blob: 902a90dbc39678688456c1339c82e8dabf0f2690 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
From 102def4da826b3d9e169741421e5e67e8731909a Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 23 Oct 2018 18:30:22 +1030
Subject: [PATCH] PR23805, NULL pointer dereference in elf_link_input_bfd
PR 23805
* elflink.c (elf_link_input_bfd): Don't segfault on finding
STT_TLS symbols without any TLS sections. Instead, change the
symbol type to STT_NOTYPE.
Upstream-Status: Backport
CVE: CVE-2018-18606
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 7 +++++++
bfd/elflink.c | 20 ++++++++++++++------
2 files changed, 21 insertions(+), 6 deletions(-)
--- a/bfd/elflink.c
+++ b/bfd/elflink.c
@@ -10496,8 +10496,11 @@ elf_link_input_bfd (struct elf_final_lin
if (ELF_ST_TYPE (osym.st_info) == STT_TLS)
{
/* STT_TLS symbols are relative to PT_TLS segment base. */
- BFD_ASSERT (elf_hash_table (flinfo->info)->tls_sec != NULL);
- osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;
+ if (elf_hash_table (flinfo->info)->tls_sec != NULL)
+ osym.st_value -= elf_hash_table (flinfo->info)->tls_sec->vma;
+ else
+ osym.st_info = ELF_ST_INFO (ELF_ST_BIND (osym.st_info),
+ STT_NOTYPE);
}
}
@@ -11053,12 +11056,17 @@ elf_link_input_bfd (struct elf_final_lin
sym.st_value += osec->vma;
if (ELF_ST_TYPE (sym.st_info) == STT_TLS)
{
+ struct elf_link_hash_table *htab
+ = elf_hash_table (flinfo->info);
+
/* STT_TLS symbols are relative to PT_TLS
segment base. */
- BFD_ASSERT (elf_hash_table (flinfo->info)
- ->tls_sec != NULL);
- sym.st_value -= (elf_hash_table (flinfo->info)
- ->tls_sec->vma);
+ if (htab->tls_sec != NULL)
+ sym.st_value -= htab->tls_sec->vma;
+ else
+ sym.st_info
+ = ELF_ST_INFO (ELF_ST_BIND (sym.st_info),
+ STT_NOTYPE);
}
}
|
