From 41461010eb7c79fee7a9d5f6209accdaac66cc6b Mon Sep 17 00:00:00 2001
From: "H.J. Lu"
Date: Sat, 21 Jun 2025 06:52:00 +0800
Subject: [PATCH] elf: Report corrupted group section
Report corrupted group section instead of trying to recover.
PR binutils/33050
* elf.c (bfd_elf_set_group_contents): Report corrupted group section.
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b]
CVE: CVE-2025-7546
Signed-off-by: H.J. Lu
Signed-off-by: Yash Shinde
---
 bfd/elf.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/bfd/elf.c b/bfd/elf.c
index 14ce15c7254..ee894eb05f2 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -3971,20 +3971,17 @@ bfd_elf_set_group_contents (bfd *abfd, asection *sec, void *failedptrarg)
 break;
 }
- /* We should always get here with loc == sec->contents + 4, but it is
- possible to craft bogus SHT_GROUP sections that will cause segfaults
- in objcopy without checking loc here and in the loop above. */
- if (loc == sec->contents)
- BFD_ASSERT (0);
- else
+ /* We should always get here with loc == sec->contents + 4. Return
+ an error for bogus SHT_GROUP sections. */
+ loc -= 4;
+ if (loc != sec->contents)
 {
- loc -= 4;
- if (loc != sec->contents)
- {
- BFD_ASSERT (0);
- memset (sec->contents + 4, 0, loc - sec->contents);
- loc = sec->contents;
- }
+ /* xgettext:c-format */
+ _bfd_error_handler (_("%pB: corrupted group section: `%pA'"),
+ abfd, sec);
+ bfd_set_error (bfd_error_bad_value);
+ *failedptr = true;
+ return;
 }
 H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc);
--
2.43.5
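Review bot: `loc -= 4;` now runs before the check, so when the loop above stops with `loc == sec->contents` (the case the removed code tested first) the new code forms a pointer four bytes before the start of the buffer, which is undefined in C even though it is only compared and never dereferenced. Comparing first avoids that: use `if (loc - sec->contents != 4)` for the error path and move `loc -= 4;` to just before `H_PUT_32`. This check is only as strong as the loop's own bound test, which lies outside the hunk along with the rest of bfd_elf_set_group_contents and the declaration of `failedptr`, so it is worth confirming that the loop cannot have written below `sec->contents` before this point is reached. The patch touches only bfd/elf.c; a regression test feeding a malformed SHT_GROUP section through this path would keep the CVE-2025-7546 fix from silently regressing.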