rpms/binutils
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix a seg-fault parsing corrupt DWARF information. (#1573360)

Browse Source 
Fix another seg-fault parsing corrupt DWARF information.  (#1573367)
Fix a seg-fault copying a corrupt ELF file.  (#1551788)
Fix a seg-fault parsing a large ELF files on a 32-bit host.  (#1539891)
Fix a seg-fault running nm on a corrupt ELF file.  (#15343247)
Fix a seg-fault running nm on a file containing corrupt DWARF information.  (#1551781)
Fix another seg-fault running nm on a file containing corrupt DWARF information.  (#1551763)
This commit is contained in:
Nick Clifton 2018-05-01 15:15:23 +01:00
parent c973a8f557
commit f53b235000
8 changed files with 447 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
binutils-CVE-2018-10372.patch Normal file
View File

@ -0,0 +1,22 @@
--- binutils.orig/binutils/dwarf.c 2018-05-01 11:42:02.656431736 +0100
+++ binutils-2.30/binutils/dwarf.c 2018-05-01 11:43:24.210383020 +0100
@@ -9244,7 +9244,18 @@ process_cu_tu_index (struct dwarf_sectio
}
if (!do_display)
- memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
+ {
+ size_t num_copy = sizeof (uint64_t);
+
+ /* PR 23064: Beware of buffer overflow. */
+ if (ph + num_copy < limit)
+ memcpy (&this_set[row - 1].signature, ph, num_copy);
+ else
+ {
+ warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
+ return 0;
+ }
+ }
prow = poffsets + (row - 1) * ncols * 4;
/* PR 17531: file: b8ce60a8. */

11
binutils-CVE-2018-10373.patch Normal file
View File

@ -0,0 +1,11 @@
--- binutils.orig/bfd/dwarf2.c 2018-05-01 11:42:03.152425647 +0100
+++ binutils-2.30/bfd/dwarf2.c 2018-05-01 12:03:27.533735710 +0100
@@ -1559,7 +1559,7 @@ concat_filename (struct line_info_table
{
char *filename;
- if (file - 1 >= table->num_files)
+ if (table == NULL || file - 1 >= table->num_files)
{
/* FILE == 0 means unknown. */
if (file)

20
binutils-CVE-2018-6323.patch Normal file
View File

@ -0,0 +1,20 @@
--- binutils.orig/bfd/elfcode.h 2018-05-01 11:42:03.250424443 +0100
+++ binutils-2.30/bfd/elfcode.h 2018-05-01 12:41:00.745780026 +0100
@@ -680,7 +680,7 @@ elf_object_p (bfd *abfd)
if (i_ehdrp->e_shnum > ((bfd_size_type) -1) / sizeof (*i_shdrp))
goto got_wrong_format_error;
#endif
- amt = sizeof (*i_shdrp) * i_ehdrp->e_shnum;
+ amt = sizeof (*i_shdrp) * (bfd_size_type) i_ehdrp->e_shnum;
i_shdrp = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (!i_shdrp)
goto got_no_match;
@@ -776,7 +776,7 @@ elf_object_p (bfd *abfd)
if (i_ehdrp->e_phnum > ((bfd_size_type) -1) / sizeof (*i_phdr))
goto got_wrong_format_error;
#endif
- amt = i_ehdrp->e_phnum * sizeof (*i_phdr);
+ amt = (bfd_size_type) i_ehdrp->e_phnum * sizeof (*i_phdr);
elf_tdata (abfd)->phdr = (Elf_Internal_Phdr *) bfd_alloc (abfd, amt);
if (elf_tdata (abfd)->phdr == NULL)
goto got_no_match;

