| From 1d9a2696903fc59d6a936f4ab4e4407ef329d066 Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Fri, 17 Feb 2017 15:59:45 +0000 |
| Subject: Fix illegal memory accesses in readelf when parsing |
| a corrupt binary. |
| |
| PR binutils/21156 |
| * readelf.c (find_section_in_set): Test for invalid section |
| indicies. |
| |
| CVE: CVE-2017-6969 |
| Upstream-Status: Backport [master] |
| |
| Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> |
| --- |
| binutils/ChangeLog | 6 ++++++ |
| binutils/readelf.c | 10 ++++++++-- |
| 2 files changed, 14 insertions(+), 2 deletions(-) |
| |
| diff --git a/binutils/ChangeLog b/binutils/ChangeLog |
| index bd63c8a0d8..1d840b42f9 100644 |
| --- a/binutils/ChangeLog |
| +++ b/binutils/ChangeLog |
| @@ -1,3 +1,9 @@ |
| +2017-02-17 Nick Clifton <nickc@redhat.com> |
| + |
| + PR binutils/21156 |
| + * readelf.c (find_section_in_set): Test for invalid section |
| + indicies. |
| + |
| 2017-02-13 Nick Clifton <nickc@redhat.com> |
| |
| PR binutils/21139 |
| diff --git a/binutils/readelf.c b/binutils/readelf.c |
| index 7c158c6342..4960491c5c 100644 |
| --- a/binutils/readelf.c |
| +++ b/binutils/readelf.c |
| @@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set) |
| if (set != NULL) |
| { |
| while ((i = *set++) > 0) |
| - if (streq (SECTION_NAME (section_headers + i), name)) |
| - return section_headers + i; |
| + { |
| + /* See PR 21156 for a reproducer. */ |
| + if (i >= elf_header.e_shnum) |
| + continue; /* FIXME: Should we issue an error message ? */ |
| + |
| + if (streq (SECTION_NAME (section_headers + i), name)) |
| + return section_headers + i; |
| + } |
| } |
| |
| return find_section (name); |
| -- |
| 2.11.0 |
| |