Fix a potential seg-fault in the BFD library when parsing pathalogical debug_info sections. (#1771669)

Fix a potential memory exhaustion in the BFD library when parsing corrupt DWARF debug information. (#1771678)
2019-11-13 12:11:41 +00:00 · 2019-11-13 12:11:41 +00:00 · 2ea649d73a
commit 2ea649d73a
parent 18a3e8b612
3 changed files with 99 additions and 1 deletions
--- a/binutils-CVE-2019-17450.patch
+++ b/binutils-CVE-2019-17450.patch
@ -0,0 +1,62 @@
+--- binutils.orig/bfd/dwarf2.c	2019-11-13 11:49:52.211121564 +0000
+++ binutils-2.33.1/bfd/dwarf2.c	2019-11-13 11:53:26.991423055 +0000
+@@ -2813,8 +2813,8 @@ static bfd_boolean comp_unit_maybe_decod
+ 
+ static bfd_boolean
+ find_abstract_instance (struct comp_unit *   unit,
+-			bfd_byte *           orig_info_ptr,
+ 			struct attribute *   attr_ptr,
+			unsigned int         recur_count,
+ 			const char **        pname,
+ 			bfd_boolean *        is_linkage,
+ 			char **              filename_ptr,
+@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit
+   struct attribute attr;
+   const char *name = NULL;
+ 
+  if (recur_count == 100)
+    {
+      _bfd_error_handler
+       (_("DWARF error: abstract instance recursion detected"));
+      bfd_set_error (bfd_error_bad_value);
+      return FALSE;
+    }
+
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+   if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2962,15 +2970,7 @@ find_abstract_instance (struct comp_unit
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
+-	      /* It doesn't ever make sense for DW_AT_specification to
+-		 refer to the same DIE.  Stop simple recursion.  */
+-	      if (info_ptr == orig_info_ptr)
+-		{
+-		  _bfd_error_handler
+-		    (_("DWARF error: abstract instance recursion detected"));
+-		  bfd_set_error (bfd_error_bad_value);
+-		  return FALSE;
+-		}
+
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+@@ -2984,7 +2984,7 @@ find_abstract_instance (struct comp_unit
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
+		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ 					       &name, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+@@ -3200,7 +3200,7 @@ scan_unit_for_symbols (struct comp_unit
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
+		  if (!find_abstract_instance (unit, &attr, 0,
+ 					       &func->name,
+ 					       &func->is_linkage,
+ 					       &func->file,
--- a/binutils-CVE-2019-17451.patch
+++ b/binutils-CVE-2019-17451.patch
@ -0,0 +1,20 @@
+--- binutils.orig/bfd/dwarf2.c	2019-11-13 11:32:09.395430104 +0000
+++ binutils-2.33.1/bfd/dwarf2.c	2019-11-13 11:33:17.272899503 +0000
+@@ -4440,7 +4440,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd,
+       for (total_size = 0;
+ 	   msec;
+ 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
+-	total_size += msec->size;
+       {
+         /* Catch PR25070 testcase overflowing size calculation here.  */
+         if (total_size + msec->size < total_size
+             || total_size + msec->size < msec->size)
+           {
+             bfd_set_error (bfd_error_no_memory);
+             return FALSE;
+           }
+         total_size += msec->size;
+       }
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
--- a/binutils.spec
+++ b/binutils.spec
@ -2,7 +2,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.33.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils

@ -208,6 +208,16 @@ Patch15: binutils-CVE-2019-1010204.patch
 # Lifetime: Fixed in 2.34 
 Patch16: binutils-improved-note-merging.patch

+# Purpose:  Fix a potential seg-fault in the BFD library when parsing
+#            pathalogical debug_info sections.
+# Lifetime: Fixed in 2.34 
+Patch17: binutils-CVE-2019-17451.patch
+
+# Purpose:  Fix a memory exhaustion bug in the BFD library when parsing
+#            corrupt DWARF debug information.
+# Lifetime: Fixed in 2.34 
+Patch18: binutils-CVE-2019-17450.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -359,6 +369,8 @@ Conflicts: gcc-c++ < 4.0.0
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1

 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@ -765,6 +777,10 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
+* Wed Nov 13 2019 Nick Clifton  <nickc@redhat.com> - 2.33-7
+- Fix a potential seg-fault in the BFD library when parsing pathalogical debug_info sections.  (#1771669)
+- Fix a potential memory exhaustion in the BFD library when parsing corrupt DWARF debug information.  (#1771678)
+
 * Wed Nov 06 2019 Nick Clifton  <nickc@redhat.com> - 2.33-6
 - Stop objcopy from creating null filled note sections when merging notes.