path: root/meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
From fbf1df9ca286de3323ae541973b08449f8d03aba Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Thu, 13 Feb 2025 14:59:34 +0100
Subject: [PATCH] strip: Verify symbol table is a real symbol table

We didn't check the symbol table referenced from the relocation table
was a real symbol table. This could cause a crash if that section
happened to be an SHT_NOBITS section without any data. Fix this by
adding an explicit check.

       * src/strip.c (INTERNAL_ERROR_MSG): New macro that takes a
       message string to display.
       (INTERNAL_ERROR): Use INTERNAL_ERROR_MSG with elf_errmsg (-1).
       (remove_debug_relocations): Check the sh_link referenced
       section is real and isn't a SHT_NOBITS section.

https://sourceware.org/bugzilla/show_bug.cgi?id=32673

CVE: CVE-2025-1377

Upstream-Status: Backport [https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba]

Signed-off-by: Mark Wielaard <mark@klomp.org>
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 src/strip.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/strip.c b/src/strip.c
index 403e0f6..2b5d057 100644
--- a/src/strip.c
+++ b/src/strip.c
@@ -126,13 +126,14 @@ static char *tmp_debug_fname = NULL;
 /* Close debug file descriptor, if opened. And remove temporary debug file.  */
 static void cleanup_debug (void);
 
-#define INTERNAL_ERROR(fname) \
+#define INTERNAL_ERROR_MSG(fname, msg) \
   do { \
     cleanup_debug (); \
     error_exit (0, _("%s: INTERNAL ERROR %d (%s): %s"),			\
-		fname, __LINE__, PACKAGE_VERSION, elf_errmsg (-1));	\
+		fname, __LINE__, PACKAGE_VERSION, msg);	\
   } while (0)
 
+#define INTERNAL_ERROR(fname) INTERNAL_ERROR_MSG(fname, elf_errmsg (-1))
 
 /* Name of the output file.  */
 static const char *output_fname;
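Review bot: The new INTERNAL_ERROR_MSG macro has no comment stating its contract, and it is now the base that INTERNAL_ERROR is built on. I would add above it `/* Remove the temporary debug file, then report MSG via error_exit.  MSG is printed through %s and is never used as a format string.  */`. Note that `msg` is expanded after `cleanup_debug ()`, so for INTERNAL_ERROR the `elf_errmsg (-1)` call still runs after cleanup, as it did before this change; if cleanup can ever alter the libelf error state, the reported reason could be misleading.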
@@ -631,7 +632,14 @@ remove_debug_relocations (Ebl *ebl, Elf *elf, GElf_Ehdr *ehdr,
 	     resolve relocation symbol indexes.  */
 	  Elf64_Word symt = shdr->sh_link;
 	  Elf_Data *symdata, *xndxdata;
-	  Elf_Scn * symscn = elf_getscn (elf, symt);
+	  Elf_Scn *symscn = elf_getscn (elf, symt);
+	  GElf_Shdr symshdr_mem;
+	  GElf_Shdr *symshdr = gelf_getshdr (symscn, &symshdr_mem);
+	  if (symshdr == NULL)
+	    INTERNAL_ERROR (fname);
+	  if (symshdr->sh_type == SHT_NOBITS)
+	    INTERNAL_ERROR_MSG (fname, "NOBITS section");
+
 	  symdata = elf_getdata (symscn, NULL);
 	  xndxdata = get_xndxdata (elf, symscn);
 	  if (symdata == NULL)
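Review bot: The added check rejects only SHT_NOBITS, so a relocation section whose sh_link names any other non-symbol section type still has its data passed to `elf_getdata` and is treated as a symbol table, which is narrower than the commit title's "real symbol table". If nothing in this path relies on other section types, a positive check would be more robust against malformed input: `if (symshdr->sh_type != SHT_SYMTAB && symshdr->sh_type != SHT_DYNSYM)`. The `"NOBITS section"` literal is also not wrapped in `_()` as the format string is. Since the condition is triggered by a malformed input file rather than a bug in strip, an invalid-input diagnostic would describe it better than INTERNAL ERROR. The body of remove_debug_relocations starts and continues outside this hunk, so later uses of `symdata` are not visible here.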
-- 
2.43.2