Stop potential illegal memory access when parsing corrupt PE files.

Resolves: #1680682
2019-02-25 17:43:37 +00:00 · 2019-02-25 17:43:37 +00:00 · d003e8dd8a
commit d003e8dd8a
parent 20ffc82c3d
2 changed files with 41 additions and 1 deletions
--- a/binutils-CVE-2019-9074.patch
+++ b/binutils-CVE-2019-9074.patch
@ -0,0 +1,32 @@
+--- binutils.orig/bfd/pei-x86_64.c	2019-02-25 16:12:29.798061414 +0000
+++ binutils-2.31.1/bfd/pei-x86_64.c	2019-02-25 17:09:02.783425236 +0000
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd
+   /* virt_size might be zero for objects.  */
+   if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+     {
+-      stop = (datasize / onaline) * onaline;
+      stop = datasize;
+       virt_size_is_zero = TRUE;
+     }
+   else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd
+ 		 _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ 		 pdata_section->name, (unsigned long) datasize,
+ 		 (unsigned long) stop);
+-	/* Be sure not to read passed datasize.  */
+-	stop = datasize / onaline;
+	/* Be sure not to read past datasize.  */
+	stop = datasize;
+       }
+ 
+   /* Display functions table.  */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd
+ 	      altent += imagebase;
+ 
+ 	      if (altent >= pdata_vma
+-		  && (altent + PDATA_ROW_SIZE <= pdata_vma
+-		      + pei_section_data (abfd, pdata_section)->virt_size))
+		  && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ 		{
+ 		  pex64_get_runtime_function
+ 		    (abfd, &arf, &pdata[altent - pdata_vma]);
--- a/binutils.spec
+++ b/binutils.spec
@ -75,7 +75,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.32
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 URL: https://sourceware.org/binutils

@ -176,6 +176,10 @@ Patch13: binutils-fix-testsuite-failures.patch
 # Lifetime: Fixed in 2.33
 Patch14: binutils-CVE-2019-9073.patch

+# Purpose:  Stop illegal memory access parsing corrupt PE files.
+# Lifetime: Fixed in 2.33
+Patch15: binutils-CVE-2019-9074.patch
+
 #----------------------------------------------------------------------------

 Provides: bundled(libiberty)
@ -308,6 +312,7 @@ using libelf instead of BFD.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1

 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 # FIXME - this is no longer true.  Maybe try reinstating autotool use ?
@ -709,6 +714,9 @@ exit 0

 #----------------------------------------------------------------------------
 %changelog
+* Mon Feb 25 2019 Nick Clifton  <nickc@redhat.com> - 2.32-4
+- Stop potential illegal memory access when parsing corrupt PE files.  (#1680682)
+
 * Mon Feb 25 2019 Nick Clifton  <nickc@redhat.com> - 2.32-3
 - Improve objdump's handling of corrupt input files.  (#1680663)