From 2f7426b9bb2d2450b32cad3d79fab9abe3ec42bb Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Sun, 4 Dec 2022 22:15:40 +1030
Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols
Fixes a fuzzed object file problem where plt relocs were manipulated in such a way that two synthetic symbols were generated at the same plt location. Won't occur in real object files.
PR 29846
PR 20337
* objdump.c (compare_symbols): Test symbol flags to exclude section and synthetic symbols before attempting to check flavour.
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386]
CVE: CVE-2022-47695
Signed-off-by: Chaitanya Vadrevu
---
 binutils/objdump.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/binutils/objdump.c b/binutils/objdump.c
index 08a0fe521d8..21f75f4db40 100644
--- a/binutils/objdump.c
+++ b/binutils/objdump.c
@@ -1165,20 +1165,17 @@ compare_symbols (const void *ap, const void *bp)
 return 1;
 }

- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour
+ /* Sort larger size ELF symbols before smaller. See PR20337. */
+ bfd_vma asz = 0;
+ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
+ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour)
+ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
+ bfd_vma bsz = 0;
+ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0
 && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour)
- {
- bfd_vma asz, bsz;
-
- asz = 0;
- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size;
- bsz = 0;
- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0)
- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
- if (asz != bsz)
- return asz > bsz ? -1 : 1;
- }
+ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size;
+ if (asz != bsz)
+ return asz > bsz ? -1 : 1;

 /* Symbols that start with '.' might be section names, so sort them
 after symbols that don't start with '.'. */
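Review bot: The casts `(elf_symbol_type *) a` and `(elf_symbol_type *) b` on the two new `st_size` lines are only safe because of an invariant the new comment does not state: a symbol that belongs to an ELF-flavoured BFD is backed by an `elf_symbol_type` unless it is a section symbol or a synthetic one, and the commit message shows that a synthetic symbol is not, which is exactly why the flag test must now run before the flavour test and the cast rather than after it. I would record that in the comment so the ordering is not "simplified" back later, e.g. `/* Sort larger size ELF symbols before smaller.  See PR20337.  Section and synthetic symbols are not elf_symbol_type, so test the flags before the flavour and the cast (PR29846).  */`. Note also that the two tests are now evaluated independently per symbol: the removed lines only compared sizes when both symbols were ELF, while the new code compares a real size against 0 for a mixed pair; I believe objdump sorts the symbols of one BFD at a time so this cannot arise, but it is worth confirming since it changes sort order rather than just avoiding the crash. compare_symbols begins before and continues after this hunk.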