rpms
/
binutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix seg-faulta that can occur when parsing corrupt DWARF2 information, corrupt ELF files and corrupt PE files. 

Resolves: #1551779
Resolves: #1573359
Resolves: #1574700
Resolves: #1573365
Resolves: #1551786
Resolves: #1546624
Resolves: #1543245
Resolves: #1539888
This commit is contained in:
Nick Clifton 2018-07-11 15:45:35 +01:00
parent 61a9b29768
commit 9422ba635f
9 changed files with 296 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
binutils-CVE-2018-10372.patch Normal file
View File

@ -0,0 +1,22 @@
--- binutils.orig/binutils/dwarf.c 2018-07-11 11:45:09.971024884 +0100
+++ binutils-2.29/binutils/dwarf.c 2018-07-11 14:16:38.417025086 +0100
@@ -8509,7 +8509,18 @@ process_cu_tu_index (struct dwarf_sectio
}
if (!do_display)
- memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
+ {
+ size_t num_copy = sizeof (uint64_t);
+
+ /* PR 23064: Beware of buffer overflow. */
+ if (ph + num_copy < limit)
+ memcpy (&this_set[row - 1].signature, ph, num_copy);
+ else
+ {
+ warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
+ return 0;
+ }
+ }
prow = poffsets + (row - 1) * ncols * 4;
/* PR 17531: file: b8ce60a8. */

11
binutils-CVE-2018-10373.patch Normal file
View File

@ -0,0 +1,11 @@
--- binutils.orig/bfd/dwarf2.c 2018-07-11 14:28:44.557235916 +0100
+++ binutils-2.29.1/bfd/dwarf2.c 2018-07-11 14:38:37.611875790 +0100
@@ -1593,7 +1593,7 @@ concat_filename (struct line_info_table
{
char *filename;
- if (file - 1 >= table->num_files)
+ if (table == NULL || file - 1 >= table->num_files)
{
/* FILE == 0 means unknown. */
if (file)

19
binutils-CVE-2018-10535.patch Normal file
View File

@ -0,0 +1,19 @@
--- binutils.orig/bfd/peXXigen.c 2018-07-11 14:28:44.937231840 +0100
+++ binutils-2.29.1/bfd/peXXigen.c 2018-07-11 14:29:27.861771394 +0100
@@ -2992,6 +2992,16 @@ _bfd_XX_bfd_copy_private_bfd_data_common
return FALSE;
}
+ /* PR 23110. */
+ else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
+ {
+ /* xgettext:c-format */
+ _bfd_error_handler
+ (_("%pB: Data Directory size (%#lx) is negative"),
+ obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
+ return FALSE;
+ }
+
for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
/ sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)
{

20
binutils-CVE-2018-6323.patch Normal file
View File

@ -0,0 +1,20 @@
--- binutils.orig/bfd/elfcode.h 2018-07-11 14:28:45.439226455 +0100
+++ binutils-2.29.1/bfd/elfcode.h 2018-07-11 15:23:54.982819379 +0100
@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd)
if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
goto got_wrong_format_error;
#endif
- amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
+ amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum;
i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (!i_shdrp)
goto got_no_match;
@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd)
if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
goto got_wrong_format_error;
#endif
- amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
+ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
if (elf_tdata (abfd)->phdr == NULL)
goto got_no_match;

