From: Alan Modra
Date: Sun, 17 Aug 2025 05:43:06 +0000 (+0930)
Subject: buffer overflow in process_sht_group_entries
X-Git-Tag: gdb-17-branchpoint~276
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f586f9b61d1e5d91f010e68922b8c8b86f787a27;p=thirdparty%2Fbinutils-gdb.git

buffer overflow in process_sht_group_entries

An oss-fuzz testcase with a SHT_GROUP section named .debug managed to break objcopy --compress-debug-sections. The underlying problem is that SEC_DEBUGGING is set by section name tests, thus the SHT_GROUP section gets compressed. The compressed section data is smaller than the original section sh_size, and process_sht_group_entries tries to look at sh_size worth of entries.

The patch fixes this mess by simply not setting SEC_DEBUGGING on SHT_GROUP sections. Note that it isn't correct to restrict SEC_DEBUGGING to SHT_PROGBITS sections, as that will break processor/os special sections for debug, e.g. SHT_MIPS_DEBUG.

	* elf.c (_bfd_elf_make_section_from_shdr): Don't set SEC_DEBUGGING
	on SEC_GROUP sections no matter their name.
---
diff --git a/bfd/elf.c b/bfd/elf.c
index 4051f2f9329..84a220f01cc 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -957,7 +957,7 @@ _bfd_elf_make_section_from_shdr (bfd *abfd, break; } - if ((flags & SEC_ALLOC) == 0) + if ((flags & (SEC_ALLOC | SEC_GROUP)) == 0) { /* The debugging sections appear to be recognized only by name, not any sort of flag. Their SEC_ALLOC bits are cleared. */
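Review bot: the comment inside the guarded block ("The debugging sections appear to be recognized only by name, not any sort of flag. Their SEC_ALLOC bits are cleared.") is now stale, since the condition also requires SEC_GROUP to be clear; please extend it to say that group sections are excluded as well, otherwise the next reader will not see why an SHT_GROUP section named .debug is skipped here. Separately, this hunk removes the trigger but not the over-read itself: per the commit message, process_sht_group_entries still walks sh_size worth of entries from whatever buffer it is handed, so bounding that loop by the bytes actually available (and checking that the size is a multiple of the entry size) would keep any future path that shrinks or compresses group contents from turning into another overflow.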
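As an added example that is not binutils or BFD code, the following C models the two points in the commit: the fixed rule that the name-based SEC_DEBUGGING decision is skipped for group sections, and a bounds-checked reader for SHT_GROUP entries whose loop stops at the bytes actually held rather than at the header's sh_size. The flag bit values, the simplified ".debug" prefix test, the constructed sample group contents and the 16-member cap are assumptions of this example; the layout of an SHT_GROUP body (an array of 4-byte words, the first being the group flags) is from the ELF specification.

```c
/* Added example, not binutils/BFD code.  It models (1) the post-fix rule
   that a name-based "this is a debug section" decision is skipped for
   allocated and group sections, and (2) a defensive reader for SHT_GROUP
   contents whose loop bound is the number of bytes actually held, not the
   header's sh_size.  Flag bit values, the name test, the sample data and
   the 16-member cap are this example's own assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define X_SEC_ALLOC     0x01   /* example flag values, not BFD's */
#define X_SEC_GROUP     0x02
#define X_SEC_DEBUGGING 0x04
#define GRP_COMDAT      0x01   /* from the ELF spec */

/* Mirrors the fixed condition: debug sections are recognised by name
   only when they are neither allocated nor group sections.  The name
   test is simplified to a ".debug" prefix for this example. */
static uint32_t classify_by_name(uint32_t flags, const char *name)
{
  if ((flags & (X_SEC_ALLOC | X_SEC_GROUP)) == 0
      && strncmp(name, ".debug", 6) == 0)
    flags |= X_SEC_DEBUGGING;
  return flags;
}

struct group_result {
  int ok;               /* 1 when the contents were consistent and fully read */
  uint32_t flags;       /* entry 0: GRP_COMDAT or 0 */
  size_t nmembers;      /* number of member section indices read */
  uint32_t members[16]; /* member section indices (cap is an example limit) */
};

static uint32_t rd32le(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
       | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse an SHT_GROUP body: an array of 4-byte little-endian words, the
   first being the group flags, the rest section indices.  The loop is
   bounded by buf_len, so a header whose sh_size exceeds what is held
   (the commit's failure mode) is rejected instead of over-read. */
static struct group_result parse_sht_group(const uint8_t *buf, size_t buf_len,
                                           uint64_t sh_size)
{
  struct group_result r;
  memset(&r, 0, sizeof r);
  if (sh_size > buf_len)            /* header promises more than we hold */
    return r;
  if (sh_size < 4 || (sh_size % 4) != 0)
    return r;
  size_t nwords = (size_t)(sh_size / 4);
  r.flags = rd32le(buf);
  for (size_t i = 1; i < nwords; i++) {
    if (r.nmembers == 16)
      return r;                       /* beyond this example's cap */
    r.members[r.nmembers++] = rd32le(buf + 4 * i);
  }
  r.ok = 1;
  return r;
}

/* Constructed sample: a COMDAT group of sections 5, 6 and 7. */
static const uint8_t sample_group[16] = {
  0x01,0,0,0,  0x05,0,0,0,  0x06,0,0,0,  0x07,0,0,0,
};

/* Well-formed case: the header size matches the bytes held. */
static int parses_well_formed(void)
{
  struct group_result r = parse_sht_group(sample_group, sizeof sample_group, 16);
  return r.ok && r.flags == GRP_COMDAT && r.nmembers == 3
      && r.members[0] == 5 && r.members[2] == 7;
}

/* Mismatch case from the commit: sh_size still says 16 but only 8
   bytes of contents are held, as after an unwanted compression. */
static int rejects_short_contents(void)
{
  struct group_result r = parse_sht_group(sample_group, 8, 16);
  return r.ok == 0;
}

int main(void)
{
  uint32_t f = classify_by_name(X_SEC_GROUP, ".debug");
  printf("group named .debug marked debugging: %s\n",
         (f & X_SEC_DEBUGGING) ? "yes" : "no");
  printf("well-formed group parses: %d\n", parses_well_formed());
  printf("short contents rejected: %d\n", rejects_short_contents());
  return 0;
}
```

The point of bounding the loop by buf_len rather than sh_size is that the header is data from the input file while buf_len reflects what the tool actually holds; once those two can disagree, as they did after the group section was compressed, only the latter is a safe bound.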