Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | [diff] [blame^] | 1 | From 489246368e2c49a795ad5ecbc8895cbc854292fa Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Clifton <nickc@redhat.com> |
| 3 | Date: Fri, 17 Feb 2017 15:59:45 +0000 |
| 4 | Subject: Fix illegal memory accesses in readelf when parsing a corrupt binary. |
| 5 | |
| 6 | PR binutils/21156 |
| 7 | * readelf.c (find_section_in_set): Test for invalid section |
| 8 | indicies. |
| 9 | |
| 10 | CVE: CVE-2017-6969 |
| 11 | Upstream-Status: Backport [master] |
| 12 | |
| 13 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> |
| 14 | --- |
| 15 | binutils/ChangeLog | 6 ++++++ |
| 16 | binutils/readelf.c | 10 ++++++++-- |
| 17 | 2 files changed, 14 insertions(+), 2 deletions(-) |
| 18 | |
| 19 | diff --git a/binutils/ChangeLog b/binutils/ChangeLog |
| 20 | index a70bdb7a7b..dbf8eb079e 100644 |
| 21 | --- a/binutils/ChangeLog |
| 22 | +++ b/binutils/ChangeLog |
| 23 | @@ -1,3 +1,9 @@ |
| 24 | +2017-02-17 Nick Clifton <nickc@redhat.com> |
| 25 | + |
| 26 | + PR binutils/21156 |
| 27 | + * readelf.c (find_section_in_set): Test for invalid section |
| 28 | + indicies. |
| 29 | + |
| 30 | 2016-08-03 Tristan Gingold <gingold@adacore.com> |
| 31 | |
| 32 | * configure: Regenerate. |
| 33 | diff --git a/binutils/readelf.c b/binutils/readelf.c |
| 34 | index d31558c3b4..7f7365dbc5 100644 |
| 35 | --- a/binutils/readelf.c |
| 36 | +++ b/binutils/readelf.c |
| 37 | @@ -674,8 +674,14 @@ find_section_in_set (const char * name, unsigned int * set) |
| 38 | if (set != NULL) |
| 39 | { |
| 40 | while ((i = *set++) > 0) |
| 41 | - if (streq (SECTION_NAME (section_headers + i), name)) |
| 42 | - return section_headers + i; |
| 43 | + { |
| 44 | + /* See PR 21156 for a reproducer. */ |
| 45 | + if (i >= elf_header.e_shnum) |
| 46 | + continue; /* FIXME: Should we issue an error message ? */ |
| 47 | + |
| 48 | + if (streq (SECTION_NAME (section_headers + i), name)) |
| 49 | + return section_headers + i; |
| 50 | + } |
| 51 | } |
| 52 | |
| 53 | return find_section (name); |
| 54 | -- |
| 55 | 2.11.0 |
| 56 | |