From 4770fb94ee04ef767cb2c171a24168d2b5acca04 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Sat, 1 Dec 2018 21:52:37 +1030
Subject: [PATCH] PR23946, illegal memory access in readelf.c:slurp_ia64_unwind_table

PR 23946 * readelf.c (slurp_ia64_unwind_table): Bounds check symbol index on reloc. (slurp_hppa_unwind_table): Likewise.
---
 binutils/ChangeLog | 7 +++++++
 binutils/readelf.c | 22 ++++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index ccaa9c9a117..612b0ed0a32 100644
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,10 @@
+2018-12-01 Alan Modra
+
+ PR 23946
+ * readelf.c (slurp_ia64_unwind_table): Bounds check symbol index
+ on reloc.
+ (slurp_hppa_unwind_table): Likewise.
+
 2018-12-01 Alan Modra
 
 PR 23945
diff --git a/binutils/readelf.c b/binutils/readelf.c
index 9eb5931fe3a..9969e46ea4e 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -7597,9 +7597,9 @@ slurp_ia64_unwind_table (Filedata * filedata,
 
 for (rp = rela; rp < rela + nrelas; ++rp)
 {
+ unsigned int sym_ndx;
 unsigned int r_type = get_reloc_type (filedata, rp->r_info);
 relname = elf_ia64_reloc_type (r_type);
- sym = aux->symtab + get_reloc_symindex (rp->r_info);
 
 /* PR 17531: file: 9fa67536. */
 if (relname == NULL)
@@ -7623,6 +7623,15 @@ slurp_ia64_unwind_table (Filedata * filedata,
 continue;
 }
 
+ sym_ndx = get_reloc_symindex (rp->r_info);
+ if (sym_ndx >= aux->nsyms)
+ {
+ warn (_("Skipping reloc with invalid symbol index: %u\n"),
+ sym_ndx);
+ continue;
+ }
+ sym = aux->symtab + sym_ndx;
+
 switch (rp->r_offset / eh_addr_size % 3)
 {
 case 0:
@@ -8053,9 +8062,9 @@ slurp_hppa_unwind_table (Filedata * filedata,
 
 for (rp = rela; rp < rela + nrelas; ++rp)
 {
+ unsigned int sym_ndx;
 unsigned int r_type = get_reloc_type (filedata, rp->r_info);
 relname = elf_hppa_reloc_type (r_type);
- sym = aux->symtab + get_reloc_symindex (rp->r_info);
 
 if (relname == NULL)
 {
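Review bot: In slurp_ia64_unwind_table (hunk at -7597), `unsigned int sym_ndx;` may be narrower than the value get_reloc_symindex returns; that helper's prototype is outside the hunk, so this needs checking. If the return type is wider, the assignment truncates before the `sym_ndx >= aux->nsyms` test added in the next hunk, so a malformed index could wrap into range and be accepted without a warning, although the access itself stays in bounds because the truncated value is what indexes `aux->symtab`. Declaring the variable with the helper's return type, and printing it with the matching format, avoids that. The same declaration is added to slurp_hppa_unwind_table in the -8053 hunk.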
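Review bot: The bounds check added in slurp_ia64_unwind_table (hunk at -7623) carries no comment, while the earlier fuzz fix a few lines up in the same loop is tagged `/* PR 17531: file: 9fa67536. */`. I would put `/* PR 23946: the symbol index comes from the file; reject it before indexing aux->symtab.  */` above `sym_ndx = get_reloc_symindex (rp->r_info);` so the reason for the check survives later refactoring. The identical eight lines are added to slurp_hppa_unwind_table in the -8077 hunk; the same comment applies there, and the two copies could share one small static helper so they cannot drift apart. The loop body starts and ends outside both hunks.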
@@ -8077,6 +8086,15 @@ slurp_hppa_unwind_table (Filedata * filedata,
 continue;
 }
 
+ sym_ndx = get_reloc_symindex (rp->r_info);
+ if (sym_ndx >= aux->nsyms)
+ {
+ warn (_("Skipping reloc with invalid symbol index: %u\n"),
+ sym_ndx);
+ continue;
+ }
+ sym = aux->symtab + sym_ndx;
+
 switch ((rp->r_offset % unw_ent_size) / 4)
 {
 case 0:
--
2.30.2