From 4e164f3ceb81e8c70605b9d076dfcf2195b33b54 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Mon, 19 Apr 2021 11:24:45 +0100
Subject: [PATCH] Fix an illegal memory access when parsing a corrupt ELF file.

Resolves: #1950481
---
 binutils-CVE-2020-35448.patch | 53 +++++++++++++++++++++++++++++++++++
 binutils.spec | 9 +++++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 binutils-CVE-2020-35448.patch

diff --git a/binutils-CVE-2020-35448.patch b/binutils-CVE-2020-35448.patch
new file mode 100644
index 0000000..4fab54c
--- /dev/null
+++ b/binutils-CVE-2020-35448.patch
@@ -0,0 +1,53 @@
+diff -rup binutils.orig/bfd/elf.c binutils-2.35/bfd/elf.c
+--- binutils.orig/bfd/elf.c 2021-04-19 10:49:21.757290990 +0100
++++ binutils-2.35/bfd/elf.c 2021-04-19 10:50:28.309839285 +0100
+@@ -12534,7 +12534,9 @@ _bfd_elf_slurp_secondary_reloc_section (
+ Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+ 
+ if (hdr->sh_type == SHT_SECONDARY_RELOC
+- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
++ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
++ && (hdr->sh_entsize == ebd->s->sizeof_rel
++ || hdr->sh_entsize == ebd->s->sizeof_rela))
+ {
+ bfd_byte * native_relocs;
+ bfd_byte * native_reloc;
+diff -rup binutils.orig/bfd/elfcode.h binutils-2.35/bfd/elfcode.h
+--- binutils.orig/bfd/elfcode.h 2021-04-19 10:49:21.767290922 +0100
++++ binutils-2.35/bfd/elfcode.h 2021-04-19 10:52:22.196066303 +0100
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+ 
+ /* If this is a relocatable file and there is no section header
+ table, then we're hosed. */
+- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+ goto got_wrong_format_error;
+ 
+ /* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+ goto got_wrong_format_error;
+ 
+ /* Further sanity check. */
+- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+ goto got_wrong_format_error;
+ 
+ ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+ && ebd->elf_osabi != ELFOSABI_NONE)
+ goto got_wrong_format_error;
+ 
+- if (i_ehdrp->e_shoff != 0)
++ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+ {
+ file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+ 
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+ }
+ }
+ 
+- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
++ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+ {
+ unsigned int num_sec;
+ 
diff --git a/binutils.spec b/binutils.spec
index e46bdcf..c413129 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -2,7 +2,7 @@ Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.35
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils
@@ -268,6 +268,10 @@ Patch32: binutils-CVE-2021-20294.patch
 # Lifetime: Fixed in 2.36
 Patch33: binutils-CVE-2021-3487.patch
+# Purpose: Fix illegal memory access when parsing corrupt ELF files.
+# Lifetime: Fixed in 2.36
+Patch34: binutils-CVE-2020-35448.patch
+
 #----------------------------------------------------------------------------
 Provides: bundled(libiberty)
@@ -841,6 +845,9 @@ exit 0
 #----------------------------------------------------------------------------
 %changelog
+* Mon Apr 19 2021 Nick Clifton - 2.35-21
+- Fix an illegal memory access when parsing a corrupt ELF file. (#1950481)
+
 * Fri Apr 09 2021 Nick Clifton - 2.35-20
 - Fix excessive memory consumption parsing corrupt DWARF information. (#1947969)
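Review bot: The comments above the two rewritten elfcode.h checks are now stale: the condition became `e_shoff < sizeof (x_ehdr)`, which also rejects a non-zero offset that would place the section header table inside the ELF header itself, yet the text still says "there is no section header table" and, at the second site, only "Further sanity check". I would change them to `/* If this is a relocatable file and there is no section header table (or the table would overlap the ELF header itself), then we're hosed.  */` and `/* Further sanity check: a section header table cannot start inside the ELF header.  */` so the next reader sees why the threshold is the header size rather than zero. A non-zero e_shoff below sizeof (x_ehdr) in a non-ET_REL file with e_shnum == 0 passes both checks and is then simply treated as "no section table" by the later `>= sizeof (x_ehdr)` tests; that is memory-safe, but if it is meant to be a format error it should be rejected explicitly rather than silently accepted. In elf.c the new sh_entsize test deserves a line such as `/* Only REL- or RELA-sized entries are acceptable; any other entry size would mis-parse the table below.  */`, and it also rules out a zero entry size, which presumably matters if the entry count is later derived from sh_size (not visible here). Both elf_object_p and _bfd_elf_slurp_secondary_reloc_section start and end outside these hunks.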
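Review bot: The spec hunk declares Patch34 but the commit contains no corresponding `%patch34 -p1` line, and the 8 insertions the diffstat attributes to binutils.spec (61 total minus the 53-line patch file) are all visible here, so nothing in this diff applies the new patch. If %prep applies patches individually rather than through `%autosetup -p1`/`%autopatch` (not visible here), the fix would be declared but never built in; please confirm the %prep section picks Patch34 up. The header comment could also name the CVE so the patch list stays greppable, e.g. `# Purpose: Fix illegal memory access when parsing corrupt ELF files (CVE-2020-35448).`.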