From bb781d5f31bb95e81306542508f2e2886ebe8dd2 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Fri, 27 Apr 2018 10:05:56 +0100
Subject: [PATCH] Fix for PR 22887 - crashing objdump by passing it a corrupt AOUT binary. (#1553115) Fix for PR 22905 - crashing objdump by passing it a corrupt DWARF file. (#1553122) Fix for PR 22741 - crashing objdump by passing it a corrupt COFF file. (#1571918)
---
binutils-CVE-2018-7208.patch | 12 ++++++++++++
binutils-CVE-2018-7642.patch | 17 +++++++++++++++++
binutils-CVE-2018-7643.patch | 16 ++++++++++++++++
binutils.spec | 25 ++++++++++++++++++++++++-
4 files changed, 69 insertions(+), 1 deletion(-)
create mode 100644 binutils-CVE-2018-7208.patch
create mode 100644 binutils-CVE-2018-7642.patch
create mode 100644 binutils-CVE-2018-7643.patch
diff --git a/binutils-CVE-2018-7208.patch b/binutils-CVE-2018-7208.patch
new file mode 100644
index 0000000..c817edc
--- /dev/null
+++ b/binutils-CVE-2018-7208.patch
@@ -0,0 +1,12 @@
+--- binutils.orig/bfd/coffgen.c 2018-04-27 09:23:33.449859052 +0100
++++ binutils-2.30/bfd/coffgen.c 2018-04-27 09:34:34.530135122 +0100
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+ }
+ /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+ generate one, so we must be careful to ignore it. */
+- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++ < obj_raw_syment_count (abfd))
+ {
+ auxent->u.auxent.x_sym.x_tagndx.p =
+ table_base + auxent->u.auxent.x_sym.x_tagndx.l;
diff --git a/binutils-CVE-2018-7642.patch b/binutils-CVE-2018-7642.patch
new file mode 100644
index 0000000..62178da
--- /dev/null
+++ b/binutils-CVE-2018-7642.patch
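Review bot: The comment kept as context above the changed condition (`/* A negative tagndx is meaningless ... ignore it. */`) no longer describes what the test does: the new form also rejects any tagndx at or beyond `obj_raw_syment_count (abfd)`, which is the corrupt-file case this backport exists for, and it now lets a tagndx of 0 through where the old `> 0` test did not. I'd extend the comment, e.g. `/* A negative tagndx is meaningless (the SCO 3.2v4 cc can generate one) and a corrupt file can supply one beyond the symbol table; both are ignored.  */`, and confirm that admitting index 0 is intended rather than an accidental relaxation. It is also worth noting in the comment that the `(unsigned long)` cast is what folds the negative case into the single range test. coff_pointerize_aux starts and continues outside the hunk.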
@@ -0,0 +1,17 @@
+--- binutils.orig/bfd/aoutx.h 2018-04-26 15:14:18.411450291 +0100
++++ binutils-2.30/bfd/aoutx.h 2018-04-26 17:22:38.328770529 +0100
+@@ -2283,10 +2283,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abf
+ if (r_baserel)
+ r_extern = 1;
+
+- if (r_extern && r_index > symcount)
++ if (r_extern && r_index >= symcount)
+ {
+ /* We could arrange to return an error, but it might be useful
+- to see the file even if it is bad. */
++ to see the file even if it is bad. FIXME: Of course this
++ means that objdump -r *doesn't* see the actual reloc, and
++ objcopy silently writes a different reloc. */
+ r_extern = 0;
+ r_index = N_ABS;
+ }
diff --git a/binutils-CVE-2018-7643.patch b/binutils-CVE-2018-7643.patch
new file mode 100644
index 0000000..6ccf257
--- /dev/null
+++ b/binutils-CVE-2018-7643.patch
@@ -0,0 +1,16 @@
+--- binutils.orig/binutils/dwarf.c 2018-04-27 09:22:07.402864408 +0100
++++ binutils-2.30/binutils/dwarf.c 2018-04-27 09:24:26.794235786 +0100
+@@ -6810,6 +6810,13 @@ display_debug_ranges (struct dwarf_secti
+ continue;
+ }
+
++ if (next < section_begin || next >= finish)
++ {
++ warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
++ (unsigned long) offset, i);
++ continue;
++ }
++
+ if (dwarf_check != 0 && i > 0)
+ {
+ if (start < next)
diff --git a/binutils.spec b/binutils.spec
index b6b1eb1..88587e8 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -65,7 +65,7 @@ Summary: A GNU collection of binary utilities
Name: %{?cross}binutils%{?_with_debug:-debug}
Version: 2.30
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv3+
Group: Development/Tools
URL: https://sourceware.org/binutils
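Review bot: With the corrected bound, an out-of-range `r_index` is still silently rewritten to `N_ABS` with `r_extern = 0`, so a corrupt or tampered relocation is reported nowhere and, as the new FIXME itself admits, objcopy writes a different reloc than it read. Since this is precisely the input the fix is for, I'd at least emit a diagnostic through `_bfd_error_handler` naming the bfd and the offending `r_index` before the rewrite, so an objdump user can tell that the reloc displayed is not the one in the file. The comparison itself is right: `r_index >= symcount` is the correct bound for a 0-based index, assuming `symcount` is the number of entries in the symbol table. The body of swap_std_reloc_in starts and ends outside the hunk.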
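Review bot: The added guard compares `next` against `section_begin` and `finish` only after `next` has been derived from the untrusted `offset` (the derivation is above the hunk, so this is inferred from the warning text); if it is `section_begin + offset`, a large offset yields a pointer outside the section before the comparison runs, which C leaves undefined and an optimiser may reason away, so the guard can be weaker than it looks. I'd check the offset against the section length before forming the pointer, e.g. `if (offset >= (dwarf_vma) (finish - section_begin))` followed by the same `warn` and `continue`, which keeps the test in unsigned integer arithmetic. The `%#8.8lx` / `(unsigned long)` pairing in the message is fine as written. display_debug_ranges continues outside the hunk in both directions.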
@@ -202,6 +202,21 @@ Patch19: binutils-gold-llvm-plugin.patch
# Lifetime: Fixed in 2.31
Patch20: binutils-gas-build-notes.patch
+# Purpose: Fix a CVE triggered by running objdump on a corrupt AOUT
+# format file.
+# Lifetime: Fixed in 2.31
+Patch21: binutils-CVE-2018-7642.patch
+
+# Purpose: Fix a CVE triggered by running objdump on a binary containing
+# corrupt DWARF debug information.
+# Lifetime: Fixed in 2.31
+Patch22: binutils-CVE-2018-7643.patch
+
+# Purpose: Fix a CVE triggered by running objdump on a corrupt COFF
+# format file.
+# Lifetime: Fixed in 2.31
+Patch23: binutils-CVE-2018-7208.patch
+
#----------------------------------------------------------------------------
Provides: bundled(libiberty)
@@ -347,6 +362,9 @@ using libelf instead of BFD.
%patch18 -p1
%patch19 -p1
%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
# We cannot run autotools as there is an exact requirement of autoconf-2.59.
@@ -760,6 +778,11 @@ exit 0
#----------------------------------------------------------------------------
%changelog
+* Fri Apr 27 2018 Nick Clifton 2.30-16
+- Fix for PR 22887 - crashing objdump by passing it a corrupt AOUT binary. (#1553115)
+- Fix for PR 22905 - crashing objdump by passing it a corrupt DWARF file. (#1553122)
+- Fix for PR 22741 - crashing objdump by passing it a corrupt COFF file. (#1571918)
+
* Thu Apr 26 2018 Nick Clifton 2.30-15 - Enhance the assembler to automatically generate annobin notes if none are present in the input.