This is the mail archive of the binutils@sources.redhat.com mailing list for the binutils project.



Re: RFA: patch to bfd/elfcode.h for improving tolerance of bad ELF files


On Thu, Jun 14, 2001 at 03:32:01PM -0400, Frank Ch. Eigler wrote:
> Hi -
> 
> While playing with ELF files produced by buggy tools, I came across
> a small bug in bfd/elfcode.h, fixed by the following patch.  Briefly,
> if a REL/RELA contains an invalid symbol index, it may be used without
> range checking to construct pointers into the bfd symbols[] array.
> That in turn can lead to a SEGV.  The patch adds the range check.
> 
> May I commit?
> 
> - FChE
> 
> 
> 2001-06-14  Frank Ch. Eigler  <fche@redhat.com>
> 
> 	* elfcode.h (elf_slurp_reloc_table_from_section): Detect corrupt
> 	symbol index in relocation entry.
> 
> 
> Index: elfcode.h
> ===================================================================
> RCS file: /cvs/src/src/bfd/elfcode.h,v
> retrieving revision 1.19
> diff -u -1 -0 -r1.19 elfcode.h
> --- elfcode.h	2001/05/23 08:23:27	1.19
> +++ elfcode.h	2001/06/14 19:31:18
> @@ -1307,20 +1307,27 @@
>  	 file, and absolute for an executable file or shared library.
>  	 The address of a normal BFD reloc is always section relative,
>  	 and the address of a dynamic reloc is absolute..  */
>        if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0 || dynamic)
>  	relent->address = rela.r_offset;
>        else
>  	relent->address = rela.r_offset - asect->vma;
>  
>        if (ELF_R_SYM (rela.r_info) == 0)
>  	relent->sym_ptr_ptr = bfd_abs_section_ptr->symbol_ptr_ptr;
> +      else if (ELF_R_SYM (rela.r_info) >= bfd_get_symcount (abfd))
> +	{
> +	  (* _bfd_error_handler)
> +	    (_("warning: relocation %d corrupt: points to invalid symbol index %d"),
> +	     i, ELF_R_SYM (rela.r_info));
> +	  goto error_return;
> +	}
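Review bot: the bound in the new `else if`, `bfd_get_symcount (abfd)`, is the static symbol count, yet the `if ((abfd->flags & (EXEC_P | DYNAMIC)) == 0 || dynamic)` test at the top of this hunk shows the same loop is used for dynamic relocs, whose `r_info` indexes the dynamic symbol table; the check should compare against the size of whichever symbol array this call is actually resolving into, otherwise a valid dynamic reloc can be rejected, or a bad one missed, whenever the two tables differ in size. Separately, `ELF_R_SYM (rela.r_info)` is printed with `%d`: elfcode.h is compiled for both ELF32 and ELF64, and on ELF64 the symbol number is the upper half of a 64-bit `r_info`, so cast it to `long` and print it with `%ld` (do the same for the count if it is added to the message). Taking `goto error_return` on the first bad entry also throws away the whole table; mapping the bad entry to `bfd_abs_section_ptr->symbol_ptr_ptr`, exactly as the `== 0` case just above does, would keep the rest of the section readable after the warning.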

That error message doesn't tell me much. I'd like to see the value of
bfd_get_symcount (abfd). Something like

  (_("warning: relocation %d corrupt: points to invalid symbol index %d (>= %d)"),
	i, ELF_R_SYM (rela.r_info), bfd_get_symcount (abfd));

H.J.
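The check discussed in this thread, as an added stand-alone example that is not BFD's code nor the patch author's: it decodes a raw ELF64 little-endian `.rela` section and refuses any entry whose symbol index is outside the symbol table before that index is ever used to form a pointer, and it reports the violated bound in the warning the way H.J. asks for. The on-disk entry layout and the `r_info` split follow the ELF64 ABI; the names `Rela64`, `RelocError`, `check_rela_section` and `build_sample_section`, and the sample section built in `main`, are this example's own constructions.

```c
/* Added example (not binutils code): range-check relocation symbol
   indices read from a raw ELF64 .rela section before using them.
   ELF64 little-endian layout per the ELF64 ABI; names below are ours. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t r_offset; uint64_t r_info; int64_t r_addend; } Rela64;

#define RELA64_SIZE 24                                   /* on-disk size of Elf64_Rela */
#define R64_SYM(info)    ((uint32_t)((info) >> 32))     /* ELF64_R_SYM */
#define R64_TYPE(info)   ((uint32_t)((info) & 0xffffffffu))
#define R64_INFO(sym, t) (((uint64_t)(sym) << 32) | (uint32_t)(t))

typedef struct {
  size_t   reloc_index;  /* which entry was bad */
  uint32_t sym_index;    /* the index it carried */
  size_t   symcount;     /* the bound it violated, so the warning can show it */
} RelocError;

static uint64_t rd64(const unsigned char *p)   /* little-endian read */
{
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
  return v;
}

static void wr64(unsigned char *p, uint64_t v)  /* little-endian write */
{
  for (int i = 0; i < 8; i++) { p[i] = (unsigned char)(v & 0xff); v >>= 8; }
}

static void decode_rela(const unsigned char *p, Rela64 *out)
{
  out->r_offset = rd64(p);
  out->r_info   = rd64(p + 8);
  out->r_addend = (int64_t)rd64(p + 16);
}

/* Walk a raw .rela section of 'size' bytes against a symbol table of
   'symcount' entries. Index 0 is the undefined symbol and always accepted
   (BFD maps it to the absolute section); any other index must be below
   symcount, which is the check the unchecked code path lacked.
   Returns the entry count on success, -1 if 'size' is not a whole number
   of entries, -2 on a bad symbol index with details in *err. */
long check_rela_section(const unsigned char *sec, size_t size,
                        size_t symcount, RelocError *err)
{
  if (size % RELA64_SIZE != 0)
    return -1;
  size_t n = size / RELA64_SIZE;
  for (size_t i = 0; i < n; i++) {
    Rela64 r;
    decode_rela(sec + i * RELA64_SIZE, &r);
    uint32_t sym = R64_SYM(r.r_info);
    if (sym != 0 && sym >= symcount) {
      if (err) { err->reloc_index = i; err->sym_index = sym; err->symcount = symcount; }
      return -2;
    }
  }
  return (long)n;
}

/* Build a constructed .rela section whose i-th entry names symbol syms[i].
   Returns the number of bytes written, 0 if 'cap' is too small. */
size_t build_sample_section(unsigned char *buf, size_t cap,
                            const uint32_t *syms, size_t n)
{
  if (cap < n * RELA64_SIZE) return 0;
  for (size_t i = 0; i < n; i++) {
    unsigned char *p = buf + i * RELA64_SIZE;
    wr64(p,      0x1000 + 8 * i);          /* r_offset */
    wr64(p + 8,  R64_INFO(syms[i], 1));    /* r_info: symbol, type 1 */
    wr64(p + 16, 0);                       /* r_addend */
  }
  return n * RELA64_SIZE;
}

int main(void)
{
  /* Constructed input: a 3-entry symbol table, relocs naming symbols 0, 2 and 7. */
  static const uint32_t idx[] = { 0, 2, 7 };
  unsigned char sec[3 * RELA64_SIZE];
  size_t len = build_sample_section(sec, sizeof sec, idx, 3);
  RelocError err;
  long rc = check_rela_section(sec, len, 3, &err);
  if (rc == -2)
    printf("warning: relocation %zu corrupt: points to invalid symbol index %u (>= %zu)\n",
           err.reloc_index, err.sym_index, err.symcount);
  else
    printf("%ld relocations ok\n", rc);
  return rc < 0;
}
```

The section-size check matters as much as the index check: a truncated section would otherwise make the decoder read past the buffer before the symbol index is even looked at. The symbol count passed in should be the size of the table the relocs actually index (static or dynamic), since that is the array a pointer would be formed into.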

