Change-Id: I6e09fa6448baa9c1ca3417b8056e655aaf650916
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4440
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
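--- /dev/null
+++ b/PATCH_FILE_1_PATH_NOT_SHOWN
@@ -0,0 +1,30 @@
+From a67d66eb97e7613a38ffe6622d837303b3ecd31d Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 1 Nov 2017 15:21:46 +0000
+Subject: [PATCH] Prevent illegal memory accesses when attempting to read
+ excessively large COFF line number tables.
+
+ PR 22376
+ * coffcode.h (coff_slurp_line_table): Check for an excessively
+ large line number count.
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h
+index 21308de..6da0afa 100644
+--- a/bfd/coffcode.h
+@@ -4578,6 +4578,14 @@ coff_slurp_line_table (bfd *abfd, asection *asect)
+
+ BFD_ASSERT (asect->lineno == NULL);
+
++ if (asect->lineno_count > asect->size)
++ {
++ _bfd_error_handler
++ (_("%B: warning: line number count (%#lx) exceeds section size (%#lx)"),
++ abfd, (unsigned long) asect->lineno_count, (unsigned long) asect->size);
++ return FALSE;
++ }
++
+ amt = ((bfd_size_type) asect->lineno_count + 1) * sizeof (alent);
+ lineno_cache = (alent *) bfd_alloc (abfd, amt);
+ if (lineno_cache == NULL)
+-- 
+2.9.3
+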
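Review bot: The new guard in the `coff_slurp_line_table` hunk compares an entry count against a byte size, so it only rejects counts larger than the whole section; any count up to `asect->size` still reaches the `(lineno_count + 1) * sizeof (alent)` allocation below it and, presumably, the table read that follows, so the bound is deliberately coarse rather than exact. A one-line comment would stop a later reader from treating it as a tight check, e.g. `/* Coarse sanity bound: a valid table cannot hold more entries than the section has bytes. */`. The embedded diff's `+++ b/bfd/coffcode.h` line is not visible in this rendering, and the same is true of the other six patch files on this page; that is probably a display artifact, but since `%patchN -p1` in the spec is what applies these files it is worth confirming the stored files carry it. The enclosing function continues outside the hunk.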
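--- /dev/null
+++ b/PATCH_FILE_2_PATH_NOT_SHOWN
@@ -0,0 +1,73 @@
+From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 16:43:47 +1030
+Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
+
+ PR 22306
+ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
+ and error for any other size that doesn't cover the header word.
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 3d38fda..d096ed5 100644
+--- a/bfd/aoutx.h
+@@ -1351,27 +1351,42 @@ aout_get_external_symbols (bfd *abfd)
+ || bfd_bread ((void *) string_chars, amt, abfd) != amt)
+ return FALSE;
+ stringsize = GET_WORD (abfd, string_chars);
++ if (stringsize == 0)
++ stringsize = 1;
++ else if (stringsize < BYTES_IN_WORD
++ || (size_t) stringsize != stringsize)
++ {
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
+
+ #ifdef USE_MMAP
+- if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
+- &obj_aout_string_window (abfd), TRUE))
+- return FALSE;
+- strings = (char *) obj_aout_string_window (abfd).data;
+-#else
+- strings = (char *) bfd_malloc (stringsize + 1);
+- if (strings == NULL)
+- return FALSE;
+-
+- /* Skip space for the string count in the buffer for convenience
+- when using indexes. */
+- amt = stringsize - BYTES_IN_WORD;
+- if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
++ if (stringsize >= BYTES_IN_WORD)
+ {
+- free (strings);
+- return FALSE;
++ if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
++ &obj_aout_string_window (abfd), TRUE))
++ return FALSE;
++ strings = (char *) obj_aout_string_window (abfd).data;
+ }
++ else
+ #endif
++ {
++ strings = (char *) bfd_malloc (stringsize);
++ if (strings == NULL)
++ return FALSE;
+
++ if (stringsize >= BYTES_IN_WORD)
++ {
++ /* Keep the string count in the buffer for convenience
++ when indexing with e_strx. */
++ amt = stringsize - BYTES_IN_WORD;
++ if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
++ {
++ free (strings);
++ return FALSE;
++ }
++ }
++ }
+ /* Ensure that a zero index yields an empty string. */
+ strings[0] = '\0';
+
+-- 
+2.9.3
+
+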
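Review bot: The `else` placed immediately before `#endif` in the `aout_get_external_symbols` hunk makes the brace block that follows either the else-arm of the `bfd_get_file_window` branch (USE_MMAP builds) or an unconditional block (other builds); it is correct, but the preprocessor-dependent control flow is easy to misread, and a comment above `#ifdef USE_MMAP` such as `/* With USE_MMAP the block after #endif is the else arm of the window read; without it the block is unconditional. */` would help. The new validation only requires `stringsize` to cover the header word and fit in a `size_t`, so a hostile header can still request an arbitrarily large `bfd_malloc (stringsize)` or file window; the NULL return is handled, but the coffgen.c patch in this same series bounds its allocation with `bfd_get_file_size (abfd)` when that is non-zero, and the same `|| stringsize > bfd_get_file_size (abfd)` term would make this path fail fast too, if that helper is available in this file. The enclosing function continues outside the hunk.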
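--- /dev/null
+++ b/PATCH_FILE_3_PATH_NOT_SHOWN
@@ -0,0 +1,182 @@
+diff -rup binutils-2.29.1/binutils/dwarf.c binutils-2.29.1-new/binutils/dwarf.c
+--- binutils-2.29.1/binutils/dwarf.c 2017-09-14 02:30:59.000000000 -0700
+@@ -6225,7 +6225,7 @@ typedef struct Frame_Chunk
+ int data_factor;
+ dwarf_vma pc_begin;
+ dwarf_vma pc_range;
+- int cfa_reg;
++ unsigned int cfa_reg;
+ dwarf_vma cfa_offset;
+ unsigned int ra;
+ unsigned char fde_encoding;
+@@ -6568,13 +6568,13 @@ frame_display_row (Frame_Chunk *fc, int
+ static unsigned char *
+ read_cie (unsigned char *start, unsigned char *end,
+ Frame_Chunk **p_cie, int *p_version,
+- unsigned long *p_aug_len, unsigned char **p_aug)
++ bfd_size_type *p_aug_len, unsigned char **p_aug)
+ {
+ int version;
+ Frame_Chunk *fc;
+ unsigned int length_return;
+ unsigned char *augmentation_data = NULL;
+- unsigned long augmentation_data_len = 0;
++ bfd_size_type augmentation_data_len = 0;
+
+ * p_cie = NULL;
+ /* PR 17512: file: 001-228113-0.004. */
+@@ -6643,14 +6643,15 @@ read_cie (unsigned char *start, unsigned
+ {
+ READ_ULEB (augmentation_data_len);
+ augmentation_data = start;
+- start += augmentation_data_len;
+ /* PR 17512: file: 11042-2589-0.004. */
+- if (start > end)
++ if (augmentation_data_len > (bfd_size_type) (end - start))
+ {
+- warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+- augmentation_data_len, (long)((end - start) + augmentation_data_len));
++ warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),
++ dwarf_vmatoa ("x", augmentation_data_len),
++ (unsigned long) (end - start));
+ return end;
+ }
++ start += augmentation_data_len;
+ }
+
+ if (augmentation_data_len)
+@@ -6663,14 +6664,7 @@ read_cie (unsigned char *start, unsigned
+ q = augmentation_data;
+ qend = q + augmentation_data_len;
+
+- /* PR 17531: file: 015adfaa. */
+- if (qend < q)
+- {
+- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
+- augmentation_data_len = 0;
+- }
+-
+- while (p < end && q < augmentation_data + augmentation_data_len)
++ while (p < end && q < qend)
+ {
+ if (*p == 'L')
+ q++;
+@@ -6699,6 +6693,31 @@ read_cie (unsigned char *start, unsigned
+ return start;
+ }
+
++/* Prints out the contents on the augmentation data array.
++ If do_wide is not enabled, then formats the output to fit into 80 columns. */
++
++static void
++display_augmentation_data (const unsigned char * data, const bfd_size_type len)
++{
++ bfd_size_type i;
++
++ i = printf (_(" Augmentation data: "));
++
++ if (do_wide || len < ((80 - i) / 3))
++ for (i = 0; i < len; ++i)
++ printf (" %02x", data[i]);
++ else
++ {
++ for (i = 0; i < len; ++i)
++ {
++ if (i % (80 / 3) == 0)
++ putchar ('\n');
++ printf (" %02x", data[i]);
++ }
++ }
++ putchar ('\n');
++}
++
+ static int
+ display_debug_frames (struct dwarf_section *section,
+ void *file ATTRIBUTE_UNUSED)
+@@ -6727,7 +6746,7 @@ display_debug_frames (struct dwarf_secti
+ Frame_Chunk *cie;
+ int need_col_headers = 1;
+ unsigned char *augmentation_data = NULL;
+- unsigned long augmentation_data_len = 0;
++ bfd_size_type augmentation_data_len = 0;
+ unsigned int encoded_ptr_size = saved_eh_addr_size;
+ unsigned int offset_size;
+ unsigned int initial_length_size;
+@@ -6821,16 +6840,8 @@ display_debug_frames (struct dwarf_secti
+ printf (" Return address column: %d\n", fc->ra);
+
+ if (augmentation_data_len)
+- {
+- unsigned long i;
++ display_augmentation_data (augmentation_data, augmentation_data_len);
+
+- printf (" Augmentation data: ");
+- for (i = 0; i < augmentation_data_len; ++i)
+- /* FIXME: If do_wide is FALSE, then we should
+- add carriage returns at 80 columns... */
+- printf (" %02x", augmentation_data[i]);
+- putchar ('\n');
+- }
+ putchar ('\n');
+ }
+ }
+@@ -6986,11 +6997,13 @@ display_debug_frames (struct dwarf_secti
+ READ_ULEB (augmentation_data_len);
+ augmentation_data = start;
+ start += augmentation_data_len;
+- /* PR 17512: file: 722-8446-0.004. */
+- if (start >= end || ((signed long) augmentation_data_len) < 0)
++ /* PR 17512 file: 722-8446-0.004 and PR 22386. */
++ if (start >= end
++ || ((bfd_signed_vma) augmentation_data_len) < 0
++ || augmentation_data > start)
+ {
+- warn (_("Corrupt augmentation data length: %lx\n"),
+- augmentation_data_len);
++ warn (_("Corrupt augmentation data length: 0x%s\n"),
++ dwarf_vmatoa ("x", augmentation_data_len));
+ start = end;
+ augmentation_data = NULL;
+ augmentation_data_len = 0;
+@@ -7012,12 +7025,7 @@ display_debug_frames (struct dwarf_secti
+
+ if (! do_debug_frames_interp && augmentation_data_len)
+ {
+- unsigned long i;
+-
+- printf (" Augmentation data: ");
+- for (i = 0; i < augmentation_data_len; ++i)
+- printf (" %02x", augmentation_data[i]);
+- putchar ('\n');
++ display_augmentation_data (augmentation_data, augmentation_data_len);
+ putchar ('\n');
+ }
+ }
+@@ -7449,7 +7457,7 @@ display_debug_frames (struct dwarf_secti
+ break;
+
+ case DW_CFA_def_cfa:
+- READ_SLEB (fc->cfa_reg);
++ READ_ULEB (fc->cfa_reg);
+ READ_ULEB (fc->cfa_offset);
+ fc->cfa_exp = 0;
+ if (! do_debug_frames_interp)
+@@ -7458,7 +7466,7 @@ display_debug_frames (struct dwarf_secti
+ break;
+
+ case DW_CFA_def_cfa_register:
+- READ_SLEB (fc->cfa_reg);
++ READ_ULEB (fc->cfa_reg);
+ fc->cfa_exp = 0;
+ if (! do_debug_frames_interp)
+ printf (" DW_CFA_def_cfa_register: %s\n",
+@@ -7577,7 +7585,7 @@ display_debug_frames (struct dwarf_secti
+ break;
+
+ case DW_CFA_def_cfa_sf:
+- READ_SLEB (fc->cfa_reg);
++ READ_ULEB (fc->cfa_reg);
+ READ_ULEB (fc->cfa_offset);
+ fc->cfa_offset = fc->cfa_offset * fc->data_factor;
+ fc->cfa_exp = 0;
+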
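Review bot: The FDE path in the `@@ -6986,11 +6997,13 @@` hunk of `display_debug_frames` still executes `start += augmentation_data_len;` before validating the length and then relies on `start >= end`, a signed view of the length, and `augmentation_data > start` to detect wraparound, whereas the same patch rewrites the CIE path in `read_cie` to compare the length against the remaining space first; forming a pointer past the buffer is undefined before any of those comparisons run. Making the FDE path match would be `if (augmentation_data_len > (bfd_size_type) (end - start))` ahead of the add, at which point the `bfd_signed_vma` cast and the pointer-order term are no longer needed. In the new `display_augmentation_data`, `i = printf (...)` stores an `int` return in the unsigned `bfd_size_type i`, so a negative return on a stream error silently becomes a huge column offset in `(80 - i) / 3`; holding the width in a separate `int` first costs nothing. Both enclosing functions continue outside their hunks.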
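--- /dev/null
+++ b/PATCH_FILE_4_PATH_NOT_SHOWN
@@ -0,0 +1,59 @@
+From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 21:57:29 +1030
+Subject: [PATCH] PR22307, Heap out of bounds read in
+ _bfd_elf_parse_gnu_properties
+
+When adding an unbounded increment to a pointer, you can't just check
+against the end of the buffer but also must check that overflow
+doesn't result in "negative" pointer movement. Pointer comparisons
+are signed. Better, check the increment against the space left using
+an unsigned comparison.
+
+ PR 22307
+ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+ against size left rather than comparing pointers. Reorganise loop.
+diff --git a/bfd/elf-properties.c b/bfd/elf-properties.c
+index f367aa6..bfb106e 100644
+--- a/bfd/elf-properties.c
+@@ -93,15 +93,20 @@ bad_size:
+ return FALSE;
+ }
+
+- while (1)
++ while (ptr != ptr_end)
+ {
+- unsigned int type = bfd_h_get_32 (abfd, ptr);
+- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
++ unsigned int type;
++ unsigned int datasz;
+ elf_property *prop;
+
++ if ((size_t) (ptr_end - ptr) < 8)
++ goto bad_size;
++
++ type = bfd_h_get_32 (abfd, ptr);
++ datasz = bfd_h_get_32 (abfd, ptr + 4);
+ ptr += 8;
+
+- if ((ptr + datasz) > ptr_end)
++ if (datasz > (size_t) (ptr_end - ptr))
+ {
+ _bfd_error_handler
+ (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
+@@ -183,11 +188,6 @@ bad_size:
+
+ next:
+ ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
+- if (ptr == ptr_end)
+- break;
+-
+- if (ptr > (ptr_end - 8))
+- goto bad_size;
+ }
+
+ return TRUE;
+-- 
+2.9.3
+
+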
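Review bot: The rewritten loop in `_bfd_elf_parse_gnu_properties` terminates on `ptr != ptr_end` and both `(size_t) (ptr_end - ptr)` comparisons are only meaningful while `ptr` has not stepped past `ptr_end`; that holds only if the total descriptor size is a multiple of `align_size`, so that the rounded-up advance at `next:` can never overshoot. The `bad_size:` label in the hunk header suggests such a check precedes the loop, but it is outside the hunk, so the invariant deserves a comment on the `while` line, e.g. `/* descsz is a multiple of align_size and every advance is too, so ptr lands exactly on ptr_end. */`. The readelf.c patch in this series walks the same structure with `while (ptr < ptr_end)`, which would also stop on an overshoot; using one form in both places would make the intended invariant explicit. The enclosing function continues outside the hunks.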
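--- /dev/null
+++ b/PATCH_FILE_5_PATH_NOT_SHOWN
@@ -0,0 +1,69 @@
+From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
+From: Mingi Cho <mgcho.minic@gmail.com>
+Date: Thu, 2 Nov 2017 17:01:08 +0000
+Subject: [PATCH] Work around integer overflows when readelf is checking for
+ corrupt ELF notes when run on a 32-bit host.
+
+ PR 22384
+ * readelf.c (print_gnu_property_note): Improve overflow checks so
+ that they will work on a 32-bit host.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 9af5d42..cfd37eb 100644
+--- a/binutils/readelf.c
+@@ -16519,15 +16519,24 @@ print_gnu_property_note (Elf_Internal_Note * pnote)
+ return;
+ }
+
+- while (1)
++ while (ptr < ptr_end)
+ {
+ unsigned int j;
+- unsigned int type = byte_get (ptr, 4);
+- unsigned int datasz = byte_get (ptr + 4, 4);
++ unsigned int type;
++ unsigned int datasz;
++
++ if ((size_t) (ptr_end - ptr) < 8)
++ {
++ printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
++ break;
++ }
++
++ type = byte_get (ptr, 4);
++ datasz = byte_get (ptr + 4, 4);
+
+ ptr += 8;
+
+- if ((ptr + datasz) > ptr_end)
++ if (datasz > (size_t) (ptr_end - ptr))
+ {
+ printf (_("<corrupt type (%#x) datasz: %#x>\n"),
+ type, datasz);
+@@ -16608,19 +16617,11 @@ next:
+ ptr += ((datasz + (size - 1)) & ~ (size - 1));
+ if (ptr == ptr_end)
+ break;
+- else
+- {
+- if (do_wide)
+- printf (", ");
+- else
+- printf ("\n\t");
+- }
+
+- if (ptr > (ptr_end - 8))
+- {
+- printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+- break;
+- }
++ if (do_wide)
++ printf (", ");
++ else
++ printf ("\n\t");
+ }
+
+ printf ("\n");
+-- 
+2.9.3
+
+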
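--- /dev/null
+++ b/PATCH_FILE_6_PATH_NOT_SHOWN
@@ -0,0 +1,39 @@
+diff -rup binutils-2.29.1/bfd/coffgen.c binutils-2.29.1-new/bfd/coffgen.c
+--- binutils-2.29.1/bfd/coffgen.c 2017-07-10 02:54:41.000000000 -0700
+@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf
+ size = obj_raw_syment_count (abfd) * symesz;
+ if (size == 0)
+ return TRUE;
++ /* Check for integer overflow and for unreasonable symbol counts. */
++ if (size < obj_raw_syment_count (abfd)
++ || (bfd_get_file_size (abfd) > 0
++ && size > bfd_get_file_size (abfd)))
++
++ {
++ _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"),
++ abfd, obj_raw_syment_count (abfd));
++ return FALSE;
++ }
+
+ syms = bfd_malloc (size);
+ if (syms == NULL)
+ {
+ /* PR 21013: Provide an error message when the alloc fails. */
+- _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"),
+- abfd, size);
++ _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"),
++ abfd, obj_raw_syment_count (abfd), symesz);
+ return FALSE;
+ }
+
+@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd)
+ return NULL;
+
+ size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
++ /* Check for integer overflow. */
++ if (size < obj_raw_syment_count (abfd))
++ return NULL;
+ internal = (combined_entry_type *) bfd_zalloc (abfd, size);
+ if (internal == NULL && size != 0)
+ return NULL;
+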
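Review bot: `size < obj_raw_syment_count (abfd)` in the `_bfd_coff_get_external_symbols` hunk is not a complete multiplication-overflow check: when the product wraps, the truncated value is not necessarily smaller than the count (for a 32-bit `size`, a count of 0x40000000 times an 18-byte entry wraps to 0x80000000 and passes), so on hosts where `size` is narrower than the true product some corrupt counts still reach `bfd_malloc (size)` unless the file-size term catches them. The robust form is `if (size / symesz != obj_raw_syment_count (abfd))`, which is safe here because `symesz` cannot be zero once `size != 0`; the `coff_get_normalized_symtab` hunk has the same weakness with `sizeof (combined_entry_type)`. The `%#Lx` conversions also need arguments of whatever 64-bit type `%L` expects, and since the types of `obj_raw_syment_count` and `symesz` are not visible here, an explicit widening cast would remove the doubt; the stray blank line between the closing `)` and the `{` of the new condition should go too. Both enclosing functions continue outside their hunks.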
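--- /dev/null
+++ b/PATCH_FILE_7_PATH_NOT_SHOWN
@@ -0,0 +1,39 @@
+From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 31 Oct 2017 14:29:40 +0000
+Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary
+ with a corrupt data dictionary.
+
+ PR 22373
+ * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
+ offset values.
+diff --git a/bfd/peicode.h b/bfd/peicode.h
+index 2dffb12..f3b759c 100644
+--- a/bfd/peicode.h
+@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
+ bfd_byte *data = 0;
+ bfd_size_type dataoff;
+ unsigned int i;
+-
+ bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
+ bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
+
+@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
+
+ dataoff = addr - section->vma;
+
+- /* PR 20605: Make sure that the data is really there. */
+- if (dataoff + size > section->size)
++ /* PR 20605 and 22373: Make sure that the data is really there.
++ Note - since we are dealing with unsigned quantities we have
++ to be careful to check for potential overflows. */
++ if (dataoff > section->size
++ || size > section->size
++ || dataoff + size > section->size)
+ {
+ _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
+ abfd);
+-- 
+2.9.3
+
+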
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Contains a linker, an assembler, and other tools |
2 | 2 |
Name: binutils |
3 | 3 |
Version: 2.29.1 |
4 |
-Release: 3%{?dist} |
|
4 |
+Release: 4%{?dist} |
|
5 | 5 |
License: GPLv2+ |
6 | 6 |
URL: http://www.gnu.org/software/binutils |
7 | 7 |
Group: System Environment/Base |
... | ... |
@@ -11,6 +11,14 @@ Source0: http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 binutils=172244a349d07ec205c39c0321cbc354c125e78e |
12 | 12 |
Patch0: binutils-2.29.1-CVE-2017-14729.patch |
13 | 13 |
Patch1: binutils-2.29.1-CVE-2017-15020.patch |
14 |
+Patch2: binutils-2.29.1-CVE-2017-16826.patch |
|
15 |
+Patch3: binutils-2.29.1-CVE-2017-16827.patch |
|
16 |
+Patch4: binutils-2.29.1-CVE-2017-16828.patch |
|
17 |
+Patch5: binutils-2.29.1-CVE-2017-16829.patch |
|
18 |
+Patch6: binutils-2.29.1-CVE-2017-16830.patch |
|
19 |
+Patch7: binutils-2.29.1-CVE-2017-16831.patch |
|
20 |
+Patch8: binutils-2.29.1-CVE-2017-16832.patch |
|
21 |
+ |
|
14 | 22 |
%description |
15 | 23 |
The Binutils package contains a linker, an assembler, |
16 | 24 |
and other tools for handling object files. |
... | ... |
@@ -24,6 +32,14 @@ for handling compiled objects. |
24 | 24 |
%setup -q |
25 | 25 |
%patch0 -p1 |
26 | 26 |
%patch1 -p1 |
27 |
+%patch2 -p1 |
|
28 |
+%patch3 -p1 |
|
29 |
+%patch4 -p1 |
|
30 |
+%patch5 -p1 |
|
31 |
+%patch6 -p1 |
|
32 |
+%patch7 -p1 |
|
33 |
+%patch8 -p1 |
|
34 |
+ |
|
27 | 35 |
%build |
28 | 36 |
install -vdm 755 ../binutils-build |
29 | 37 |
cd ../binutils-build |
... | ... |
@@ -110,6 +126,9 @@ make %{?_smp_mflags} check |
110 | 110 |
%{_libdir}/libopcodes.so |
111 | 111 |
|
112 | 112 |
%changelog |
113 |
+* Mon Dec 4 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-4 |
|
114 |
+- Fix CVEs CVE-2017-16826, CVE-2017-16827, CVE-2017-16828, CVE-2017-16829, |
|
115 |
+- CVE-2017-16830, CVE-2017-16831, CVE-2017-16832 |
|
113 | 116 |
* Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 2.29.1-3 |
114 | 117 |
- Aarch64 support |
115 | 118 |
- Parallel build |