[PATCH] libiberty: Check zero value shstrndx in simple-object-elf.c

2019-07-12 Thread Ren Kimura
This patch fixes Bug 90924.
simple_object_elf functions don't load section table 0 of an ELF file, which is 
not useful.
However, if e_shstrndx in the ELF header points to section table 0 (i.e. 
e_shstrndx == 0), the calculation of the offset to the string section table causes 
integer overflow at every line "(eor->shstrndx - 1)".
The result becomes negative value (unsigned int)-1 and causes memory corruption.

Signed-off-by: Ren Kimura 
---
 libiberty/simple-object-elf.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
index 22c9ae7ed2d..33562e4eb18 100644
--- a/libiberty/simple-object-elf.c
+++ b/libiberty/simple-object-elf.c
@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char 
header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
   XDELETE (eor);
   return NULL;
 }
-
+  
+  if (!eor->shstrndx)
+{
+  *errmsg = "invalid ELF shstrndx == 0";
+  *err = 0;
+  XDELETE (eor);
+  return NULL;
+}
+  
   return (void *) eor;
 }
 
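Review bot: The condition "if (!eor->shstrndx)" tests a section index as if it were a boolean. Write it as "if (eor->shstrndx == 0)" so the code reads as an index comparison and matches the error string "invalid ELF shstrndx == 0" set two lines below it.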
-- 
2.19.1



[PATCH v2] libiberty: Check zero value shstrndx in simple-object-elf.c

2019-07-12 Thread Ren Kimura
This patch fixes Bug 90924.
simple_object_elf functions don't load section table 0 of an ELF file, which is 
not useful.
However, if e_shstrndx in the ELF header points to section table 0 (i.e. 
e_shstrndx == 0), the calculation of the offset to the string section table causes 
integer overflow at every line "(eor->shstrndx - 1)".
The result becomes negative value (unsigned int)-1 and causes memory corruption.

Signed-off-by: Ren Kimura 
---
 libiberty/simple-object-elf.c | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
index 22c9ae7ed2d..9c561632bc5 100644
--- a/libiberty/simple-object-elf.c
+++ b/libiberty/simple-object-elf.c
@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char 
header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
   XDELETE (eor);
   return NULL;
 }
-
+  
+  if (eor->shstrndx == 0)
+{
+  *errmsg = "invalid ELF shstrndx == 0";
+  *err = 0;
+  XDELETE (eor);
+  return NULL;
+}
+  
   return (void *) eor;
 }
 
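Review bot: The new test "if (eor->shstrndx == 0)" rejects only the zero index; nothing in this hunk rejects an e_shstrndx that is at or beyond the number of section headers. With such a value the "(eor->shstrndx - 1)" offset computations named in the commit message would point past the section header table. Unless an upper-bound check already exists elsewhere in the function, validate the index against the section count here as well, with its own error message.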
-- 
2.19.1



Re: [PATCH v2] libiberty: Check zero value shstrndx in simple-object-elf.c

2019-07-12 Thread Ren Kimura
Oh. I missed a ChangeLog entry.
Hold on... I'll send v3 patch.

Thanks

On Fri, Jul 12, 2019 at 19:37, Ren Kimura wrote:
>
> This patch fixes Bug 90924.
> simple_object_elf functions don't load section table 0 of an ELF file, which is 
> not useful.
> However, if e_shstrndx in the ELF header points to section table 0 (i.e. 
> e_shstrndx == 0), the calculation of the offset to the string section table causes 
> integer overflow at every line "(eor->shstrndx - 1)".
> The result becomes negative value (unsigned int)-1 and causes memory corruption.
>
> Signed-off-by: Ren Kimura 
> ---
>  libiberty/simple-object-elf.c | 10 +-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
> index 22c9ae7ed2d..9c561632bc5 100644
> --- a/libiberty/simple-object-elf.c
> +++ b/libiberty/simple-object-elf.c
> @@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char 
> header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
>XDELETE (eor);
>return NULL;
>  }
> -
> +
> +  if (eor->shstrndx == 0)
> +{
> +  *errmsg = "invalid ELF shstrndx == 0";
> +  *err = 0;
> +  XDELETE (eor);
> +  return NULL;
> +}
> +
>return (void *) eor;
>  }
>
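Review bot: The added block carries no comment saying why index 0 is refused. In ELF, e_shstrndx == 0 is SHN_UNDEF, meaning the file has no section name string table, so a short comment above "if (eor->shstrndx == 0)" should state that later code computes (eor->shstrndx - 1) and cannot handle that value. That also records that such files are rejected at match time on purpose rather than treated as having no section names.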
> --
> 2.19.1
>


[PATCH v3] libiberty: Check zero value shstrndx in simple-object-elf.c

2019-07-12 Thread Ren Kimura
This patch fixes Bug 90924.
simple_object_elf functions don't load section table 0 of an ELF file, which is 
not useful.
However, if e_shstrndx in the ELF header points to section table 0 (i.e. 
e_shstrndx == 0), the calculation of the offset to the string section table causes 
integer overflow at every line "(eor->shstrndx - 1)".
The result becomes negative value (unsigned int)-1 and causes memory corruption.

Signed-off-by: Ren Kimura 
---
 libiberty/ChangeLog   |  5 +
 libiberty/simple-object-elf.c | 10 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
index c3daf2ae8c8..ea2f3e6a982 100644
--- a/libiberty/ChangeLog
+++ b/libiberty/ChangeLog
@@ -1,3 +1,8 @@
+2019-07-12  Ren Kimura  
+
+   * simple-object-elf.c (simple_object_elf_match): Check zero value 
shstrndx.
+   This fixes a Bug 90924.
+
 2019-05-31  Michael Forney  
 
* cp-demangle.c: Don't define CP_DYNAMIC_ARRAYS if __STDC_NO_VLA__
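Review bot: The entry's closing line, "This fixes a Bug 90924.", is not the form GCC ChangeLogs use to reference a bug. Put a "PR <component>/90924" line at the top of the entry, before the "* simple-object-elf.c" line, and drop the sentence; the component name has to be taken from the bug report.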
diff --git a/libiberty/simple-object-elf.c b/libiberty/simple-object-elf.c
index 22c9ae7ed2d..9c561632bc5 100644
--- a/libiberty/simple-object-elf.c
+++ b/libiberty/simple-object-elf.c
@@ -548,7 +548,15 @@ simple_object_elf_match (unsigned char 
header[SIMPLE_OBJECT_MATCH_HEADER_LEN],
   XDELETE (eor);
   return NULL;
 }
-
+  
+  if (eor->shstrndx == 0)
+{
+  *errmsg = "invalid ELF shstrndx == 0";
+  *err = 0;
+  XDELETE (eor);
+  return NULL;
+}
+  
   return (void *) eor;
 }
 
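Review bot: The two added "+  " lines at the top and bottom of the new block contain only spaces, so the patch replaces the removed empty line with trailing whitespace that "git diff --check" will flag. Leave both separator lines empty; keeping the original blank line before "return (void *) eor;" also shrinks the hunk to the added block alone.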
-- 
2.19.1