buffer overflow in process_sht_group_entries

An oss-fuzz testcase with a SHT_GROUP section named .debug managed to
break objcopy --compress-debug-sections.  The underlying problem is
that SEC_DEBUGGING is set by section name tests, thus the SHT_GROUP
section gets compressed.  The compressed section data is smaller than
the original section sh_size, and process_sht_group_entries tries to
look at sh_size worth of entries.  The patch fixes this mess by simply
not setting SEC_DEBUGGING on SHT_GROUP sections.

Note that it isn't correct to restrict SEC_DEBUGGING to SHT_PROGBITS
sections, as that will break processor/os special sections for debug.
eg. SHT_MIPS_DEBUG.

	* elf.c (_bfd_elf_make_section_from_shdr): Don't set
	SEC_DEBUGGING on SEC_GROUP sections no matter their name.

diff --git a/bfd/elf.c b/bfd/elf.c
index 4051f2f9329d2d18d36842eeb0f4de18d1629066..84a220f01ccd1f6db8e9b456583de5361cd9469b 100644 (file)
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -957,7 +957,7 @@ _bfd_elf_make_section_from_shdr (bfd *abfd,
       break;
     }
 
-  if ((flags & SEC_ALLOC) == 0)
+  if ((flags & (SEC_ALLOC | SEC_GROUP)) == 0)
     {
       /* The debugging sections appear to be recognized only by name,
         not any sort of flag.  Their SEC_ALLOC bits are cleared.  */