From 363f8f30d3f72d531653a28d098ae2b9212ec9f6 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Tue, 26 Feb 2019 11:32:46 +0000
Subject: [PATCH] Stop potential illegal memory access when parsing corrupt archives.

Resolves: #1680670
---
binutils-CVE-2019-9075.patch | 73 ++++++++++++++++++++++++++++++++++++
binutils.spec | 11 +++++-
2 files changed, 83 insertions(+), 1 deletion(-)
create mode 100644 binutils-CVE-2019-9075.patch

diff --git a/binutils-CVE-2019-9075.patch b/binutils-CVE-2019-9075.patch
new file mode 100644
index 0000000..ec3e8ca
--- /dev/null
+++ b/binutils-CVE-2019-9075.patch
@@ -0,0 +1,73 @@
+diff -rup binutils.orig/bfd/archive64.c binutils-2.31.1/bfd/archive64.c
+--- binutils.orig/bfd/archive64.c 2019-02-26 11:17:11.882530151 +0000
++++ binutils-2.31.1/bfd/archive64.c 2019-02-26 11:19:18.422488805 +0000
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+ return FALSE;
+ carsyms = ardata->symdefs;
+ stringbase = ((char *) ardata->symdefs) + carsym_size;
+- stringbase[stringsize] = 0;
+- stringend = stringbase + stringsize;
+ 
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+ if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *ab
+ goto release_raw_armap;
+ }
+ 
++ stringend = stringbase + stringsize;
++ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
+ {
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+ carsyms->name = stringbase;
+- if (stringbase < stringend)
+- stringbase += strlen (stringbase) + 1;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ ++carsyms;
+ }
+- *stringbase = '\0';
+ 
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+diff -rup binutils.orig/bfd/archive.c binutils-2.31.1/bfd/archive.c
+--- binutils.orig/bfd/archive.c 2019-02-26 11:17:11.884530134 +0000
++++ binutils-2.31.1/bfd/archive.c 2019-02-26 11:18:33.354859687 +0000
+@@ -1014,6 +1014,7 @@ do_slurp_coff_armap (bfd *abfd)
+ int *raw_armap, *rawptr;
+ struct artdata *ardata = bfd_ardata (abfd);
+ char *stringbase;
++ char *stringend;
+ bfd_size_type stringsize;
+ bfd_size_type parsed_size;
+ carsym *carsyms;
+@@ -1073,22 +1074,20 @@ do_slurp_coff_armap (bfd *abfd)
+ }
+ 
+ /* OK, build the carsyms. */
+- for (i = 0; i < nsymz && stringsize > 0; i++)
++ stringend = stringbase + stringsize;
++ *stringend = 0;
++ for (i = 0; i < nsymz; i++)
+ {
+ bfd_size_type len;
+ 
+ rawptr = raw_armap + i;
+ carsyms->file_offset = swap ((bfd_byte *) rawptr);
+ carsyms->name = stringbase;
+- /* PR 17512: file: 4a1d50c1. 
*/
+- len = strnlen (stringbase, stringsize);
+- if (len < stringsize)
+- len ++;
+- stringbase += len;
+- stringsize -= len;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ carsyms++;
+ }
+- *stringbase = 0;
+ 
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
diff --git a/binutils.spec b/binutils.spec
index 8a3611b..8a30ec0 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -69,7 +69,7 @@ Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.31.1
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
@@ -215,6 +215,10 @@ Patch23: binutils-CVE-2019-9073.patch
 # Lifetime: Fixed in 2.33
 Patch24: binutils-CVE-2019-9074.patch
 
+# Purpose: Stop illegal memory access parsing corrupt archives.
+# Lifetime: Fixed in 2.33
+Patch25: binutils-CVE-2019-9075.patch
+
 #----------------------------------------------------------------------------
 Provides: bundled(libiberty)
@@ -361,6 +365,8 @@ using libelf instead of BFD.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
+%patch25 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
@@ -768,6 +774,9 @@ exit 0
 #----------------------------------------------------------------------------
 %changelog
+* Tue Feb 26 2019 Nick Clifton - 2.31.1-22
+- Stop potential illegal memory access when parsing corrupt archives. (#1680670)
+
 * Mon Feb 25 2019 Nick Clifton - 2.31.1-21
 - Stop potential illegal memory access when parsing corrupt PE files. (#1680682)
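Review bot: In the archive.c hunk of the new patch, `bfd_size_type len;` at the top of the loop body is left in place although its only uses were on the removed `strnlen`/`len ++`/`stringsize -= len` lines, and both braces of that loop body are inside the hunk, so nothing else can reference it; the backport will now trigger -Wunused-variable, and since binutils development builds typically configure with -Werror this may break the build, so the declaration and the blank line after it should go too. Separately, the new `*stringend = 0` in both archive64.c and archive.c writes one byte past the string table, which is only safe if the `ardata->symdefs` allocation (outside these hunks, in both functions) reserved `stringsize + 1` bytes beyond the carsym array — worth confirming against the allocation and recording with a comment such as `/* symdefs has one byte to spare after the string table; terminate it so strlen below cannot run off the end.  */`. The invariant that `stringbase` never passes `stringend` — strlen stops at that terminator, and the increment is skipped exactly there, so any symbols beyond the table get the empty string as their name instead of the old one-past write — is the substance of the CVE-2019-9075 fix and deserves a one-line comment at `if (stringbase != stringend)`. Both `_bfd_archive_64_bit_slurp_armap` and `do_slurp_coff_armap` continue outside the hunks.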
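Review bot: The 2.31.1-22 changelog entry does not mention that `%patch24 -p1` is applied for the first time here: the -361 hunk shows `%patch23 -p1` followed directly by the added line, while `Patch24: binutils-CVE-2019-9074.patch` is already present as context in the -215 hunk, which suggests the previous release declared that patch without applying it (unless it is applied elsewhere in the spec, outside these hunks). For anyone auditing which build actually carries the CVE-2019-9074 fix this matters, so a second changelog line such as `- Apply the CVE-2019-9074 patch, which was declared but not applied in 2.31.1-21.` would make the effective fix version traceable.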