69
binutils-CVE-2018-6759.patch Normal file
View File

@ -0,0 +1,69 @@
--- binutils.orig/bfd/opncls.c 2018-05-01 11:42:03.266424248 +0100
+++ binutils-2.30/bfd/opncls.c 2018-05-01 12:52:36.792579838 +0100
@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
bfd_byte *contents;
unsigned int crc_offset;
char *name;
+ bfd_size_type size;
BFD_ASSERT (abfd);
BFD_ASSERT (crc32_out);
@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
if (sect == NULL)
return NULL;
+ size = bfd_get_section_size (sect);
+
+ /* PR 22794: Make sure that the section has a reasonable size. */
+ if (size < 8 || size >= bfd_get_size (abfd))
+ return NULL;
+
if (!bfd_malloc_and_get_section (abfd, sect, &contents))
{
if (contents != NULL)
@@ -1198,9 +1205,9 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
/* CRC value is stored after the filename, aligned up to 4 bytes. */
name = (char *) contents;
/* PR 17597: avoid reading off the end of the buffer. */
- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+ crc_offset = strnlen (name, size) + 1;
crc_offset = (crc_offset + 3) & ~3;
- if (crc_offset + 4 > bfd_get_section_size (sect))
+ if (crc_offset + 4 > size)
return NULL;
*crc32 = bfd_get_32 (abfd, contents + crc_offset);
@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
bfd_byte *contents;
unsigned int buildid_offset;
char *name;
+ bfd_size_type size;
BFD_ASSERT (abfd);
BFD_ASSERT (buildid_len);
@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
if (sect == NULL)
return NULL;
+ size = bfd_get_section_size (sect);
+ if (size < 8 || size >= bfd_get_size (abfd))
+ return NULL;
+
if (!bfd_malloc_and_get_section (abfd, sect, & contents))
{
if (contents != NULL)
@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
/* BuildID value is stored after the filename. */
name = (char *) contents;
- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
- if (buildid_offset >= bfd_get_section_size (sect))
+ buildid_offset = strnlen (name, size) + 1;
+ if (buildid_offset >= size)
return NULL;
- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
+ *buildid_len = size - buildid_offset;
*buildid_out = bfd_malloc (*buildid_len);
memcpy (*buildid_out, contents + buildid_offset, *buildid_len);

37
binutils-CVE-2018-7568.patch Normal file
View File

@ -0,0 +1,37 @@
--- binutils.orig/bfd/dwarf1.c 2018-05-01 13:04:35.060041875 +0100
+++ binutils-2.30/bfd/dwarf1.c 2018-05-01 13:24:17.943833855 +0100
@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
/* Then the attributes. */
while (xptr + 2 <= aDiePtrEnd)
{
+ unsigned int block_len;
unsigned short attr;
/* Parse the attribute based on its form. This section
@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
break;
case FORM_BLOCK2:
if (xptr + 2 <= aDiePtrEnd)
- xptr += bfd_get_16 (abfd, xptr);
+ {
+ block_len = bfd_get_16 (abfd, xptr);
+ if (xptr + block_len > aDiePtrEnd
+ || xptr + block_len < xptr)
+ return FALSE;
+ xptr += block_len;
+ }
xptr += 2;
break;
case FORM_BLOCK4:
if (xptr + 4 <= aDiePtrEnd)
- xptr += bfd_get_32 (abfd, xptr);
+ {
+ block_len = bfd_get_32 (abfd, xptr);
+ if (xptr + block_len > aDiePtrEnd
+ || xptr + block_len < xptr)
+ return FALSE;
+ xptr += block_len;
+ }
xptr += 4;
break;
case FORM_STRING:

75
binutils-CVE-2018-7569.patch Normal file
View File

@ -0,0 +1,75 @@
--- binutils.orig/bfd/dwarf2.c 2018-05-01 13:04:35.055041935 +0100
+++ binutils-2.30/bfd/dwarf2.c 2018-05-01 13:31:32.882624448 +0100
@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
}
static bfd_byte *
-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
- bfd_byte *buf,
- bfd_byte *end,
- unsigned int size ATTRIBUTE_UNUSED)
-{
- if (buf + size > end)
- return NULL;
- return buf;
+read_n_bytes (bfd_byte * buf,
+ bfd_byte * end,
+ struct dwarf_block * block)
+{
+ unsigned int size = block->size;
+ bfd_byte * block_end = buf + size;
+
+ if (block_end > end || block_end < buf)
+ {
+ block->data = NULL;
+ block->size = 0;
+ return end;
+ }
+ else
+ {
+ block->data = buf;
+ return block_end;
+ }
}
/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 2;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block4:
@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 4;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data2:
@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
FALSE, info_ptr_end);
info_ptr += bytes_read;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block1:
@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
info_ptr += 1;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data1:

