From ad32986fdf9da1c8748e47b8b45100398223dba8 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 4 Apr 2017 11:23:36 +0100
Subject: [PATCH] Fix null pointer dereferences when using a link built with clang.
PR binutils/21342
* elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer dereference.
(bfd_elf_final_link): Only initialize the extended symbol index section if there are extended symbol tables to list.
Upstream-Status: Backport https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8
CVE: CVE-2017-7614
Singed-off-by: Armin Kuster
---
bfd/elflink.c | 35 +++++++++++++++++++++--------------
2 files changed, 29 insertions(+), 14 deletions(-)
Index: git/bfd/elflink.c
===================================================================
--- git.orig/bfd/elflink.c
+++ git/bfd/elflink.c
@@ -118,15 +118,18 @@ _bfd_elf_define_linkage_sym (bfd *abfd,
 defined in shared libraries can't be overridden, because we lose the link to the bfd which is via the symbol section. */
 h->root.type = bfd_link_hash_new;
+ bh = &h->root;
 }
+ else
+ bh = NULL;
- bh = &h->root;
 bed = get_elf_backend_data (abfd);
 if (!_bfd_generic_link_add_one_symbol (info, abfd, name, BSF_GLOBAL, sec, 0, NULL, FALSE, bed->collect, &bh))
 return NULL;
 h = (struct elf_link_hash_entry *) bh;
+ BFD_ASSERT (h != NULL);
 h->def_regular = 1;
 h->non_elf = 0;
 h->root.linker_def = 1;
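Review bot: The added `BFD_ASSERT (h != NULL);` does not stop the very dereference the commit is fixing: as far as I recall, libbfd's default assert handler only reports the failed condition and returns, so if `_bfd_generic_link_add_one_symbol` ever succeeds while leaving `bh` NULL, `h->def_regular = 1;` on the next context line still writes through a NULL pointer — worth confirming against the BFD_ASSERT definition. The function already returns NULL when symbol insertion fails, so callers must handle that path; a hard guard after the cast, `if (h == NULL) return NULL;`, would make the new assertion a diagnostic rather than the only protection. The `else bh = NULL;` branch is the right fix for the old unconditional `bh = &h->root;`, which computed a member address through a NULL `h` (undefined behaviour that clang was entitled to optimise around). `_bfd_elf_define_linkage_sym` starts before this hunk.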
@@ -11789,24 +11792,28 @@ bfd_elf_final_link (bfd *abfd, struct bf
 {
 /* Finish up and write out the symbol string table (.strtab) section. */
- Elf_Internal_Shdr *symstrtab_hdr;
+ Elf_Internal_Shdr *symstrtab_hdr = NULL;
 file_ptr off = symtab_hdr->sh_offset + symtab_hdr->sh_size;
- symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr;
- if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0)
+ if (elf_symtab_shndx_list (abfd))
 {
- symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX;
- symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx);
- symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx);
- amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx);
- symtab_shndx_hdr->sh_size = amt;
+ symtab_shndx_hdr = & elf_symtab_shndx_list (abfd)->hdr;
- off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr,
- off, TRUE);
+ if (symtab_shndx_hdr != NULL && symtab_shndx_hdr->sh_name != 0)
+ {
+ symtab_shndx_hdr->sh_type = SHT_SYMTAB_SHNDX;
+ symtab_shndx_hdr->sh_entsize = sizeof (Elf_External_Sym_Shndx);
+ symtab_shndx_hdr->sh_addralign = sizeof (Elf_External_Sym_Shndx);
+ amt = bfd_get_symcount (abfd) * sizeof (Elf_External_Sym_Shndx);
+ symtab_shndx_hdr->sh_size = amt;
- if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0
- || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt))
- return FALSE;
+ off = _bfd_elf_assign_file_position_for_section (symtab_shndx_hdr,
+ off, TRUE);
+
+ if (bfd_seek (abfd, symtab_shndx_hdr->sh_offset, SEEK_SET) != 0
+ || (bfd_bwrite (flinfo.symshndxbuf, amt, abfd) != amt))
+ return FALSE;
+ }
 }
 symstrtab_hdr = &elf_tdata (abfd)->strtab_hdr;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
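Review bot: The inner test `symtab_shndx_hdr != NULL` on the new side is dead: the pointer was just set to `& elf_symtab_shndx_list (abfd)->hdr` inside a branch that only runs when the list node is non-NULL, so the address of its member cannot be NULL, and keeping the test suggests a NULL case that the outer check already excludes. I would reduce it to `if (symtab_shndx_hdr->sh_name != 0)` and spell the outer guard as `if (elf_symtab_shndx_list (abfd) != NULL)`, so the one check that actually prevents the dereference is visible. The `= NULL` initializer added to `symstrtab_hdr` is likewise unused, since the variable is assigned `&elf_tdata (abfd)->strtab_hdr` unconditionally at the end of the hunk; harmless, but it reads as though some path could leave it unset. `bfd_elf_final_link` begins and ends outside this hunk.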
@@ -1,3 +1,11 @@
+2017-04-04 Nick Clifton
+
+ PR binutils/21342
+ * elflink.c (_bfd_elf_define_linkage_sym): Prevent null pointer
+ dereference.
+ (bfd_elf_final_link): Only initialize the extended symbol index
+ section if there are extended symbol tables to list.
+
 2016-08-02 Nick Clifton
 
 PR ld/17739