blob: 3d036c4cf64855aea3e5ca3ff79ca15874c4a35a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 17 Feb 2017 15:59:45 +0000
Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary.
PR binutils/21156
* readelf.c (find_section_in_set): Test for invalid section
indicies.
CVE: CVE-2017-6969
Upstream-Status: Backport [master]
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
---
binutils/ChangeLog | 6 ++++++
binutils/readelf.c | 10 ++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index a70bdb7a7b..dbf8eb079e 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-02-17 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21156
+ * readelf.c (find_section_in_set): Test for invalid section
+ indicies.
+
2016-08-03 Tristan Gingold <gingold@adacore.com>
* configure: Regenerate.
diff --git a/binutils/readelf.c b/binutils/readelf.c
index d31558c3b4..7f7365dbc5 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set)
if (set != NULL)
{
while ((i = *set++) > 0)
- if (streq (SECTION_NAME (section_headers + i), name))
- return section_headers + i;
+ {
+ /* See PR 21156 for a reproducer. */
+ if (i >= elf_header.e_shnum)
+ continue; /* FIXME: Should we issue an error message ? */
+
+ if (streq (SECTION_NAME (section_headers + i), name))
+ return section_headers + i;
+ }
}
return find_section (name);
--
2.11.0
|
