From 42246e47a2abde81762fd5fd5590c3a467a3d36c Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Thu, 17 May 2018 14:40:13 +0100
Subject: [PATCH] Fix a seg-fault parsing PE format binaries.

Resolves: #1560829
---
 binutils-CVE-2018-8945.patch | 29 +++++++++++++++++++++++++++++
 binutils.spec | 13 +++++++++++--
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 binutils-CVE-2018-8945.patch

diff --git a/binutils-CVE-2018-8945.patch b/binutils-CVE-2018-8945.patch
new file mode 100644
index 0000000..33ec9f5
--- /dev/null
+++ b/binutils-CVE-2018-8945.patch
@@ -0,0 +1,29 @@
+diff -rup binutils.orig/bfd/elf-attrs.c binutils-2.30/bfd/elf-attrs.c
+--- binutils.orig/bfd/elf-attrs.c 2018-05-17 14:14:04.341805666 +0100
++++ binutils-2.30/bfd/elf-attrs.c 2018-05-17 14:15:19.729952453 +0100
+@@ -438,6 +438,14 @@ _bfd_elf_parse_attributes (bfd *abfd, El
+ /* PR 17512: file: 2844a11d. */
+ if (hdr->sh_size == 0)
+ return;
++ if (hdr->sh_size > bfd_get_file_size (abfd))
++ {
++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
++ abfd, hdr->bfd_section, (long long) hdr->sh_size);
++ bfd_set_error (bfd_error_invalid_operation);
++ return;
++ }
++
+ contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+ if (!contents)
+ return;
+diff -rup binutils.orig/bfd/elf.c binutils-2.30/bfd/elf.c
+--- binutils.orig/bfd/elf.c 2018-05-17 14:14:04.326805836 +0100
++++ binutils-2.30/bfd/elf.c 2018-05-17 14:15:59.412503342 +0100
+@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+ /* Allocate and clear an extra byte at the end, to prevent crashes
+ in case the string table is not terminated. */
+ if (shstrtabsize + 1 <= 1
++ || shstrtabsize > bfd_get_file_size (abfd)
+ || bfd_seek (abfd, offset, SEEK_SET) != 0
+ || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+ shstrtab = NULL;
diff --git a/binutils.spec b/binutils.spec
index 77c848f..53215eb 100644
--- a/binutils.spec
+++ b/binutils.spec
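Review bot: The new guard in the elf-attrs.c hunk compares only `hdr->sh_size` with `bfd_get_file_size (abfd)`, so it bounds the `bfd_malloc` request but does not show that the section lies inside the file: a section whose size fits but whose offset places its end past EOF still passes and has to be rejected by the read that follows after the hunk, which is not visible here. The same holds for the `shstrtabsize` check in the elf.c hunk, and the two hunks handle the failure differently: elf-attrs.c reports an error and sets `bfd_error_invalid_operation`, while the visible elf.c lines only leave `shstrtab` NULL. A one-line comment on each new condition would make the intent clear, e.g. `/* A section larger than the whole file is corrupt; refuse it before sizing an allocation from it.  */`. What `bfd_get_file_size` returns for archive members or non-file BFDs is not shown, so whether the comparison can be too strict for those cases should be confirmed. Both `_bfd_elf_parse_attributes` and `bfd_elf_get_str_section` start and end outside their hunks.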
@@ -69,7 +69,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.30
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: https://sourceware.org/binutils
@@ -275,6 +275,11 @@ Patch33: binutils-x86-local-relocs.patch
 # Lifetime: Fixed in 2.31
 Patch34: binutils-linkonce-notes.patch
 
+# Purpose: Fix a seg-fault triggered by running objcopy on a corrupt
+# PE format file.
+# Lifetime: Fixed in 2.31
+Patch35: binutils-CVE-2018-8945.patch
+
 #----------------------------------------------------------------------------
 
 Provides: bundled(libiberty)
@@ -434,6 +439,7 @@ using libelf instead of BFD.
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 
@@ -847,6 +853,9 @@ exit 0
 #----------------------------------------------------------------------------
 %changelog
+* Thu May 17 2018 Nick Clifton 2.30-21
+- Fix a seg-fault parsing PE format binaries. (#1560829)
+
 * Mon May 14 2018 Nick Clifton 2.30-20
 - Have the x86 linker resolve relocations against the _end, _edata and __bss_start symbols locally. (#1576735)
 - Do not generate GNU build notes for linkonce sections. (#1576362)
@@ -883,7 +892,7 @@ exit 0
 * Fri Mar 09 2018 Nick Clifton 2.30-12
 - Treat relocs against s390x IFUNC symbols in note sections as relocs against the FUNC symbol instead.
-- Combined previous patches into one which covers all ifunc supporting architectures.
+- Combined previous patches into one which covers all ifunc supporting architectures. (#1553705)
 - Retire binutils-s390-ifunc-relocs-in-notes.patch
 - Retire binutils-x86_64-ifunc-relocs-in-notes.patch
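Review bot: The `# Purpose:` comment added for Patch35 and the new changelog entry describe a crash on a corrupt PE format file, but the patch they introduce touches `bfd/elf-attrs.c` and `bfd/elf.c`, the ELF attribute-section and section-header string-table parsers. If the reproducer really was a PE file the comment should say why ELF code is the fix; otherwise rewording it to `# Purpose: Fix a seg-fault triggered by running objcopy on a corrupt ELF file (CVE-2018-8945).` lets the next maintainer match the patch to the code it changes. The Release bump, the `%patch35 -p1` line and the changelog hunks raise nothing further.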