| From ad32986fdf9da1c8748e47b8b45100398223dba8 Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Tue, 4 Apr 2017 11:23:36 +0100 |
| Subject: [PATCH] Fix null pointer dereferences when using a link built with |
| clang. |
| |
| PR binutils/21342 |
| * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer |
| dereference. |
| (bfd_elf_final_link): Only initialize the extended symbol index |
| section if there are extended symbol tables to list. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-7614 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| bfd/ChangeLog | 8 ++++++++ |
| bfd/elflink.c | 35 +++++++++++++++++++++-------------- |
| 2 files changed, 29 insertions(+), 14 deletions(-) |
| |
| Index: git/bfd/elflink.c |
| =================================================================== |
| --- git.orig/bfd/elflink.c |
| +++ git/bfd/elflink.c |
| @@ -119,15 +119,18 @@ _bfd_elf_define_linkage_sym (bfd *abfd, |
| defined in shared libraries can't be overridden, because we |
| lose the link to the bfd which is via the symbol section. */ |
| h->root.type = bfd_link_hash_new; |
| + bh = &h->root; |
| } |
| + else |
| + bh = NULL; |
| |
| - bh = &h->root; |
| bed = get_elf_backend_data (abfd); |
| if (!_bfd_generic_link_add_one_symbol (info, abfd, name, BSF_GLOBAL, |
| sec, 0, NULL, FALSE, bed->collect, |
| &bh)) |
| return NULL; |
| h = (struct elf_link_hash_entry *) bh; |
| + BFD_ASSERT (h != NULL); |
| h->def_regular = 1; |
| h->non_elf = 0; |
| h->root.linker_def = 1; |
| @@ -11973,24 +11976,28 @@ bfd_elf_final_link (bfd *abfd, struct bf |
| { |
| /* Finish up and write out the symbol string table (.strtab) |
| section. */ |
| - Elf_Internal_Shdr *symstrtab_hdr; |
| + Elf_Internal_Shdr *symstrtab_hdr = NULL; |
| file_ptr off = symtab_hdr->sh_offset + symtab_hdr->sh_size; |
| |
| - symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr; |
| - if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0) |
| + if (elf_symtab_shndx_list (abfd)) |
| { |
| - symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX; |
| - symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx); |
| - symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx); |
| - amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx); |
| - symtab_shndx_hdr->sh_size = amt; |
| + symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr; |
| |
| - off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr, |
| - off, TRUE); |
| + if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0) |
| + { |
| + symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX; |
| + symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx); |
| + symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx); |
| + amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx); |
| + symtab_shndx_hdr->sh_size = amt; |
| |
| - if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0 |
| - || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt)) |
| - return FALSE; |
| + off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr, |
| + off, TRUE); |
| + |
| + if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0 |
| + || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt)) |
| + return FALSE; |
| + } |
| } |
| |
| symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr; |
| Index: git/bfd/ChangeLog |
| =================================================================== |
| --- git.orig/bfd/ChangeLog |
| +++ git/bfd/ChangeLog |
| @@ -1,3 +1,11 @@ |
| +2017-04-04 Nick Clifton <nickc@redhat.com> |
| + |
| + PR binutils/21342 |
| + * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer |
| + dereference. |
| + (bfd_elf_final_link): Only initialize the extended symbol index |
| + section if there are extended symbol tables to list. |
| + |
| 2017-03-07 Alan Modra <amodra@gmail.com> |
| |
| PR 21224 |