156
binutils-CVE-2018-7570.patch Normal file
View File

@ -0,0 +1,156 @@
--- binutils.orig/bfd/elf.c 2018-05-01 11:42:03.151425659 +0100
+++ binutils-2.30/bfd/elf.c 2018-05-01 12:30:42.129206856 +0100
@@ -5713,6 +5713,9 @@ assign_file_positions_for_load_sections
return TRUE;
}
+#define IS_TBSS(s) \
+ ((s->flags & (SEC_THREAD_LOCAL | SEC_LOAD)) == SEC_THREAD_LOCAL)
+
/* Assign file positions for the other sections. */
static bfd_boolean
@@ -5862,65 +5865,100 @@ assign_file_positions_for_non_load_secti
{
if (p->p_type == PT_GNU_RELRO)
{
- const Elf_Internal_Phdr *lp;
- struct elf_segment_map *lm;
+ bfd_vma start, end;
+ bfd_boolean ok;
if (link_info != NULL)
{
/* During linking the range of the RELRO segment is passed
- in link_info. */
+ in link_info. Note that there may be padding between
+ relro_start and the first RELRO section. */
+ start = link_info->relro_start;
+ end = link_info->relro_end;
+ }
+ else if (m->count != 0)
+ {
+ if (!m->p_size_valid)
+ abort ();
+ start = m->sections[0]->vma;
+ end = start + m->p_size;
+ }
+ else
+ {
+ start = 0;
+ end = 0;
+ }
+
+ ok = FALSE;
+ if (start < end)
+ {
+ struct elf_segment_map *lm;
+ const Elf_Internal_Phdr *lp;
+ unsigned int i;
+
+ /* Find a LOAD segment containing a section in the RELRO
+ segment. */
for (lm = elf_seg_map (abfd), lp = phdrs;
lm != NULL;
lm = lm->next, lp++)
{
if (lp->p_type == PT_LOAD
- && lp->p_vaddr < link_info->relro_end
&& lm->count != 0
- && lm->sections[0]->vma >= link_info->relro_start)
+ && (lm->sections[lm->count - 1]->vma
+ + (!IS_TBSS (lm->sections[lm->count - 1])
+ ? lm->sections[lm->count - 1]->size
+ : 0)) > start
+ && lm->sections[0]->vma < end)
break;
}
- BFD_ASSERT (lm != NULL);
- }
- else
- {
- /* Otherwise we are copying an executable or shared
- library, but we need to use the same linker logic. */
- for (lp = phdrs; lp < phdrs + count; ++lp)
+ if (lm != NULL)
{
- if (lp->p_type == PT_LOAD
- && lp->p_paddr == p->p_paddr)
- break;
+ /* Find the section starting the RELRO segment. */
+ for (i = 0; i < lm->count; i++)
+ {
+ asection *s = lm->sections[i];
+ if (s->vma >= start
+ && s->vma < end
+ && s->size != 0)
+ break;
+ }
+
+ if (i < lm->count)
+ {
+ p->p_vaddr = lm->sections[i]->vma;
+ p->p_paddr = lm->sections[i]->lma;
+ p->p_offset = lm->sections[i]->filepos;
+ p->p_memsz = end - p->p_vaddr;
+ p->p_filesz = p->p_memsz;
+
+ /* The RELRO segment typically ends a few bytes
+ into .got.plt but other layouts are possible.
+ In cases where the end does not match any
+ loaded section (for instance is in file
+ padding), trim p_filesz back to correspond to
+ the end of loaded section contents. */
+ if (p->p_filesz > lp->p_vaddr + lp->p_filesz - p->p_vaddr)
+ p->p_filesz = lp->p_vaddr + lp->p_filesz - p->p_vaddr;
+
+ /* Preserve the alignment and flags if they are
+ valid. The gold linker generates RW/4 for
+ the PT_GNU_RELRO section. It is better for
+ objcopy/strip to honor these attributes
+ otherwise gdb will choke when using separate
+ debug files. */
+ if (!m->p_align_valid)
+ p->p_align = 1;
+ if (!m->p_flags_valid)
+ p->p_flags = PF_R;
+ ok = TRUE;
+ }
}
}
-
- if (lp < phdrs + count)
- {
- p->p_vaddr = lp->p_vaddr;
- p->p_paddr = lp->p_paddr;
- p->p_offset = lp->p_offset;
- if (link_info != NULL)
- p->p_filesz = link_info->relro_end - lp->p_vaddr;
- else if (m->p_size_valid)
- p->p_filesz = m->p_size;
- else
- abort ();
- p->p_memsz = p->p_filesz;
- /* Preserve the alignment and flags if they are valid. The
- gold linker generates RW/4 for the PT_GNU_RELRO section.
- It is better for objcopy/strip to honor these attributes
- otherwise gdb will choke when using separate debug files.
- */
- if (!m->p_align_valid)
- p->p_align = 1;
- if (!m->p_flags_valid)
- p->p_flags = PF_R;
- }
- else
- {
- memset (p, 0, sizeof *p);
- p->p_type = PT_NULL;
- }
+ if (link_info != NULL)
+ BFD_ASSERT (ok);
+ if (!ok)
+ memset (p, 0, sizeof *p);
}
else if (p->p_type == PT_GNU_STACK)
{

