path: root/gnu/packages/patches/binutils-CVE-2017-14729.patch
blob: ccf3d3570e01ac8fb6ae75dc48e931bf0d5fbd9a
https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/

This patch is modified slightly to apply to our binutils.

From 56933f9e3e90eebf1018ed7417d6c1184b91db6b Mon Sep 17 00:00:00 2001
From: "H.J. Lu" <hjl.tools@gmail.com>
Date: Fri, 22 Sep 2017 14:15:40 -0700
Subject: [PATCH] x86: Guard against corrupted PLT

There should be only one entry in PLT for a given symbol.  Set howto to
NULL after processing a PLT entry to guard against corrupted PLT so that
the duplicated PLT entries are skipped.

	PR binutils/22170
	 * elf32-i386.c (elf_i386_get_synthetic_symtab): Guard against
	 corrupted PLT.
	 * elf64-x86-64.c (elf_x86_64_get_synthetic_symtab): Likewise.

(cherry picked from commit 61e3bf5f83f7e505b6bc51ef65426e5b31e6e360)
---
 bfd/ChangeLog      | 7 +++++++
 bfd/elf32-i386.c   | 4 ++++
 bfd/elf64-x86-64.c | 4 ++++
 3 files changed, 15 insertions(+)

diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
index 9dc2d25..ba50c93 100644
--- a/bfd/elf32-i386.c
+++ b/bfd/elf32-i386.c
@@ -6616,6 +6616,10 @@ bad_return:
 		  size += sizeof ("+0x") - 1 + 8;
 		n++;
 		s++;
+		/* There should be only one entry in PLT for a given
+		   symbol.  Set howto to NULL after processing a PLT
+		   entry to guard against corrupted PLT.  */
+		p->howto = NULL;
 	      }
 	    offset += plt_entry_size;
 	  }
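Review bot: the guard added after `s++` only takes effect if the loop rejects entries whose `p->howto` is already NULL before it reaches this `size += ...; n++; s++;` block, and that test is outside the four lines shown (the visible context starts at `size += sizeof ("+0x") - 1 + 8;`). Confirm that the earlier part of the loop in elf_i386_get_synthetic_symtab checks `p->howto` and skips the entry when it is NULL; otherwise clearing it after the first use does not stop a second PLT entry for the same symbol from being counted into `size` and `n`, which is the over-count that the linked Gentoo report describes as the heap-based buffer overflow in _bfd_x86_elf_get_synthetic_symtab.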
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index 558db98..d9225ad 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -6970,6 +6970,10 @@ bad_return:
 		  size += sizeof ("+0x") - 1 + 8 + 8 * ABI_64_P (abfd);
 		n++;
 		s++;
+		/* There should be only one entry in PLT for a given
+		   symbol.  Set howto to NULL after processing a PLT
+		   entry to guard against corrupted PLT.  */
+		p->howto = NULL;
 	      }
 	    offset += plt_entry_size;
 	  }
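Review bot: same guard as the i386 hunk and the same caveat applies: `p->howto = NULL` after `s++` is only effective if the NULL check precedes this block in elf_x86_64_get_synthetic_symtab, and that check is not within the visible context, so it should be verified rather than assumed. One further point on the patch as carried here: the diffstat above still lists `bfd/ChangeLog | 7 +++++++` and `3 files changed, 15 insertions(+)`, but only the two four-line hunks are present (the note at the top says the patch was trimmed to apply to this binutils); regenerating or dropping the stat lines would keep the header consistent with the hunks that actually follow.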
-- 
2.9.3