Fix a seg-fault that can occur when parsing corrupt DWARF2 information, corrupt ELF files and corrupt PE files.

Resolves: #1573359 Resolves: #1574700 Resolves: #1573365 Resolves: #1551786 Resolves: #1546624 Resolves: #1543245 Resolves: #1539888
2018-07-11 15:56:52 +01:00 · 2018-07-11 15:56:52 +01:00 · 25d3f6a8bb
parent 0e219f419b
commit 25d3f6a8bb
8 changed files with 214 additions and 2 deletions
--- a/binutils-CVE-2018-10372.patch
+++ b/binutils-CVE-2018-10372.patch
@ -0,0 +1,22 @@
+--- binutils.orig/binutils/dwarf.c	2018-07-11 11:45:09.971024884 +0100
+++ binutils-2.29/binutils/dwarf.c	2018-07-11 14:16:38.417025086 +0100
+@@ -8509,7 +8509,18 @@ process_cu_tu_index (struct dwarf_sectio
+ 		}
+ 
+ 	      if (!do_display)
+-		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
+		{
+		  size_t num_copy = sizeof (uint64_t);
+
+		  /* PR 23064: Beware of buffer overflow.  */
+		  if (ph + num_copy < limit)
+		    memcpy (&this_set[row - 1].signature, ph, num_copy);
+		  else
+		    {
+		      warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
+		      return 0;
+		    }
+		}
+ 
+ 	      prow = poffsets + (row - 1) * ncols * 4;
+ 	      /* PR 17531: file: b8ce60a8.  */
--- a/binutils-CVE-2018-10373.patch
+++ b/binutils-CVE-2018-10373.patch
@ -0,0 +1,11 @@
+--- binutils.orig/bfd/dwarf2.c	2018-07-11 14:28:44.557235916 +0100
+++ binutils-2.29.1/bfd/dwarf2.c	2018-07-11 14:38:37.611875790 +0100
+@@ -1593,7 +1593,7 @@ concat_filename (struct line_info_table
+ {
+   char *filename;
+ 
+-  if (file - 1 >= table->num_files)
+  if (table == NULL || file - 1 >= table->num_files)
+     {
+       /* FILE == 0 means unknown.  */
+       if (file)
--- a/binutils-CVE-2018-10535.patch
+++ b/binutils-CVE-2018-10535.patch
@ -0,0 +1,19 @@
+--- binutils.orig/bfd/peXXigen.c	2018-07-11 14:28:44.937231840 +0100
+++ binutils-2.29.1/bfd/peXXigen.c	2018-07-11 14:29:27.861771394 +0100
+@@ -2992,6 +2992,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common
+ 	      return FALSE;
+ 	    }
+ 
+	  /* PR 23110.  */
+	  else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
+	    {
+	      /* xgettext:c-format */
+	      _bfd_error_handler
+		(_("%pB: Data Directory size (%#lx) is negative"),
+		 obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
+	      return FALSE;
+	    }
+
+           for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
+ 		 / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)
+             {
--- a/binutils-CVE-2018-6323.patch
+++ b/binutils-CVE-2018-6323.patch
@ -0,0 +1,20 @@
+--- binutils.orig/bfd/elfcode.h	2018-07-11 14:28:45.439226455 +0100
+++ binutils-2.29.1/bfd/elfcode.h	2018-07-11 15:23:54.982819379 +0100
+@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd)
+       if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
+ 	goto got_wrong_format_error;
+ #endif
+-      amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
+      amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum;
+       i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
+       if (!i_shdrp)
+ 	goto got_no_match;
+@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd)
+       if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
+ 	goto got_wrong_format_error;
+ #endif
+-      amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
+      amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
+       elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
+       if (elf_tdata (abfd)->phdr == NULL)
+ 	goto got_no_match;
--- a/binutils-CVE-2018-6759.patch
+++ b/binutils-CVE-2018-6759.patch
@ -0,0 +1,68 @@
+--- binutils.orig/bfd/opncls.c	2018-07-11 14:28:44.690234489 +0100
+++ binutils-2.29.1/bfd/opncls.c	2018-07-11 15:14:54.576580916 +0100
+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   bfd_byte *contents;
+   unsigned int crc_offset;
+   char *name;
+  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (crc32_out);
+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   if (sect == NULL)
+     return NULL;
+ 
+  size = bfd_get_section_size (sect);
+
+  /* PR 22794: Make sure that the section has a reasonable size.  */
+  if (size < 8 || size >= bfd_get_size (abfd))
+    return NULL;
+
+   if (!bfd_malloc_and_get_section (abfd, sect, &contents))
+     {
+       if (contents != NULL)
+@@ -1198,9 +1205,9 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   /* CRC value is stored after the filename, aligned up to 4 bytes.  */
+   name = (char *) contents;
+   /* PR 17597: avoid reading off the end of the buffer.  */
+-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+  crc_offset = strnlen (name, size) + 1;
+   crc_offset = (crc_offset + 3) & ~3;
+-  if (crc_offset >= bfd_get_section_size (sect))
+  if (crc_offset >= size)
+     return NULL;
+ 
+   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   bfd_byte *contents;
+   unsigned int buildid_offset;
+   char *name;
+  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (buildid_len);
+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   if (sect == NULL)
+     return NULL;
+ 
+  size = bfd_get_section_size (sect);
+  if (size < 8 || size >= bfd_get_size (abfd))
+    return NULL;
+
+   if (!bfd_malloc_and_get_section (abfd, sect, & contents))
+     {
+       if (contents != NULL)
+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+ 
+   /* BuildID value is stored after the filename.  */
+   name = (char *) contents;
+-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+  buildid_offset = strnlen (name, size) + 1;
+   if (buildid_offset >= bfd_get_section_size (sect))
+     return NULL;
+ 
+-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;
+  *buildid_len = size - buildid_offset;
+   *buildid_out = bfd_malloc (*buildid_len);
+   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
+ 
--- a/binutils-CVE-2018-7208.patch
+++ b/binutils-CVE-2018-7208.patch
@ -0,0 +1,12 @@
+--- binutils.orig/bfd/coffgen.c	2018-07-11 11:45:09.490030070 +0100
+++ binutils-2.29/bfd/coffgen.c	2018-07-11 15:02:48.863331411 +0100
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
+  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
+      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+ 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;
--- a/binutils-CVE-2018-7643.patch
+++ b/binutils-CVE-2018-7643.patch
@ -0,0 +1,16 @@
+--- binutils.orig/binutils/dwarf.c	2018-04-27 09:22:07.402864408 +0100
+++ binutils-2.30/binutils/dwarf.c	2018-04-27 09:24:26.794235786 +0100
+@@ -6810,6 +6810,13 @@ display_debug_ranges (struct dwarf_secti
+ 	  continue;
+ 	}
+ 
+      if (next < section_begin || next >= finish)
+	{
+	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
+		(unsigned long) offset, i);
+	  continue;
+	}
+
+       if (dwarf_check != 0 && i > 0)
+ 	{
+ 	  if (start < next)
--- a/binutils.spec
+++ b/binutils.spec
@ -62,7 +62,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.29.1
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: https://sourceware.org/binutils
@ -211,6 +211,34 @@ Patch22: binutils-CVE-2018-7568.patch
 # Lifetime: Fixed in 2.30.
 Patch23: binutils-CVE-2018-7569.patch