62
binutils.spec
View File

@ -24,6 +24,8 @@
# Disable the default generation of GNU Build notes by the assembler.
# This has turned out to be problematic for the i686 architecture.
# although the extact reason has not been determined. (See BZ 1572485)
# It also breaks building EFI binaries on AArch64, as these cannot have
# relocations against absolute symbols.
%define default_generate_notes 0
#----End of Configure Options------------------------------------------------
@ -67,7 +69,7 @@
Summary: A GNU collection of binary utilities
Name: %{?cross}binutils%{?_with_debug:-debug}
Version: 2.30
Release: 17%{?dist}
Release: 18%{?dist}
License: GPLv3+
Group: Development/Tools
URL: https://sourceware.org/binutils
@ -204,21 +206,55 @@ Patch19: binutils-gold-llvm-plugin.patch
# Lifetime: Fixed in 2.31
Patch20: binutils-gas-build-notes.patch
# Purpose: Fix a CVE triggered by running objdump on a corrupt AOUT
# Purpose: Fix a seg-fault triggered by running objdump on a corrupt AOUT
# format file.
# Lifetime: Fixed in 2.31
Patch21: binutils-CVE-2018-7642.patch
# Purpose: Fix a CVE triggered by running objdump on a binary containing
# corrupt DWARF debug information.
# Purpose: Fix a seg-fault triggered by running readelf or objdump on a
# file containing corrupt DWARF debug information.
# Lifetime: Fixed in 2.31
Patch22: binutils-CVE-2018-7643.patch
# Purpose: Fix a CVE triggered by running objdump on a corrupt COFF
# Purpose: Fix a seg-fault triggered by running objdump on a corrupt COFF
# format file.
# Lifetime: Fixed in 2.31
Patch23: binutils-CVE-2018-7208.patch
# Purpose: Fix a seg-fault triggered by running readelf or objdump on a
# file containing corrupt DWARF debug information.
# Lifetime: Fixed in 2.31
Patch24: binutils-CVE-2018-10372.patch
# Purpose: Fix another seg-fault triggered by running readelf or objdump on a
# file containing corrupt DWARF debug information.
# Lifetime: Fixed in 2.31
Patch25: binutils-CVE-2018-10373.patch
# Purpose: Fix a seg-fault triggered by running objcopy on a corrupt ELF
# file.
# Lifetime: Fixed in 2.31
Patch26: binutils-CVE-2018-7570.patch
# Purpose: Fix a seg-fault triggered by running objcopy on a large ELF
# file on a 32-bit host machine.
# Lifetime: Fixed in 2.31
Patch27: binutils-CVE-2018-6323.patch
# Purpose: Fix a seg-fault triggered by running nm on a corrupt ELF file.
# Lifetime: Fixed in 2.31
Patch28: binutils-CVE-2018-6759.patch
# Purpose: Fix a seg-fault triggered by running nm on a file containing
# corrupt DWARF information.
# Lifetime: Fixed in 2.31
Patch29: binutils-CVE-2018-7569.patch
# Purpose: Fix a seg-fault triggered by running nm on a file containing
# corrupt DWARF information.
# Lifetime: Fixed in 2.31
Patch30: binutils-CVE-2018-7568.patch
#----------------------------------------------------------------------------
Provides: bundled(libiberty)
@ -367,6 +403,13 @@ using libelf instead of BFD.
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
# We cannot run autotools as there is an exact requirement of autoconf-2.59.
@ -780,6 +823,15 @@ exit 0
#----------------------------------------------------------------------------
%changelog
* Tue May 01 2018 Nick Clifton <nickc@redhat.com> 2.30-18
- Fix a seg-fault parsing corrupt DWARF information. (#1573360)
- Fix another seg-fault parsing corrupt DWARF information. (#1573367)
- Fix a seg-fault copying a corrupt ELF file. (#1551788)
- Fix a seg-fault parsing a large ELF files on a 32-bit host. (#1539891)
- Fix a seg-fault running nm on a corrupt ELF file. (#15343247)
- Fix a seg-fault running nm on a file containing corrupt DWARF information. (#1551781)
- Fix another seg-fault running nm on a file containing corrupt DWARF information. (#1551763)
* Fri Apr 27 2018 Nick Clifton <nickc@redhat.com> 2.30-17
- Disable the automatic generation of annobin notes. (#1572485)