From: H.J. Lu Date: Thu, 18 Sep 2025 23:59:25 +0000 (-0700) Subject: elf: Don't match corrupt section header in linker input X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9ca499644a21ceb3f946d1c179c38a83be084490;p=thirdparty%2Fbinutils-gdb.git elf: Don't match corrupt section header in linker input Don't swap in nor match corrupt section header in linker input to avoid linker crash later. PR ld/33457 * elfcode.h (elf_swap_shdr_in): Changed to return bool. Return false for corrupt section header in linker input. (elf_object_p): Reject if elf_swap_shdr_in returns false. Signed-off-by: H.J. Lu --- diff --git a/bfd/elfcode.h b/bfd/elfcode.h index 9c65852e103..5224a1abee6 100644 --- a/bfd/elfcode.h +++ b/bfd/elfcode.h @@ -311,7 +311,7 @@ elf_swap_ehdr_out (bfd *abfd, /* Translate an ELF section header table entry in external format into an ELF section header table entry in internal format. */ -static void +static bool elf_swap_shdr_in (bfd *abfd, const Elf_External_Shdr *src, Elf_Internal_Shdr *dst) @@ -341,6 +341,9 @@ elf_swap_shdr_in (bfd *abfd, { _bfd_error_handler (_("warning: %pB has a section " "extending past end of file"), abfd); + /* PR ld/33457: Don't match corrupt section header. */ + if (abfd->is_linker_input) + return false; abfd->read_only = 1; } } @@ -350,6 +353,7 @@ elf_swap_shdr_in (bfd *abfd, dst->sh_entsize = H_GET_WORD (abfd, src->sh_entsize); dst->bfd_section = NULL; dst->contents = NULL; + return true; } /* Translate an ELF section header table entry in internal format into an @@ -642,9 +646,9 @@ elf_object_p (bfd *abfd) /* Read the first section header at index 0, and convert to internal form. */ - if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) + if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) + || !elf_swap_shdr_in (abfd, &x_shdr, &i_shdr)) goto got_no_match; - elf_swap_shdr_in (abfd, &x_shdr, &i_shdr); /* If the section count is zero, the actual count is in the first section header. */ @@ -730,9 +734,9 @@ elf_object_p (bfd *abfd) to internal form. */ for (shindex = 1; shindex < i_ehdrp->e_shnum; shindex++) { - if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr)) + if (bfd_read (&x_shdr, sizeof x_shdr, abfd) != sizeof (x_shdr) + || !elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex)) goto got_no_match; - elf_swap_shdr_in (abfd, &x_shdr, i_shdrp + shindex); /* Sanity check sh_link and sh_info. */ if (i_shdrp[shindex].sh_link >= num_sec)