 
-      if ((sym->flags & BSF_SYNTHETIC) == 0)
+      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 	version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
 
       if (bfd_is_und_section (bfd_get_section (sym)))
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c
+++ git/binutils/objdump.c
@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const v
       bfd_vma asz, bsz;
 
       asz = 0;
-      if ((a->flags & BSF_SYNTHETIC) == 0)
+      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 	asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
       bsz = 0;
-      if ((b->flags & BSF_SYNTHETIC) == 0)
+      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
 	bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
       if (asz != bsz)
 	return asz > bsz ? -1 : 1;
@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct
 	name = alloc;
     }
 
-  if ((sym->flags & BSF_SYNTHETIC) == 0)
+  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
     version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
 
   if (bfd_is_und_section (bfd_get_section (sym)))
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,15 @@
+2017-11-18  Alan Modra  <amodra@gmail.com>
+
+       PR 22443
+       * nm.c (sort_symbols_by_size): Don't attempt to access
+       section symbol internal_elf_sym.
+       (print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
+       for section symbols.
+       * objdump.c (compare_symbols): Don't attempt to access
+       section symbol internal_elf_sym.
+       (objdump_print_symname): Don't call bfd_get_symbol_version_string
+       for section symbols.
+
 2017-11-29  Nick Clifton  <nickc@redhat.com>
 
        PR 22508