diff mbox series

elf: Don't match corrupt section header

Message ID 20250918235925.947120-1-hjl.tools@gmail.com
State New
Headers
Series elf: Don't match corrupt section header |

Commit Message

H.J. Lu Sept. 18, 2025, 11:59 p.m. UTC 
  Don't swap in nor match corrupt section header to avoid linker crash
later.

	PR ld/33457
	* elfcode.h (elf_swap_shdr_in): Changed to return bool.  Return
	false for corrupt section header.
	(elf_object_p): Don't match corrupt section header.

Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
---
 bfd/elfcode.h | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

Comments

H.J. Lu Sept. 21, 2025, 7:47 a.m. UTC | #1 
On Fri, Sep 19, 2025 at 7:59 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> Don't swap in nor match corrupt section header to avoid linker crash
> later.
>
>         PR ld/33457
>         * elfcode.h (elf_swap_shdr_in): Changed to return bool.  Return
>         false for corrupt section header.
>         (elf_object_p): Don't match corrupt section header.
>
> Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
> ---
>  bfd/elfcode.h | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/bfd/elfcode.h b/bfd/elfcode.h
> index 9c65852e103..04a51918a0e 100644
> --- a/bfd/elfcode.h
> +++ b/bfd/elfcode.h
> @@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd,
>  /* Translate an ELF section header table entry in external format into an
>     ELF section header table entry in internal format.  */
>
> -static void
> +static bool
>  elf_swap_shdr_in (bfd *abfd,
>                   const Elf_External_Shdr *src,
>                   Elf_Internal_Shdr *dst)
> @@ -341,7 +341,8 @@ elf_swap_shdr_in (bfd *abfd,
>         {
>           _bfd_error_handler (_("warning: %pB has a section "
>                                 "extending past end of file"), abfd);
> -         abfd->read_only = 1;
> +         /*  Don't match corrupt section header: PR ld/33457.  */
> +         return false;
>         }
>      }
>    dst->sh_link = H_GET_32 (abfd, src->sh_link);
> @@ -350,6 +351,7 @@ elf_swap_shdr_in (bfd *abfd,
>    dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
>    dst->bfd_section = NULL;
>    dst->contents = NULL;
> +  return true;
>  }
>
>  /* Translate an ELF section header table entry in internal format into an
> @@ -642,9 +644,9 @@ elf_object_p (bfd *abfd)
>
>        /* Read the first section header at index 0, and convert to internal
>          form.  */
> -      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
> +      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
> +         || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
>         goto got_no_match;
> -      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
>
>        /* If the section count is zero, the actual count is in the first
>          section header.  */
> @@ -730,9 +732,9 @@ elf_object_p (bfd *abfd)
>          to internal form.  */
>        for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
>         {
> -         if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
> +         if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
> +             || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
>             goto got_no_match;
> -         elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
>
>           /* Sanity check sh_link and sh_info.  */
>           if (i_shdrp[shindex].sh_link >= num_sec)
> --
> 2.51.0
>

Any comments or objections?
diff mbox series

Patch

diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 9c65852e103..04a51918a0e 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -311,7 +311,7 @@  elf_swap_ehdr_out (bfd *abfd,
 /* Translate an ELF section header table entry in external format into an
    ELF section header table entry in internal format.  */
 
-static void
+static bool
 elf_swap_shdr_in (bfd *abfd,
 		  const Elf_External_Shdr *src,
 		  Elf_Internal_Shdr *dst)
@@ -341,7 +341,8 @@  elf_swap_shdr_in (bfd *abfd,
 	{
 	  _bfd_error_handler (_("warning: %pB has a section "
 				"extending past end of file"), abfd);
-	  abfd->read_only = 1;
+	  /*  Don't match corrupt section header: PR ld/33457.  */
+	  return false;
 	}
     }
   dst->sh_link = H_GET_32 (abfd, src->sh_link);
@@ -350,6 +351,7 @@  elf_swap_shdr_in (bfd *abfd,
   dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize);
   dst->bfd_section = NULL;
   dst->contents = NULL;
+  return true;
 }
 
 /* Translate an ELF section header table entry in internal format into an
@@ -642,9 +644,9 @@  elf_object_p (bfd *abfd)
 
       /* Read the first section header at index 0, and convert to internal
 	 form.  */
-      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+      if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
+	  || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr))
 	goto got_no_match;
-      elf_swap_shdr_in (abfd, &x_shdr, &i_shdr);
 
       /* If the section count is zero, the actual count is in the first
 	 section header.  */
@@ -730,9 +732,9 @@  elf_object_p (bfd *abfd)
 	 to internal form.  */
       for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++)
 	{
-	  if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr))
+	  if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)
+	      || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex))
 	    goto got_no_match;
-	  elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex);
 
 	  /* Sanity check sh_link and sh_info.  */
 	  if (i_shdrp[shindex].sh_link >= num_sec)