Fix buffer overrun in ihex parser.

Fix memory corruption in previous patch.
Consolidate corrupt-handling patches into just one patch.
Default strings command to using -a.
Nick Clifton 2014-10-31 12:17:36 +00:00
parent c6c4136c20
commit f396ddc9f7
6 changed files with 554 additions and 287 deletions


@ -1,8 +1,92 @@
diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*** ../binutils-2.24.orig/bfd/elf.c 2014-10-28 09:39:29.505064397 +0000
--- bfd/elf.c 2014-10-28 09:45:17.973958424 +0000
diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*** ../binutils-2.24.orig/bfd/elf.c 2014-10-31 11:50:20.132220820 +0000
--- bfd/elf.c 2014-10-31 11:53:23.669281197 +0000
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 608,616 ****
if (shdr->contents == NULL)
{
_bfd_error_handler
! (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value);
! return FALSE;
}
memset (shdr->contents, 0, amt);
--- 608,617 ----
if (shdr->contents == NULL)
{
_bfd_error_handler
! (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value);
! -- num_group;
! continue;
}
memset (shdr->contents, 0, amt);
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 618,625 ****
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size))
! return FALSE;
!
/* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order,
to the flag word followed by an array of elf section
--- 619,635 ----
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size))
! {
! _bfd_error_handler
! (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
! bfd_set_error (bfd_error_bad_value);
! -- num_group;
! /* PR 17510: If the group contents are even partially
! corrupt, do not allow any of the contents to be used. */
! memset (shdr->contents, 0, amt);
! continue;
! }
!
/* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order,
to the flag word followed by an array of elf section
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 651,656 ****
--- 661,681 ----
}
}
}
+
+ /* PR 17510: Corrupt binaries might contain invalid groups. */
+ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
+ {
+ elf_tdata (abfd)->num_group = num_group;
+
+ /* If all groups are invalid then fail. */
+ if (num_group == 0)
+ {
+ elf_tdata (abfd)->group_sect_ptr = NULL;
+ elf_tdata (abfd)->num_group = num_group = -1;
+ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
+ bfd_set_error (bfd_error_bad_value);
+ }
+ }
}
}
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 716,721 ****
--- 741,747 ----
{
(*_bfd_error_handler) (_("%B: no group info for section %A"),
abfd, newsect);
+ return FALSE;
}
return TRUE;
}
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1582,1619 ****
*** 1556,1593 ****
Elf_Internal_Ehdr *ehdr;
const struct elf_backend_data *bed;
const char *name;
@ -41,12 +125,13 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->sh_link > elf_numsections (abfd))
{
/* PR 10478: Accept Solaris binaries with a sh_link
--- 1582,1648 ----
--- 1582,1655 ----
Elf_Internal_Ehdr *ehdr;
const struct elf_backend_data *bed;
const char *name;
+ bfd_boolean ret = TRUE;
+ static bfd_boolean * sections_being_created = NULL;
+ static bfd * sections_being_created_abfd = NULL;
+ static unsigned int nesting = 0;
if (shindex >= elf_numsections (abfd))
@ -59,13 +144,19 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
+ loop. Detect this here, by refusing to load a section that we are
+ already in the process of loading. We only trigger this test if
+ we have nested at least three sections deep as normal ELF binaries
+ can expect to recurse at least once. */
+ can expect to recurse at least once.
+
+ FIXME: It would be better if this array was attached to the bfd,
+ rather than being held in a static pointer. */
+
+ if (sections_being_created_abfd != abfd)
+ sections_being_created = NULL;
+ if (sections_being_created == NULL)
+ {
+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
+ sections_being_created = (bfd_boolean *)
+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
+ sections_being_created_abfd = abfd;
+ }
+ if (sections_being_created [shindex])
+ {
@ -110,7 +201,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
/* PR 10478: Accept Solaris binaries with a sh_link
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1627,1637 ****
*** 1601,1611 ****
break;
/* Otherwise fall through. */
default:
@ -122,7 +213,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
{
Elf_Internal_Shdr *dynsymhdr;
--- 1656,1666 ----
--- 1663,1673 ----
break;
/* Otherwise fall through. */
default:
@ -135,7 +226,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
Elf_Internal_Shdr *dynsymhdr;
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1660,1683 ****
*** 1634,1657 ****
}
}
}
@ -160,7 +251,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
BFD_ASSERT (elf_onesymtab (abfd) == 0);
elf_onesymtab (abfd) = shindex;
elf_tdata (abfd)->symtab_hdr = *hdr;
--- 1689,1714 ----
--- 1696,1721 ----
}
}
}
@ -188,7 +279,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
elf_onesymtab (abfd) = shindex;
elf_tdata (abfd)->symtab_hdr = *hdr;
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1694,1700 ****
*** 1668,1674 ****
&& (abfd->flags & DYNAMIC) != 0
&& ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
shindex))
@ -196,7 +287,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
can't read symbols without that section loaded as well. It
--- 1725,1731 ----
--- 1732,1738 ----
&& (abfd->flags & DYNAMIC) != 0
&& ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
shindex))
@ -205,7 +296,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
can't read symbols without that section loaded as well. It
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1720,1745 ****
*** 1694,1719 ****
break;
}
if (i != shindex)
@ -232,7 +323,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
BFD_ASSERT (elf_dynsymtab (abfd) == 0);
elf_dynsymtab (abfd) = shindex;
elf_tdata (abfd)->dynsymtab_hdr = *hdr;
--- 1751,1779 ----
--- 1758,1786 ----
break;
}
if (i != shindex)
@ -263,7 +354,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
elf_dynsymtab (abfd) = shindex;
elf_tdata (abfd)->dynsymtab_hdr = *hdr;
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1748,1781 ****
*** 1722,1755 ****
/* Besides being a symbol table, we also treat this as a regular
section, so that objcopy can handle it. */
@ -298,7 +389,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex)
{
dynsymtab_strtab:
--- 1782,1819 ----
--- 1789,1826 ----
/* Besides being a symbol table, we also treat this as a regular
section, so that objcopy can handle it. */
@ -338,7 +429,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
dynsymtab_strtab:
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1784,1791 ****
*** 1758,1765 ****
elf_elfsections (abfd)[shindex] = hdr;
/* We also treat this as a regular section, so that objcopy
can handle it. */
@ -347,7 +438,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
/* If the string table isn't one of the above, then treat it as a
--- 1822,1830 ----
--- 1829,1837 ----
elf_elfsections (abfd)[shindex] = hdr;
/* We also treat this as a regular section, so that objcopy
can handle it. */
@ -358,7 +449,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* If the string table isn't one of the above, then treat it as a
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1803,1811 ****
*** 1777,1785 ****
{
/* Prevent endless recursion on broken objects. */
if (i == shindex)
@ -368,7 +459,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (elf_onesymtab (abfd) == i)
goto symtab_strtab;
if (elf_dynsymtab (abfd) == i)
--- 1842,1850 ----
--- 1849,1857 ----
{
/* Prevent endless recursion on broken objects. */
if (i == shindex)
@ -379,7 +470,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
goto symtab_strtab;
if (elf_dynsymtab (abfd) == i)
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1813,1819 ****
*** 1787,1793 ****
}
}
}
@ -387,7 +478,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
case SHT_REL:
case SHT_RELA:
--- 1852,1859 ----
--- 1859,1866 ----
}
}
}
@ -397,7 +488,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
case SHT_REL:
case SHT_RELA:
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1828,1834 ****
*** 1802,1808 ****
if (hdr->sh_entsize
!= (bfd_size_type) (hdr->sh_type == SHT_REL
? bed->s->sizeof_rel : bed->s->sizeof_rela))
@ -405,7 +496,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Check for a bogus link to avoid crashing. */
if (hdr->sh_link >= num_sec)
--- 1868,1874 ----
--- 1875,1881 ----
if (hdr->sh_entsize
!= (bfd_size_type) (hdr->sh_type == SHT_REL
? bed->s->sizeof_rel : bed->s->sizeof_rela))
@ -414,7 +505,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Check for a bogus link to avoid crashing. */
if (hdr->sh_link >= num_sec)
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1836,1843 ****
*** 1810,1817 ****
((*_bfd_error_handler)
(_("%B: invalid link %lu for reloc section %s (index %u)"),
abfd, hdr->sh_link, name, shindex));
@ -423,7 +514,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
/* For some incomprehensible reason Oracle distributes
--- 1876,1884 ----
--- 1883,1891 ----
((*_bfd_error_handler)
(_("%B: invalid link %lu for reloc section %s (index %u)"),
abfd, hdr->sh_link, name, shindex));
@ -434,7 +525,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* For some incomprehensible reason Oracle distributes
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1878,1884 ****
*** 1852,1858 ****
if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
|| elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
&& ! bfd_section_from_shdr (abfd, hdr->sh_link))
@ -442,7 +533,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* If this reloc section does not use the main symbol table we
don't treat it as a reloc section. BFD can't adequately
--- 1919,1925 ----
--- 1926,1932 ----
if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
|| elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
&& ! bfd_section_from_shdr (abfd, hdr->sh_link))
@ -451,7 +542,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* If this reloc section does not use the main symbol table we
don't treat it as a reloc section. BFD can't adequately
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1893,1906 ****
*** 1867,1880 ****
|| hdr->sh_info >= num_sec
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
@ -466,7 +557,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
esdt = elf_section_data (target_sect);
if (hdr->sh_type == SHT_RELA)
--- 1934,1951 ----
--- 1941,1958 ----
|| hdr->sh_info >= num_sec
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
@ -486,7 +577,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
esdt = elf_section_data (target_sect);
if (hdr->sh_type == SHT_RELA)
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1912,1918 ****
*** 1886,1892 ****
amt = sizeof (*hdr2);
hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (hdr2 == NULL)
@ -494,7 +585,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*hdr2 = *hdr;
*p_hdr = hdr2;
elf_elfsections (abfd)[shindex] = hdr2;
--- 1957,1963 ----
--- 1964,1970 ----
amt = sizeof (*hdr2);
hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (hdr2 == NULL)
@ -503,7 +594,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*p_hdr = hdr2;
elf_elfsections (abfd)[shindex] = hdr2;
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1928,1961 ****
*** 1902,1935 ****
target_sect->use_rela_p = 1;
}
abfd->flags |= HAS_RELOC;
@ -538,7 +629,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->contents != NULL)
{
Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
--- 1973,2012 ----
--- 1980,2019 ----
target_sect->use_rela_p = 1;
}
abfd->flags |= HAS_RELOC;
@ -580,7 +671,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1981,1987 ****
*** 1955,1961 ****
}
}
}
@ -588,7 +679,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
default:
/* Possibly an attributes section. */
--- 2032,2038 ----
--- 2039,2045 ----
}
}
}
@ -597,7 +688,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
default:
/* Possibly an attributes section. */
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1989,2002 ****
*** 1963,1976 ****
|| hdr->sh_type == bed->obj_attrs_section_type)
{
if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
@ -612,7 +703,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
{
--- 2040,2053 ----
--- 2047,2060 ----
|| hdr->sh_type == bed->obj_attrs_section_type)
{
if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
@ -628,7 +719,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
{
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 2008,2016 ****
*** 1982,1990 ****
"specific section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@ -638,7 +729,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
else if (hdr->sh_type >= SHT_LOPROC
&& hdr->sh_type <= SHT_HIPROC)
--- 2059,2070 ----
--- 2066,2077 ----
"specific section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@ -652,7 +743,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
else if (hdr->sh_type >= SHT_LOPROC
&& hdr->sh_type <= SHT_HIPROC)
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 2031,2038 ****
*** 2005,2012 ****
"`%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@ -661,7 +752,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
else
/* FIXME: We should handle this section. */
--- 2085,2095 ----
--- 2092,2102 ----
"`%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@ -674,7 +765,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
else
/* FIXME: We should handle this section. */
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 2040,2049 ****
*** 2014,2023 ****
(_("%B: don't know how to handle section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
@ -685,7 +776,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
/* Return the local symbol specified by ABFD, R_SYMNDX. */
--- 2097,2113 ----
--- 2104,2123 ----
(_("%B: don't know how to handle section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
@ -695,17 +786,57 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
! fail:
! ret = FALSE;
! success:
! if (sections_being_created)
! if (sections_being_created && sections_being_created_abfd == abfd)
! sections_being_created [shindex] = FALSE;
! if (-- nesting == 0)
! sections_being_created = NULL;
! {
! sections_being_created = NULL;
! sections_being_created_abfd = abfd;
! }
! return ret;
}
/* Return the local symbol specified by ABFD, R_SYMNDX. */
diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-28 09:39:31.656075721 +0000
--- bfd/peXXigen.c 2014-10-28 09:43:31.011370536 +0000
*************** elfcore_write_lwpstatus (bfd *abfd,
*** 9296,9302 ****
lwpstat.pr_lwpid = pid >> 16;
lwpstat.pr_cursig = cursig;
#if defined (HAVE_LWPSTATUS_T_PR_REG)
! memcpy (lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg));
#elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT)
#if !defined(gregs)
memcpy (lwpstat.pr_context.uc_mcontext.gregs,
--- 9396,9402 ----
lwpstat.pr_lwpid = pid >> 16;
lwpstat.pr_cursig = cursig;
#if defined (HAVE_LWPSTATUS_T_PR_REG)
! memcpy (&lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg));
#elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT)
#if !defined(gregs)
memcpy (lwpstat.pr_context.uc_mcontext.gregs,
diff -cpr ../binutils-2.24.orig/bfd/ihex.c bfd/ihex.c
*** ../binutils-2.24.orig/bfd/ihex.c 2014-10-31 11:50:20.143220890 +0000
--- bfd/ihex.c 2014-10-31 11:51:45.746721162 +0000
*************** ihex_scan (bfd *abfd)
*** 322,328 ****
{
if (! ISHEX (buf[i]))
{
! ihex_bad_byte (abfd, lineno, hdr[i], error);
goto error_return;
}
}
--- 322,328 ----
{
if (! ISHEX (buf[i]))
{
! ihex_bad_byte (abfd, lineno, buf[i], error);
goto error_return;
}
}
diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-31 11:50:20.149220928 +0000
--- bfd/peXXigen.c 2014-10-31 11:51:00.397462266 +0000
*************** _bfd_XXi_swap_aouthdr_in (bfd * abfd,
*** 460,465 ****
--- 460,476 ----
@ -760,6 +891,24 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
dataoff = addr - section->vma;
datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
*************** pe_print_edata (bfd * abfd, void * vfile
*** 1426,1431 ****
--- 1444,1458 ----
}
}
+ /* PR 17512: Handle corrupt PE binaries. */
+ if (datasize < 36)
+ {
+ fprintf (file,
+ _("\nThere is an export table in %s, but it is too small (%d)\n"),
+ section->name, (int) datasize);
+ return TRUE;
+ }
+
fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
section->name, (unsigned long) addr);
*************** pe_print_edata (bfd * abfd, void * vfile
*** 1469,1476 ****
fprintf (file,
_("Name \t\t\t\t"));
@ -769,7 +918,7 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
fprintf (file,
_("Ordinal Base \t\t\t%ld\n"), edt.base);
--- 1487,1497 ----
--- 1496,1506 ----
fprintf (file,
_("Name \t\t\t\t"));
bfd_fprintf_vma (abfd, file, edt.name);
@ -790,7 +939,7 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
{
bfd_vma eat_member = bfd_get_32 (abfd,
data + edt.eat_addr + (i * 4) - adj);
--- 1537,1548 ----
--- 1546,1557 ----
_("\nExport Address Table -- Ordinal Base %ld\n"),
edt.base);
@ -812,7 +961,7 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
{
bfd_vma name_ptr = bfd_get_32 (abfd,
data +
--- 1578,1593 ----
--- 1587,1602 ----
fprintf (file,
_("\n[Ordinal/Name Pointer] Table\n"));
@ -829,9 +978,9 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
{
bfd_vma name_ptr = bfd_get_32 (abfd,
data +
diff -rcp ../binutils-2.24.orig/bfd/srec.c bfd/srec.c
*** ../binutils-2.24.orig/bfd/srec.c 2014-10-28 09:39:30.762071014 +0000
--- bfd/srec.c 2014-10-28 09:40:54.769513267 +0000
diff -cpr ../binutils-2.24.orig/bfd/srec.c bfd/srec.c
*** ../binutils-2.24.orig/bfd/srec.c 2014-10-31 11:50:20.144220896 +0000
--- bfd/srec.c 2014-10-31 11:50:55.808436025 +0000
*************** srec_bad_byte (bfd *abfd,
*** 248,254 ****
}
@ -850,19 +999,43 @@ diff -rcp ../binutils-2.24.orig/bfd/srec.c bfd/srec.c
if (! ISPRINT (c))
sprintf (buf, "\\%03o", (unsigned int) c);
*************** srec_scan (bfd *abfd)
*** 454,460 ****
*** 454,461 ****
case 'S':
{
file_ptr pos;
! char hdr[3];
unsigned int bytes, min_bytes;
! unsigned int bytes;
bfd_vma address;
bfd_byte *data;
--- 454,460 ----
unsigned char check_sum;
--- 454,461 ----
case 'S':
{
file_ptr pos;
! unsigned char hdr[3];
unsigned int bytes, min_bytes;
! unsigned int bytes, min_bytes;
bfd_vma address;
bfd_byte *data;
unsigned char check_sum;
*************** srec_scan (bfd *abfd)
*** 478,483 ****
--- 478,496 ----
}
check_sum = bytes = HEX (hdr + 1);
+ min_bytes = 3;
+ if (hdr[0] == '2' || hdr[0] == '8')
+ min_bytes = 4;
+ else if (hdr[0] == '3' || hdr[0] == '7')
+ min_bytes = 5;
+ if (bytes < min_bytes)
+ {
+ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"),
+ abfd, lineno, bytes);
+ bfd_set_error (bfd_error_bad_value);
+ goto error_return;
+ }
+
if (bytes * 2 > bufsize)
{
if (buf != NULL)
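Review bot: The recursion guard allocated at `sections_being_created = (bfd_boolean *) bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));` is indexed by the very next statement, `if (sections_being_created [shindex])`, with no check for a NULL return, so an allocation failure turns into a NULL dereference on exactly the corrupt-input path this patch is hardening; add `if (sections_being_created == NULL) return FALSE;` before the index. The exit path sets `sections_being_created_abfd = abfd` right after clearing the array pointer, which only works because the next entry re-tests the pointer first; resetting it to NULL would make the pairing obvious to the next reader. The `nesting` increment lies outside the visible hunk, so I cannot confirm the counter stays balanced on the early `return FALSE` paths in bfd_section_from_shdr. Separately, the `datasize < 36` guard added in the peXXigen.c hunk looks four bytes short: a PE export directory table is 40 bytes, and if pe_print_edata reads the ordinal-table RVA at offset 36 as upstream does, a 36- to 39-byte table is still read past its end, so the bound presumably wants to be `if (datasize < 40)`.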


@ -1,91 +0,0 @@
diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*** ../binutils-2.24.orig/bfd/elf.c 2014-10-28 16:02:16.233549448 +0000
--- bfd/elf.c 2014-10-28 16:02:36.754653055 +0000
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1584,1589 ****
--- 1584,1590 ----
const char *name;
bfd_boolean ret = TRUE;
static bfd_boolean * sections_being_created = NULL;
+ static bfd * sections_being_created_abfd = NULL;
static unsigned int nesting = 0;
if (shindex >= elf_numsections (abfd))
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 1596,1608 ****
loop. Detect this here, by refusing to load a section that we are
already in the process of loading. We only trigger this test if
we have nested at least three sections deep as normal ELF binaries
! can expect to recurse at least once. */
!
if (sections_being_created == NULL)
{
/* FIXME: It would be more efficient to attach this array to the bfd somehow. */
sections_being_created = (bfd_boolean *)
bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
}
if (sections_being_created [shindex])
{
--- 1597,1615 ----
loop. Detect this here, by refusing to load a section that we are
already in the process of loading. We only trigger this test if
we have nested at least three sections deep as normal ELF binaries
! can expect to recurse at least once.
!
! FIXME: It would be better if this array was attached to the bfd,
! rather than being held in a static pointer. */
!
! if (sections_being_created_abfd != abfd)
! sections_being_created = NULL;
if (sections_being_created == NULL)
{
/* FIXME: It would be more efficient to attach this array to the bfd somehow. */
sections_being_created = (bfd_boolean *)
bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
+ sections_being_created_abfd = abfd;
}
if (sections_being_created [shindex])
{
*************** bfd_section_from_shdr (bfd *abfd, unsign
*** 2106,2112 ****
if (sections_being_created)
sections_being_created [shindex] = FALSE;
if (-- nesting == 0)
! sections_being_created = NULL;
return ret;
}
--- 2113,2122 ----
if (sections_being_created)
sections_being_created [shindex] = FALSE;
if (-- nesting == 0)
! {
! sections_being_created = NULL;
! sections_being_created_abfd = abfd;
! }
return ret;
}
Only in bfd: elf.c.orig
diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-28 16:02:16.251549538 +0000
--- bfd/peXXigen.c 2014-10-28 16:02:36.755653060 +0000
*************** pe_print_edata (bfd * abfd, void * vfile
*** 1444,1449 ****
--- 1444,1458 ----
}
}
+ /* PR 17512: Handle corrupt PE binaries. */
+ if (datasize < 36)
+ {
+ fprintf (file,
+ _("\nThere is an export table in %s, but it is too small (%d)\n"),
+ section->name, (int) datasize);
+ return TRUE;
+ }
+
fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
section->name, (unsigned long) addr);
Only in bfd: peXXigen.c.orig


@ -1,86 +0,0 @@
*** ../binutils-2.24.orig/bfd/elf.c 2014-10-27 12:47:20.989181791 +0000
--- bfd/elf.c 2014-10-27 12:47:33.296248170 +0000
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 608,616 ****
if (shdr->contents == NULL)
{
_bfd_error_handler
! (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value);
! return FALSE;
}
memset (shdr->contents, 0, amt);
--- 608,617 ----
if (shdr->contents == NULL)
{
_bfd_error_handler
! (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
bfd_set_error (bfd_error_bad_value);
! -- num_group;
! continue;
}
memset (shdr->contents, 0, amt);
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 618,625 ****
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size))
! return FALSE;
!
/* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order,
to the flag word followed by an array of elf section
--- 619,635 ----
if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
|| (bfd_bread (shdr->contents, shdr->sh_size, abfd)
!= shdr->sh_size))
! {
! _bfd_error_handler
! (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
! bfd_set_error (bfd_error_bad_value);
! -- num_group;
! /* PR 17510: If the group contents are even partially
! corrupt, do not allow any of the contents to be used. */
! memset (shdr->contents, 0, amt);
! continue;
! }
!
/* Translate raw contents, a flag word followed by an
array of elf section indices all in target byte order,
to the flag word followed by an array of elf section
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 651,656 ****
--- 661,681 ----
}
}
}
+
+ /* PR 17510: Corrupt binaries might contain invalid groups. */
+ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
+ {
+ elf_tdata (abfd)->num_group = num_group;
+
+ /* If all groups are invalid then fail. */
+ if (num_group == 0)
+ {
+ elf_tdata (abfd)->group_sect_ptr = NULL;
+ elf_tdata (abfd)->num_group = num_group = -1;
+ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
+ bfd_set_error (bfd_error_bad_value);
+ }
+ }
}
}
*************** setup_group (bfd *abfd, Elf_Internal_Shd
*** 716,721 ****
--- 741,747 ----
{
(*_bfd_error_handler) (_("%B: no group info for section %A"),
abfd, newsect);
+ return FALSE;
}
return TRUE;
}


@ -1,41 +0,0 @@
*** ../binutils-2.24.orig/bfd/srec.c 2014-10-24 15:34:34.156138230 +0100
--- bfd/srec.c 2014-10-24 15:42:41.462592601 +0100
*************** srec_scan (bfd *abfd)
*** 455,461 ****
{
file_ptr pos;
char hdr[3];
! unsigned int bytes;
bfd_vma address;
bfd_byte *data;
unsigned char check_sum;
--- 455,461 ----
{
file_ptr pos;
char hdr[3];
! unsigned int bytes, min_bytes;
bfd_vma address;
bfd_byte *data;
unsigned char check_sum;
*************** srec_scan (bfd *abfd)
*** 478,483 ****
--- 478,496 ----
}
check_sum = bytes = HEX (hdr + 1);
+ min_bytes = 3;
+ if (hdr[0] == '2' || hdr[0] == '8')
+ min_bytes = 4;
+ else if (hdr[0] == '3' || hdr[0] == '7')
+ min_bytes = 5;
+ if (bytes < min_bytes)
+ {
+ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"),
+ abfd, lineno, bytes);
+ bfd_set_error (bfd_error_bad_value);
+ goto error_return;
+ }
+
if (bytes * 2 > bufsize)
{
if (buf != NULL)


@ -0,0 +1,310 @@
diff -cpr ../binutils-2.24.orig/binutils/config.in binutils/config.in
*** ../binutils-2.24.orig/binutils/config.in 2014-10-31 11:50:20.455222877 +0000
--- binutils/config.in 2014-10-31 11:59:05.021241036 +0000
***************
*** 18,23 ****
--- 18,26 ----
/* Should ar and ranlib use -D behavior by default? */
#undef DEFAULT_AR_DETERMINISTIC
+ /* Should strings use -a behavior by default? */
+ #undef DEFAULT_STRINGS_ALL
+
/* Define to 1 if translation of program messages to the user's native
language is requested. */
#undef ENABLE_NLS
diff -cpr ../binutils-2.24.orig/binutils/configure binutils/configure
*** ../binutils-2.24.orig/binutils/configure 2014-10-31 11:50:20.590223736 +0000
--- binutils/configure 2014-10-31 12:01:46.570102643 +0000
*************** with_gnu_ld
*** 772,777 ****
--- 772,778 ----
enable_libtool_lock
enable_targets
enable_deterministic_archives
+ enable_default_strings_all
enable_werror
enable_build_warnings
enable_nls
*************** Optional Features:
*** 1421,1426 ****
--- 1422,1429 ----
--enable-targets alternative target configurations
--enable-deterministic-archives
ar and ranlib default to -D behavior
+ --disable-default-strings-all
+ strings defaults to --data behavior
--enable-werror treat compile warnings as errors
--enable-build-warnings enable build-time compiler warnings
--disable-nls do not use Native Language Support
*************** cat >>confdefs.h <<_ACEOF
*** 11615,11620 ****
--- 11594,11618 ----
_ACEOF
+ # Check whether --enable-default-strings-all was given.
+ if test "${enable_default_strings_all+set}" = set; then :
+ enableval=$enable_default_strings_all;
+ if test "${enableval}" = no; then
+ default_strings_all=0
+ else
+ default_strings_all=1
+ fi
+ else
+ default_strings_all=1
+ fi
+
+
+
+ cat >>confdefs.h <<_ACEOF
+ #define DEFAULT_STRINGS_ALL $default_strings_all
+ _ACEOF
+
+
GCC_WARN_CFLAGS="-W -Wall -Wstrict-prototypes -Wmissing-prototypes"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
diff -cpr ../binutils-2.24.orig/binutils/configure.in binutils/configure.in
*** ../binutils-2.24.orig/binutils/configure.in 2014-10-31 11:50:20.430222717 +0000
--- binutils/configure.in 2014-10-31 12:00:48.092790946 +0000
*************** fi], [default_ar_deterministic=0])
*** 57,62 ****
--- 57,74 ----
AC_DEFINE_UNQUOTED(DEFAULT_AR_DETERMINISTIC, $default_ar_deterministic,
[Should ar and ranlib use -D behavior by default?])
+ AC_ARG_ENABLE(default-strings-all,
+ [AS_HELP_STRING([--disable-default-strings-all],
+ [strings defaults to --data behavior])], [
+ if test "${enableval}" = no; then
+ default_strings_all=0
+ else
+ default_strings_all=1
+ fi], [default_strings_all=1])
+
+ AC_DEFINE_UNQUOTED(DEFAULT_STRINGS_ALL, $default_strings_all,
+ [Should strings use -a behavior by default?])
+
AM_BINUTILS_WARNINGS
AC_CONFIG_HEADERS(config.h:config.in)
diff -cpr ../binutils-2.24.orig/binutils/doc/binutils.texi binutils/doc/binutils.texi
*** ../binutils-2.24.orig/binutils/doc/binutils.texi 2014-10-31 11:50:20.579223666 +0000
--- binutils/doc/binutils.texi 2014-10-31 11:59:23.052339164 +0000
*************** strings [@option{-afovV}] [@option{-}@va
*** 2653,2667 ****
@c man begin DESCRIPTION strings
! For each @var{file} given, @sc{gnu} @command{strings} prints the printable
! character sequences that are at least 4 characters long (or the number
! given with the options below) and are followed by an unprintable
! character. By default, it only prints the strings from the initialized
! and loaded sections of object files; for other types of files, it prints
! the strings from the whole file.
! @command{strings} is mainly useful for determining the contents of non-text
! files.
@c man end
--- 2653,2676 ----
@c man begin DESCRIPTION strings
! For each @var{file} given, @sc{gnu} @command{strings} prints the
! printable character sequences that are at least 4 characters long (or
! the number given with the options below) and are followed by an
! unprintable character.
!
! Depending upon how the strings program was configured it will default
! to either displaying all the printable sequences that it can find in
! each file, or only those sequences that are in loadable, initialized
! data sections. If the file type in unrecognizable, or if strings is
! reading from stdin then it will always display all of the printable
! sequences that it can find.
!
! For backwards compatibility any file that occurs after a command line
! option of just @option{-} will also be scanned in full, regardless of
! the presence of any @option{-d} option.
! @command{strings} is mainly useful for determining the contents of
! non-text files.
@c man end
*************** files.
*** 2671,2678 ****
@item -a
@itemx --all
@itemx -
! Do not scan only the initialized and loaded sections of object files;
! scan the whole files.
@item -f
@itemx --print-file-name
--- 2680,2704 ----
@item -a
@itemx --all
@itemx -
! Scan the whole file, regardless of what sections it contains or
! whether those sections are loaded or initialized. Normally this is
! the default behaviour, but strings can be configured so that the
! @option{-d} is the default instead.
!
! The @option{-} option is position dependent and forces strings to
! perform full scans of any file that is mentioned after the @option{-}
! on the command line, even if the @option{-d} option has been
! specified.
!
! @item -d
! @itemx --data
! Only print strings from initialized, loaded data sections in the
! file. This may reduce the amount of garbage in the output, but it
! also exposes the strings program to any security flaws that may be
! present in the BFD library used to scan and load sections. Strings
! can be configured so that this option is the default behaviour. In
! such cases the @option{-a} option can be used to avoid using the BFD
! library and instead just print all of the strings found in the file.
@item -f
@itemx --print-file-name
diff -cpr ../binutils-2.24.orig/binutils/NEWS binutils/NEWS
*** ../binutils-2.24.orig/binutils/NEWS 2014-10-31 11:50:20.338222131 +0000
--- binutils/NEWS 2014-10-31 11:59:52.315493579 +0000
***************
*** 1,5 ****
--- 1,10 ----
-*- text -*-
+ * Add --data option to strings to only print strings in loadable, initialized
+ data sections. Change the default behaviour to be --all, but add a new
+ configure time option of --disable-default-strings-all to restore the old
+ default behaviour.
+
Changes in 2.24:
* Objcopy now supports wildcard characters in command line options that take
diff -cpr ../binutils-2.24.orig/binutils/strings.c binutils/strings.c
*** ../binutils-2.24.orig/binutils/strings.c 2014-10-31 11:50:20.464222934 +0000
--- binutils/strings.c 2014-10-31 12:01:33.901035485 +0000
***************
*** 23,29 ****
Options:
--all
-a
! - Do not scan only the initialized data section of object files.
--print-file-name
-f Print the name of the file before each string.
--- 23,32 ----
Options:
--all
-a
! - Scan each file in its entirety.
!
! --data
! -d Scan only the initialized data section(s) of object files.
--print-file-name
-f Print the name of the file before each string.
*************** static int encoding_bytes;
*** 107,112 ****
--- 110,116 ----
static struct option long_options[] =
{
{"all", no_argument, NULL, 'a'},
+ {"data", no_argument, NULL, 'd'},
{"print-file-name", no_argument, NULL, 'f'},
{"bytes", required_argument, NULL, 'n'},
{"radix", required_argument, NULL, 't'},
*************** typedef struct
*** 128,134 ****
static void strings_a_section (bfd *, asection *, void *);
static bfd_boolean strings_object_file (const char *);
! static bfd_boolean strings_file (char *file);
static void print_strings (const char *, FILE *, file_ptr, int, int, char *);
static void usage (FILE *, int);
static long get_char (FILE *, file_ptr *, int *, char **);
--- 132,138 ----
static void strings_a_section (bfd *, asection *, void *);
static bfd_boolean strings_object_file (const char *);
! static bfd_boolean strings_file (char *);
static void print_strings (const char *, FILE *, file_ptr, int, int, char *);
static void usage (FILE *, int);
static long get_char (FILE *, file_ptr *, int *, char **);
*************** main (int argc, char **argv)
*** 158,168 ****
string_min = 4;
print_addresses = FALSE;
print_filenames = FALSE;
! datasection_only = TRUE;
target = NULL;
encoding = 's';
! while ((optc = getopt_long (argc, argv, "afhHn:ot:e:T:Vv0123456789",
long_options, (int *) 0)) != EOF)
{
switch (optc)
--- 162,175 ----
string_min = 4;
print_addresses = FALSE;
print_filenames = FALSE;
! if (DEFAULT_STRINGS_ALL)
! datasection_only = FALSE;
! else
! datasection_only = TRUE;
target = NULL;
encoding = 's';
! while ((optc = getopt_long (argc, argv, "adfhHn:ot:e:T:Vv0123456789",
long_options, (int *) 0)) != EOF)
{
switch (optc)
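Review bot: The four-line `if (DEFAULT_STRINGS_ALL) ... else ...` that initialises `datasection_only` on the new side collapses to one assignment, `datasection_only = DEFAULT_STRINGS_ALL ? FALSE : TRUE;`, which reads like the neighbouring `print_addresses = FALSE;` initialisers and keeps the compile-time default visible in a single place. The configure-side definition of `DEFAULT_STRINGS_ALL` is not in this hunk; if config.h can leave it undefined, a `#ifndef DEFAULT_STRINGS_ALL` fallback near the top of strings.c would keep the build from failing on an undeclared identifier. main's body continues outside the hunk.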
*************** main (int argc, char **argv)
*** 171,176 ****
--- 178,187 ----
datasection_only = FALSE;
break;
+ case 'd':
+ datasection_only = TRUE;
+ break;
+
case 'f':
print_filenames = TRUE;
break;
*************** usage (FILE *stream, int status)
*** 635,642 ****
{
fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name);
fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n"));
! fprintf (stream, _(" The options are:\n\
-a - --all Scan the entire file, not just the data section\n\
-f --print-file-name Print the name of the file before each string\n\
-n --bytes=[number] Locate & print any NUL-terminated sequence of at\n\
-<number> least [number] characters (default 4).\n\
--- 646,663 ----
{
fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name);
fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n"));
! fprintf (stream, _(" The options are:\n"));
!
! if (DEFAULT_STRINGS_ALL)
! fprintf (stream, _("\
! -a - --all Scan the entire file, not just the data section [default]\n\
! -d --data Only scan the data sections in the file\n"));
! else
! fprintf (stream, _("\
-a - --all Scan the entire file, not just the data section\n\
+ -d --data Only scan the data sections in the file [default]\n"));
+
+ fprintf (stream, _("\
-f --print-file-name Print the name of the file before each string\n\
-n --bytes=[number] Locate & print any NUL-terminated sequence of at\n\
-<number> least [number] characters (default 4).\n\
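Review bot: The `Only in binutils: strings.c.rej` line that follows this hunk indicates the tree the patch was generated from still contained a reject file, which likely means a hunk for strings.c did not apply cleanly there; the line should be dropped from the patch and the rejected hunk reconciled before the file is applied via `%patch32`. Separately, the new `-d --data` help line does not say what distinguishes it from `-a` in practice, although the texinfo change in this same patch explains that `-d` loads the file through BFD while `-a` does not, so a short hint such as ` -d --data Only scan the data sections in the file (uses BFD)\n` would keep `--help` consistent with the manual. usage's body continues outside the hunk.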
Only in binutils: strings.c.rej


@ -19,7 +19,7 @@
Summary: A GNU collection of binary utilities
Name: %{?cross}binutils%{?_with_debug:-debug}
Version: 2.24
Release: 27%{?dist}
Release: 28%{?dist}
License: GPLv3+
Group: Development/Tools
URL: http://sources.redhat.com/binutils
@ -72,10 +72,8 @@ Patch27: binutils-2.24-aarch64-fix-gotplt-offset-ifunc.patch
Patch28: binutils-2.24-aarch64-fix-static-ifunc.patch
Patch29: binutils-2.24-aarch64-fix-ie-relax.patch
Patch30: binutils-HEAD-change-ld-notice-interface.patch
Patch31: binutils-2.24-corrupt-srec.patch
Patch32: binutils-2.24-corrupt-groups.patch
Patch33: binutils-2.24-corrupt-elf.patch
Patch34: binutils-2.24-corrupt-elf.2.patch
Patch31: binutils-2.24-corrupt-binaries.patch
Patch32: binutils-2.24-strings-default-all.patch
Provides: bundled(libiberty)
@ -210,10 +208,8 @@ using libelf instead of BFD.
%patch28 -p1 -b .aa64-2~
%patch29 -p1 -b .aa64-3~
%patch30 -p1 -b .ldplugin~
%patch31 -p0 -b .corrupt-srec~
%patch32 -p0 -b .corrupt-groups~
%patch33 -p0 -b .corrupt-elf~
%patch34 -p0 -b .corrupt-elf2~
%patch31 -p0 -b .corrupt-binaries~
%patch32 -p0 -b .strings-all~
# We cannot run autotools as there is an exact requirement of autoconf-2.59.
@ -528,6 +524,12 @@ exit 0
%endif # %{isnative}
%changelog
* Fri Oct 31 2014 Nick Clifton <nickc@redhat.com> - 2.24-28
- Fix buffer overrun in ihex parser.
- Fix memory corruption in previous patch.
- Consoldiate corrupt handling patches into just one patch.
- Default strings command to using -a.
* Wed Oct 29 2014 Nick Clifton <nickc@redhat.com> - 2.24-27
- Fix memory corruption bug introduced by the previous patch.