Fix an illegal memory access when parsing a corrupt ELF file.

Resolves: #1950481
2021-04-19 11:24:45 +01:00 · 2021-04-19 11:24:45 +01:00 · 4e164f3ceb
commit 4e164f3ceb
parent 56d95751ec
2 changed files with 61 additions and 1 deletions
--- a/binutils-CVE-2020-35448.patch
+++ b/binutils-CVE-2020-35448.patch
@ -0,0 +1,53 @@
+diff -rup binutils.orig/bfd/elf.c binutils-2.35/bfd/elf.c
+--- binutils.orig/bfd/elf.c	2021-04-19 10:49:21.757290990 +0100
+++ binutils-2.35/bfd/elf.c	2021-04-19 10:50:28.309839285 +0100
+@@ -12534,7 +12534,9 @@ _bfd_elf_slurp_secondary_reloc_section (
+       Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+       if (hdr->sh_type == SHT_SECONDARY_RELOC
+-	  && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
+	  && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
+	  && (hdr->sh_entsize == ebd->s->sizeof_rel
+	      || hdr->sh_entsize == ebd->s->sizeof_rela))
+ 	{
+ 	  bfd_byte * native_relocs;
+ 	  bfd_byte * native_reloc;
+diff -rup binutils.orig/bfd/elfcode.h binutils-2.35/bfd/elfcode.h
+--- binutils.orig/bfd/elfcode.h	2021-04-19 10:49:21.767290922 +0100
+++ binutils-2.35/bfd/elfcode.h	2021-04-19 10:52:22.196066303 +0100
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+   /* If this is a relocatable file and there is no section header
+      table, then we're hosed.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+     goto got_wrong_format_error;
+ 
+   /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+     goto got_wrong_format_error;
+ 
+   /* Further sanity check.  */
+-  if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
+  if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+     goto got_wrong_format_error;
+ 
+   ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+       && ebd->elf_osabi != ELFOSABI_NONE)
+     goto got_wrong_format_error;
+ 
+-  if (i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+ 	}
+     }
+ 
+-  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
+  if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+     {
+       unsigned int num_sec;
+ 
--- a/binutils.spec
+++ b/binutils.spec
@ -2,7 +2,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.35
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils

@ -268,6 +268,10 @@ Patch32: binutils-CVE-2021-20294.patch
 # Lifetime: Fixed in 2.36
 Patch33: binutils-CVE-2021-3487.patch

+# Purpose:  Fix illegal memory access when parsing corrupt ELF files.
+# Lifetime: Fixed in 2.36
+Patch34: binutils-CVE-2020-35448.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -841,6 +845,9 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
+* Mon Apr 19 2021 Nick Clifton  <nickc@redhat.com> - 2.35-21
+- Fix an illegal memory access when parsing a corrupt ELF file.  (#1950481)
+
 * Fri Apr 09 2021 Nick Clifton  <nickc@redhat.com> - 2.35-20
 - Fix excessive memory consumption parsing corrupt DWARF information. (#1947969)