I ran across this:

  $ readelf -h /usr/local/bin/w3m
  ...
  readelf(71968) in free(): bogus pointer (double free?) 0x1
  Abort trap (core dumped)

In readelf.c there's a static array:

  static bfd_vma dynamic_info[DT_JMPREL + 1];

Later this array is written to like this:

  switch (entry->d_tag)
    {
      ...
      case DT_TEXTREL :
      case DT_JMPREL  :
      case DT_RUNPATH :
        dynamic_info[entry->d_tag] = entry->d_un.d_val;
        ...

Alas, DT_RUNPATH > DT_JMPREL, so we have an out-of-bounds write
that splats somewhere into memory.  In my case it mangled an unrelated
pointer.

I checked that DT_RUNPATH is the numerically highest value used to
index dynamic_info[], so let's size the array appropriately.

OK?

Index: gnu/usr.bin/binutils/binutils/readelf.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/binutils/binutils/readelf.c,v
retrieving revision 1.11
diff -u -p -r1.11 readelf.c
--- gnu/usr.bin/binutils/binutils/readelf.c     31 Aug 2014 13:40:02 -0000      
1.11
+++ gnu/usr.bin/binutils/binutils/readelf.c     23 Oct 2018 21:30:49 -0000
@@ -129,7 +129,7 @@ Elf_Internal_Syminfo *dynamic_syminfo;
 unsigned long dynamic_syminfo_offset;
 unsigned int dynamic_syminfo_nent;
 char program_interpreter[64];
-bfd_vma dynamic_info[DT_JMPREL + 1];
+bfd_vma dynamic_info[DT_RUNPATH + 1];
 bfd_vma version_info[16];
 Elf_Internal_Ehdr elf_header;
 Elf_Internal_Shdr *section_headers;
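Review bot: The new bound on the `+` line rests on a by-hand audit of which `case DT_*` labels write `dynamic_info[entry->d_tag]`, and nothing at the declaration records that invariant, so the next case added to that switch (which lies outside this hunk) can reintroduce the same out-of-bounds write. The overflow here is reachable because the index is the raw tag value and the array is sized from a different constant, not because the ELF file can choose an arbitrary index; it still deserves to be made explicit. A comment on the declaration such as `/* Indexed by d_tag: must be at least one larger than the highest DT_* tag stored here (currently DT_RUNPATH). */` and a guard at the write, `if ((size_t) entry->d_tag < sizeof dynamic_info / sizeof dynamic_info[0])`, would keep the bound self-documenting and cheap to check. The same point applies to the second hunk, in gnu/usr.bin/binutils-2.17/binutils/readelf.c.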
Index: gnu/usr.bin/binutils-2.17/binutils/readelf.c
===================================================================
RCS file: /cvs/src/gnu/usr.bin/binutils-2.17/binutils/readelf.c,v
retrieving revision 1.15
diff -u -p -r1.15 readelf.c
--- gnu/usr.bin/binutils-2.17/binutils/readelf.c        23 Oct 2017 05:26:58 
-0000      1.15
+++ gnu/usr.bin/binutils-2.17/binutils/readelf.c        23 Oct 2018 21:25:53 
-0000
@@ -136,7 +136,7 @@ static Elf_Internal_Syminfo *dynamic_sym
 static unsigned long dynamic_syminfo_offset;
 static unsigned int dynamic_syminfo_nent;
 static char program_interpreter[64];
-static bfd_vma dynamic_info[DT_JMPREL + 1];
+static bfd_vma dynamic_info[DT_RUNPATH + 1];
 static bfd_vma version_info[16];
 static Elf_Internal_Ehdr elf_header;
 static Elf_Internal_Shdr *section_headers;
-- 
Christian "naddy" Weisgerber                          [email protected]