68
binutils-CVE-2018-6759.patch Normal file
View File

@ -0,0 +1,68 @@
--- binutils.orig/bfd/opncls.c 2018-07-11 14:28:44.690234489 +0100
+++ binutils-2.29.1/bfd/opncls.c 2018-07-11 15:14:54.576580916 +0100
@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
bfd_byte *contents;
unsigned int crc_offset;
char *name;
+ bfd_size_type size;
BFD_ASSERT (abfd);
BFD_ASSERT (crc32_out);
@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
if (sect == NULL)
return NULL;
+ size = bfd_get_section_size (sect);
+
+ /* PR 22794: Make sure that the section has a reasonable size. */
+ if (size < 8 || size >= bfd_get_size (abfd))
+ return NULL;
+
if (!bfd_malloc_and_get_section (abfd, sect, &contents))
{
if (contents != NULL)
@@ -1198,9 +1205,9 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
/* CRC value is stored after the filename, aligned up to 4 bytes. */
name = (char *) contents;
/* PR 17597: avoid reading off the end of the buffer. */
- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+ crc_offset = strnlen (name, size) + 1;
crc_offset = (crc_offset + 3) & ~3;
- if (crc_offset >= bfd_get_section_size (sect))
+ if (crc_offset >= size)
return NULL;
*crc32 = bfd_get_32 (abfd, contents + crc_offset);
@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
bfd_byte *contents;
unsigned int buildid_offset;
char *name;
+ bfd_size_type size;
BFD_ASSERT (abfd);
BFD_ASSERT (buildid_len);
@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
if (sect == NULL)
return NULL;
+ size = bfd_get_section_size (sect);
+ if (size < 8 || size >= bfd_get_size (abfd))
+ return NULL;
+
if (!bfd_malloc_and_get_section (abfd, sect, & contents))
{
if (contents != NULL)
@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
/* BuildID value is stored after the filename. */
name = (char *) contents;
- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+ buildid_offset = strnlen (name, size) + 1;
if (buildid_offset >= bfd_get_section_size (sect))
return NULL;
- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
+ *buildid_len = size - buildid_offset;
*buildid_out = bfd_malloc (*buildid_len);
memcpy (*buildid_out, contents + buildid_offset, *buildid_len);

12
binutils-CVE-2018-7208.patch Normal file
View File

@ -0,0 +1,12 @@
--- binutils.orig/bfd/coffgen.c 2018-07-11 11:45:09.490030070 +0100
+++ binutils-2.29/bfd/coffgen.c 2018-07-11 15:02:48.863331411 +0100
@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
}
/* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
generate one, so we must be careful to ignore it. */
- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
+ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
+ < obj_raw_syment_count (abfd))
{
auxent->u.auxent.x_sym.x_tagndx.p =
table_base + auxent->u.auxent.x_sym.x_tagndx.l;

75
binutils-CVE-2018-7569.patch Normal file
View File

@ -0,0 +1,75 @@
--- binutils.orig/bfd/dwarf2.c 2018-07-11 11:45:09.491030059 +0100
+++ binutils-2.29/bfd/dwarf2.c 2018-07-11 12:16:12.975943400 +0100
@@ -626,14 +626,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
}
static bfd_byte *
-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
- bfd_byte *buf,
- bfd_byte *end,
- unsigned int size ATTRIBUTE_UNUSED)
-{
- if (buf + size > end)
- return NULL;
- return buf;
+read_n_bytes (bfd_byte * buf,
+ bfd_byte * end,
+ struct dwarf_block * block)
+{
+ unsigned int size = block->size;
+ bfd_byte * block_end = buf + size;
+
+ if (block_end > end || block_end < buf)
+ {
+ block->data = NULL;
+ block->size = 0;
+ return end;
+ }
+ else
+ {
+ block->data = buf;
+ return block_end;
+ }
}
/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
@@ -1131,8 +1141,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 2;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block4:
@@ -1142,8 +1151,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 4;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data2:
@@ -1183,8 +1191,7 @@ read_attribute_value (struct attribute *
blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
FALSE, info_ptr_end);
info_ptr += bytes_read;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block1:
@@ -1194,8 +1201,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
info_ptr += 1;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data1:

16
binutils-CVE-2018-7643.patch Normal file
View File

@ -0,0 +1,16 @@
--- binutils.orig/binutils/dwarf.c 2018-04-27 09:22:07.402864408 +0100
+++ binutils-2.30/binutils/dwarf.c 2018-04-27 09:24:26.794235786 +0100
@@ -6810,6 +6810,13 @@ display_debug_ranges (struct dwarf_secti
continue;
}
+ if (next < section_begin || next >= finish)
+ {
+ warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
+ (unsigned long) offset, i);
+ continue;
+ }
+
if (dwarf_check != 0 && i > 0)
{
if (start < next)

