From 20b09dd8e92b7138373a05f648284701889373ef Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 3 Jan 2019 14:54:11 +0000
Subject: [PATCH] Fix a memory leak reading minisymbols.

Resolves: #1661535
---
 binutils-CVE-2018-20002.patch | 56 +++++++++++++++++++++++++++++++++++
 binutils.spec | 12 ++++++--
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 binutils-CVE-2018-20002.patch

diff --git a/binutils-CVE-2018-20002.patch b/binutils-CVE-2018-20002.patch
new file mode 100644
index 0000000..69057c7
--- /dev/null
+++ b/binutils-CVE-2018-20002.patch
@@ -0,0 +1,56 @@
+diff -rup binutils.ori/bfd/syms.c binutils-2.31.1/bfd/syms.c
+--- binutils.ori/bfd/syms.c 2019-01-03 13:51:05.784005438 +0000
++++ binutils-2.31.1/bfd/syms.c 2019-01-03 13:53:43.238815129 +0000
+@@ -822,10 +822,18 @@ _bfd_generic_read_minisymbols (bfd *abfd
+ if (symcount < 0)
+ goto error_return;
+
+- *minisymsp = syms;
+- *sizep = sizeof (asymbol *);
++ if (symcount == 0)
++ /* We return 0 above when storage is 0. Exit in the same state
++ here, so as to not complicate callers with having to deal with
++ freeing memory for zero symcount. */
++ free (syms);
++ else
++ {
++ *minisymsp = syms;
++ *sizep = sizeof (asymbol *);
++ }
+
+- return symcount;
++ return symcount;
+
+ error_return:
+ bfd_set_error (bfd_error_no_symbols);
+diff -rup binutils.ori/binutils/nm.c binutils-2.31.1/binutils/nm.c
+--- binutils.ori/binutils/nm.c 2019-01-03 13:51:06.337001258 +0000
++++ binutils-2.31.1/binutils/nm.c 2019-01-03 13:52:37.542311774 +0000
+@@ -1162,13 +1162,11 @@ display_rel_file (bfd *abfd, bfd *archiv
+ if (synth_count > 0)
+ {
+ asymbol **symp;
+- void *new_mini;
+ long i;
+
+- new_mini = xmalloc ((symcount + synth_count + 1) * sizeof (*symp));
+- symp = (asymbol **) new_mini;
+- memcpy (symp, minisyms, symcount * sizeof (*symp));
+- symp += symcount;
++ minisyms = xrealloc (minisyms,
++ (symcount + synth_count + 1) * sizeof (*symp));
++ symp = (asymbol **) minisyms + symcount;
+ for (i = 0; i < synth_count; i++)
+ *symp++ = synthsyms + i;
+ *symp = 0;
+diff -rup binutils.orig/binutils/nm.c binutils-2.31.1/binutils/nm.c
+--- binutils.orig/binutils/nm.c 2019-01-03 14:18:21.086458519 +0000
++++ binutils-2.31.1/binutils/nm.c 2019-01-03 14:18:23.642438853 +0000
+@@ -1170,7 +1170,6 @@ display_rel_file (bfd *abfd, bfd *archiv
+ for (i = 0; i < synth_count; i++)
+ *symp++ = synthsyms + i;
+ *symp = 0;
+- minisyms = new_mini;
+ symcount += synth_count;
+ }
+ }
diff --git a/binutils.spec b/binutils.spec
index f1ab6a0..01eb8ac 100644
--- a/binutils.spec
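Review bot: The new patch file's second `diff -rup` section for binutils/nm.c (`@@ -1170,7 +1170,6 @@`) is numbered against a tree that already has the first nm.c section applied — it places the `for` loop at line 1170 where the first section (`@@ -1162,13 +1162,11 @@`) has it at 1172 — so the file is two dependent diffs against the same function rather than one, and the first section alone removes `void *new_mini;` while leaving `minisyms = new_mini;` in place. Folding the `- minisyms = new_mini;` removal into the first section as a single hunk, roughly `@@ -1162,17 +1162,14 @@`, keeps the backport self-consistent and independent of how `patch` resolves the second section's context on future rebases. The `- return symcount;` / `+ return symcount;` pair in the syms.c section appears to be a whitespace-only change and could be dropped to keep a security backport minimal. Both `_bfd_generic_read_minisymbols` and `display_rel_file` continue outside the quoted hunks.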
+++ b/binutils.spec @@ -69,7 +69,7 @@ Summary: A GNU collection of binary utilities Name: %{?cross}binutils%{?_with_debug:-debug} Version: 2.31.1 -Release: 15%{?dist} +Release: 16%{?dist} License: GPLv3+ URL: https://sourceware.org/binutils @@ -191,6 +191,10 @@ Patch17: binutils-delay-ld-script-constant-eval.patch # Lifetime: Fixed in 2.32 Patch18: binutils-gold-discard-version-info.patch +# Purpose: Fix a memory leak reading minisymbols. +# Lifetime: Fixed in 2.32 +Patch19: binutils-CVE-2018-20002.patch + #---------------------------------------------------------------------------- Provides: bundled(libiberty) @@ -332,6 +336,7 @@ using libelf instead of BFD. %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 # We cannot run autotools as there is an exact requirement of autoconf-2.59. @@ -480,7 +485,7 @@ export LDFLAGS=$RPM_LD_FLAGS %make_build %{_smp_mflags} tooldir=%{_prefix} MAKEINFO=true all %endif -# Do not use %%check as it is run after %%install where libbfd.so is rebuild +# Do not use %%check as it is run after %%install where libbfd.so is rebuilt # with -fvisibility=hidden no longer being usable in its shared form. %if %{without testsuite} echo ====================TESTSUITE DISABLED========================= @@ -739,6 +744,9 @@ exit 0 #---------------------------------------------------------------------------- %changelog +* Thu Jan 03 2019 Nick Clifton - 2.31.1-16 +- Fix a memory leak reading minisymbols. (#1661535) + * Wed Nov 28 2018 Nick Clifton - 2.31.1-15 - Stop gold from warning about discard version information unless explicitly requested. (#1654153)