+# Purpose:  Fix a seg-fault induced when parsing corrupt DWARF2 files.
+# Lifetime: Fixed in 2.30.
+Patch24: binutils-CVE-2018-10372.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt PE format files.
+# Lifetime: Fixed in 2.30.
+Patch25: binutils-CVE-2018-10535.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt DWARF2 information.
+# Lifetime: Fixed in 2.31.
+Patch26: binutils-CVE-2018-10373.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.31.
+Patch27: binutils-CVE-2018-7643.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt PE format files.
+# Lifetime: Fixed in 2.31.
+Patch28: binutils-CVE-2018-7208.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.31.
+Patch29: binutils-CVE-2018-7643.patch
+
+# Purpose:  Fix a seg-fault induced when parsing corrupt ELF format files.
+# Lifetime: Fixed in 2.31.
+Patch30: binutils-CVE-2018-6323.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -359,6 +387,13 @@ using libelf instead of BFD.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1

 # We cannot run autotools as there is an exact requirement of autoconf-2.59.

@ -766,7 +801,16 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
-* Wed Jul 11 2018 Nick Clifton  <nickc@redhat.com> 2.29-1-26
+* Wed Jul 11 2018 Nick Clifton  <nickc@redhat.com> 2.29.1-27
+- Fix a seg-fault that can occur when parsing corrupt DWARF2 information.  (#1573359)
+- Fix a seg-fault that can occur when parsing corrupt PE files.  (#1574700)
+- Fix a seg-fault that can occur when parsing corrupt DWARF2 information.  (#1573365)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1551786)
+- Fix a seg-fault that can occur when parsing corrupt PE files.  (#1546624)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1543245)
+- Fix a seg-fault that can occur when parsing corrupt ELF files.  (#1539888)
+
+* Wed Jul 11 2018 Nick Clifton  <nickc@redhat.com> 2.29.1-26
 - Fix a seg-fault that can occur when parsing corrupt DWARF1 information.  (#1551772)
 - Fix a seg-fault that can occur when parsing corrupt DWARF2 information.  (#1551779)