56
binutils.spec
View File

@ -54,7 +54,7 @@
Summary: A GNU collection of binary utilities
Name: %{?cross}binutils%{?_with_debug:-debug}
Version: 2.29
Release: 16%{?dist}
Release: 17%{?dist}
License: GPLv3+
Group: Development/Tools
URL: http://sources.redhat.com/binutils
@ -176,10 +176,42 @@ Patch18: binutils-CVE-2017-12967.patch
# Lifetime: Fixed in 2.29.1.
Patch19: binutils-CVE-2017-12799.patch
# Purpose: Fix a seg-fault induced when parsing corrupt DWARF files.
# Purpose: Fix a seg-fault induced when parsing corrupt DWARF1 files.
# Lifetime: Fixed in 2.30.
Patch20: binutils-CVE-2018-7568.patch
# Purpose: Fix a seg-fault induced when parsing corrupt DWARF2 files.
# Lifetime: Fixed in 2.30.
Patch21: binutils-CVE-2018-7569.patch
# Purpose: Fix a seg-fault induced when parsing corrupt DWARF2 files.
# Lifetime: Fixed in 2.30.
Patch22: binutils-CVE-2018-10372.patch
# Purpose: Fix a seg-fault induced when parsing corrupt PE format files.
# Lifetime: Fixed in 2.30.
Patch23: binutils-CVE-2018-10535.patch
# Purpose: Fix a seg-fault induced when parsing corrupt DWARF2 information.
# Lifetime: Fixed in 2.31.
Patch24: binutils-CVE-2018-10373.patch
# Purpose: Fix a seg-fault induced when parsing corrupt ELF format files.
# Lifetime: Fixed in 2.31.
Patch25: binutils-CVE-2018-7643.patch
# Purpose: Fix a seg-fault induced when parsing corrupt PE format files.
# Lifetime: Fixed in 2.31.
Patch26: binutils-CVE-2018-7208.patch
# Purpose: Fix a seg-fault induced when parsing corrupt ELF format files.
# Lifetime: Fixed in 2.31.
Patch27: binutils-CVE-2018-7643.patch
# Purpose: Fix a seg-fault induced when parsing corrupt ELF format files.
# Lifetime: Fixed in 2.31.
Patch28: binutils-CVE-2018-6323.patch
#----------------------------------------------------------------------------
Provides: bundled(libiberty)
@ -322,6 +354,14 @@ using libelf instead of BFD.
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
# We cannot run autotools as there is an exact requirement of autoconf-2.59.
@ -730,8 +770,18 @@ exit 0
#----------------------------------------------------------------------------
%changelog
* Wed Jul 11 2018 Nick Clifton <nickc@redhat.com> 2.29-17
- Fix a seg-fault that can occur when parsing corrupt DWARF2 information. (#1551779)
- Fix a seg-fault that can occur when parsing corrupt DWARF2 information. (#1573359)
- Fix a seg-fault that can occur when parsing corrupt PE files. (#1574700)
- Fix a seg-fault that can occur when parsing corrupt DWARF2 information. (#1573365)
- Fix a seg-fault that can occur when parsing corrupt ELF files. (#1551786)
- Fix a seg-fault that can occur when parsing corrupt PE files. (#1546624)
- Fix a seg-fault that can occur when parsing corrupt ELF files. (#1543245)
- Fix a seg-fault that can occur when parsing corrupt ELF files. (#1539888)
* Wed Jul 11 2018 Nick Clifton <nickc@redhat.com> 2.29-16
- Fix a seg-fault that can occur when parsing corrupt DWARF information. (#1551772)
- Fix a seg-fault that can occur when parsing corrupt DWARF1 information. (#1551772)
* Thu May 31 2018 Nick Clifton <nickc@redhat.com> 2.29-15
- Fix a seg-fault that can occur when parsing corrupt x86 binaries. (#1487762)