PR22443, Global buffer overflow in _bfd_elf_get_symbol_version_string

Symbols like *ABS* defined in bfd/section.c:global_syms are not
elf_symbol_type.  They can appear on relocs and perhaps other places
in an ELF bfd, so a number of places in nm.c and objdump.c are wrong
to cast an asymbol based on the bfd being ELF.  I think we lose
nothing by excluding all section symbols, not just the global_syms.

	PR 22443
	* nm.c (sort_symbols_by_size): Don't attempt to access
	section symbol internal_elf_sym.
	(print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
	for section symbols.
	* objdump.c (compare_symbols): Don't attempt to access
	section symbol internal_elf_sym.
	(objdump_print_symname): Don't call bfd_get_symbol_version_string
	for section symbols.

diff --git a/binutils/ChangeLog b/binutils/ChangeLog
index 3c9973fbe2f47fdff62d580afdaf8416864c316f..2f4c0d80a5b7c1e7d8b7af40ed361c26e436800f 100644 (file)
--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
@@ -1,3 +1,15 @@
+2017-11-18  Alan Modra  <amodra@gmail.com>
+
+       PR 22443
+       * nm.c (sort_symbols_by_size): Don't attempt to access
+       section symbol internal_elf_sym.
+       (print_symbol): Likewise.  Don't call bfd_get_symbol_version_string
+       for section symbols.
+       * objdump.c (compare_symbols): Don't attempt to access
+       section symbol internal_elf_sym.
+       (objdump_print_symname): Don't call bfd_get_symbol_version_string
+       for section symbols.
+
 2017-11-17  Jim Wilson  <jimw@sifive.com>
 
        * readelf.c (elf/riscv.h): Alphabetize include.

diff --git a/binutils/nm.c b/binutils/nm.c
index 5b421785e5e07817bc6806fb239d9fc608987a46..dd49f09696db30c7ac871e7b31abecf1ad194e0e 100644 (file)
--- a/binutils/nm.c
+++ b/binutils/nm.c
@@ -763,7 +763,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms,
       asection *sec;
       bfd_vma sz;
       asymbol *temp;
-      int synthetic = (sym->flags & BSF_SYNTHETIC);
 
       if (from + size < fromend)
        {
@@ -780,10 +779,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms,
       sec = bfd_get_section (sym);
 
       /* Synthetic symbols don't have a full type set of data available, thus
-        we can't rely on that information for the symbol size.  */
-      if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
+        we can't rely on that information for the symbol size.  Ditto for
+        bfd/section.c:global_syms like *ABS*.  */
+      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+         && bfd_get_flavour (abfd) == bfd_target_elf_flavour)
        sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size;
-      else if (!synthetic && bfd_is_com_section (sec))
+      else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+              && bfd_is_com_section (sec))
        sz = sym->value;
       else
        {
@@ -872,8 +874,9 @@ print_symbol (bfd *        abfd,
 
   info.sinfo = &syminfo;
   info.ssize = ssize;
-  /* Synthetic symbols do not have a full symbol type set of data available.  */
-  if ((sym->flags & BSF_SYNTHETIC) != 0)
+  /* Synthetic symbols do not have a full symbol type set of data available.
+     Nor do bfd/section.c:global_syms like *ABS*.  */
+  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0)
     {
       info.elfinfo = NULL;
       info.coffinfo = NULL;
@@ -891,7 +894,7 @@ print_symbol (bfd *        abfd,
       const char *  version_string = NULL;
       bfd_boolean   hidden = FALSE;
 
-      if ((sym->flags & BSF_SYNTHETIC) == 0)
+      if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
        version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
 
       if (bfd_is_und_section (bfd_get_section (sym)))

diff --git a/binutils/objdump.c b/binutils/objdump.c
index 1a1e32f6c5244d4991f4600645dbf48b11ee0eea..40b4acf49fd9531ef1abd1dc9ebb2808ffd2169e 100644 (file)
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const void *bp)
       bfd_vma asz, bsz;
 
       asz = 0;
-      if ((a->flags & BSF_SYNTHETIC) == 0)
+      if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
        asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
       bsz = 0;
-      if ((b->flags & BSF_SYNTHETIC) == 0)
+      if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
        bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
       if (asz != bsz)
        return asz > bsz ? -1 : 1;
@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct disassemble_info *inf,
        name = alloc;
     }
 
-  if ((sym->flags & BSF_SYNTHETIC) == 0)
+  if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
     version_string = bfd_get_symbol_version_string (abfd, sym, &hidden);
 
   if (bfd_is_und_section (bfd_get_section (sym)))