Bug 11889

Summary: readelf: fixes for multiple crashes
Product: binutils
Reporter: Dan Rosenberg <dan.j.rosenberg>
Component: binutils
Assignee: unassigned
Status: RESOLVED FIXED
Severity: normal
CC: bug-binutils
Priority: P2
Version: 2.20
Target Milestone: ---
Attachments: Fix for readelf crashes; Revised patch, fixed casts

Description Dan Rosenberg 2010-08-06 05:00:14 UTC
readelf crashes very easily when parsing malformed binaries. The attached patch
fixes three floating point exceptions (divide-by-zero) and approximately 13
out-of-bounds reads (due to null pointer dereference, integer overflows, and bad
array indexing). I have test files that trigger each of these crashes, but the
patch should be pretty self-explanatory. I've tested the patch, confirmed it
breaks no functionality, and that it resolves each of my crash files:

(Patch hosted on Ubuntu's Launchpad)
http://launchpadlibrarian.net/53144133/readelf-crashes.patch
Comment 1 Dan Rosenberg 2010-08-06 05:01:49 UTC
Created attachment 4916: Fix for readelf crashes
Comment 2 Dan Rosenberg 2010-08-06 14:18:26 UTC
Created attachment 4917: Revised patch, fixed casts

Fixed to work on 64-bit platforms
Comment 3 Sourceware Commits 2010-08-13 16:02:45 UTC
Subject: Bug 11889

CVSROOT:	/cvs/src
Module name:	src
Changes by:	nickc@sourceware.org	2010-08-13 16:02:17

Modified files:
	binutils       : ChangeLog readelf.c 

Log message:
	PR binutils/11889
	* readelf.c (get_32bit_elf_symbols): Check for a corrupt
	sh_entsize.
	(get_64bit_elf_symbols): Likewise.
	(process_symbol_table): Likewise.
	(process_section_groups): Check for corrupt headers.
	(process_version_sections): Check for corrupt indices.
	(process_corefile_note_segment): Likewise.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/ChangeLog.diff?cvsroot=src&r1=1.1670&r2=1.1671
http://sourceware.org/cgi-bin/cvsweb.cgi/src/binutils/readelf.c.diff?cvsroot=src&r1=1.512&r2=1.513

Comment 4 Nick Clifton 2010-08-13 16:03:57 UTC
Hi Dan,

  Thanks for the bug report and patch.  I have checked it in, modulo a few
formatting fixes, along with this changelog entry.

Cheers
  Nick

binutils/ChangeLog
2010-08-13  Dan Rosenberg  <dan.j.rosenberg@gmail.com>

	PR binutils/11889
	* readelf.c (get_32bit_elf_symbols): Check for a corrupt
	sh_entsize.
	(get_64bit_elf_symbols): Likewise.
	(process_symbol_table): Likewise.
	(process_section_groups): Check for corrupt headers.
	(process_version_sections): Check for corrupt indices.
	(process_corefile_note_segment): Likewise.
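As an added illustration of the sh_entsize check named in the ChangeLog above (my own simplified code, not the binutils patch or readelf's actual logic): a symbol table's entry count is sh_size / sh_entsize, so a crafted header with sh_entsize == 0 turns that division into the SIGFPE the report describes. The entry sizes, error codes and the decision to reject any non-standard sh_entsize outright are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Size of one symbol-table entry on disk, per the ELF specification. */
#define ELF32_SYM_ENTSIZE 16u
#define ELF64_SYM_ENTSIZE 24u

/* Error codes returned by symbol_count() for a rejected header (constructed). */
enum { SYM_BAD_ENTSIZE_ZERO = -1, SYM_BAD_ENTSIZE_MISMATCH = -2,
       SYM_BAD_SIZE_TRUNCATED = -3 };

/* Compute how many symbols a SHT_SYMTAB/SHT_DYNSYM section holds.
 * An unconditional sh_size / sh_entsize raises SIGFPE when a malformed file
 * sets sh_entsize to 0.  Here every field is validated before it is used; a
 * negative return means the header is corrupt and the caller must not read
 * the table.  is_64bit selects the expected entry size. */
long long symbol_count(uint64_t sh_size, uint64_t sh_entsize, int is_64bit)
{
    uint64_t expected = is_64bit ? ELF64_SYM_ENTSIZE : ELF32_SYM_ENTSIZE;

    if (sh_entsize == 0)
        return SYM_BAD_ENTSIZE_ZERO;        /* would divide by zero */
    if (sh_entsize != expected)
        return SYM_BAD_ENTSIZE_MISMATCH;    /* stride would misparse entries */
    if (sh_size % sh_entsize != 0)
        return SYM_BAD_SIZE_TRUNCATED;      /* partial trailing entry */
    return (long long)(sh_size / sh_entsize);
}

int main(void)
{
    /* Constructed section headers: one well-formed, three corrupt. */
    struct { const char *name; uint64_t size, entsize; int is64; } cases[] = {
        { "ok 32-bit",        48, ELF32_SYM_ENTSIZE, 0 },
        { "entsize zero",     48, 0,                 0 },
        { "entsize mismatch", 48, 8,                 0 },
        { "truncated 64-bit", 50, ELF64_SYM_ENTSIZE, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long long n = symbol_count(cases[i].size, cases[i].entsize, cases[i].is64);
        if (n < 0)
            printf("%-18s rejected (code %lld)\n", cases[i].name, n);
        else
            printf("%-18s %lld symbols\n", cases[i].name, n);
    }
    return 0;
}
```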