Change-Id: Ieb9cd0524e6a817b4cde80e07b806d048136a82a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5418
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,40 +0,0 @@ |
1 |
-From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Tue, 17 Apr 2018 12:35:55 +0100 |
|
4 |
-Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF |
|
5 |
- information. |
|
6 |
- |
|
7 |
- PR 23064 |
|
8 |
- * dwarf.c (process_cu_tu_index): Test for a potential buffer |
|
9 |
- overrun before copying signature pointer. |
|
10 |
- binutils/ChangeLog | 6 ++++++ |
|
11 |
- binutils/dwarf.c | 13 ++++++++++++- |
|
12 |
- 2 files changed, 18 insertions(+), 1 deletion(-) |
|
13 |
- |
|
14 |
-diff --git a/binutils/dwarf.c b/binutils/dwarf.c |
|
15 |
-index 10b4e28..f94f5b2 100644 |
|
16 |
-+++ b/binutils/dwarf.c |
|
17 |
-@@ -9287,7 +9287,18 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) |
|
18 |
- } |
|
19 |
- |
|
20 |
- if (!do_display) |
|
21 |
-- memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t)); |
|
22 |
-+ { |
|
23 |
-+ size_t num_copy = sizeof (uint64_t); |
|
24 |
-+ |
|
25 |
-+ /* PR 23064: Beware of buffer overflow. */ |
|
26 |
-+ if (ph + num_copy < limit) |
|
27 |
-+ memcpy (&this_set[row - 1].signature, ph, num_copy); |
|
28 |
-+ else |
|
29 |
-+ { |
|
30 |
-+ warn (_("Signature (%p) extends beyond end of space in section\n"), ph); |
|
31 |
-+ return 0; |
|
32 |
-+ } |
|
33 |
-+ } |
|
34 |
- |
|
35 |
- prow = poffsets + (row - 1) * ncols * 4; |
|
36 |
- /* PR 17531: file: b8ce60a8. */ |
|
37 |
-2.9.3 |
38 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,15 +0,0 @@ |
1 |
-diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c |
|
2 |
-index ca22db7..0f8257f 100644 |
|
3 |
-+++ b/bfd/dwarf2.c |
|
4 |
-@@ -1566,7 +1566,7 @@ concat_filename (struct line_info_table *table, unsigned int file) |
|
5 |
- { |
|
6 |
- char *filename; |
|
7 |
- |
|
8 |
-- if (file - 1 >= table->num_files) |
|
9 |
-+ if (table == NULL || file - 1 >= table->num_files) |
|
10 |
- { |
|
11 |
- /* FILE == 0 means unknown. */ |
|
12 |
- if (file) |
|
13 |
-2.9.3 |
14 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,44 +0,0 @@ |
1 |
-From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Tue, 24 Apr 2018 16:57:04 +0100 |
|
4 |
-Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF |
|
5 |
- binary with corrupt section symbols. |
|
6 |
- |
|
7 |
- PR 23113 |
|
8 |
- * elf.c (ignore_section_sym): Check for the output_section pointer |
|
9 |
- being NULL before dereferencing it. |
|
10 |
- bfd/ChangeLog | 4 ++++ |
|
11 |
- bfd/elf.c | 9 ++++++++- |
|
12 |
- 2 files changed, 12 insertions(+), 1 deletion(-) |
|
13 |
- |
|
14 |
-diff --git a/bfd/elf.c b/bfd/elf.c |
|
15 |
-index 8ea5a81..092b275 100644 |
|
16 |
-+++ b/bfd/elf.c |
|
17 |
-@@ -4022,15 +4022,22 @@ ignore_section_sym (bfd *abfd, asymbol *sym) |
|
18 |
- { |
|
19 |
- elf_symbol_type *type_ptr; |
|
20 |
- |
|
21 |
-+ if (sym == NULL) |
|
22 |
-+ return FALSE; |
|
23 |
-+ |
|
24 |
- if ((sym->flags & BSF_SECTION_SYM) == 0) |
|
25 |
- return FALSE; |
|
26 |
- |
|
27 |
-+ if (sym->section == NULL) |
|
28 |
-+ return TRUE; |
|
29 |
-+ |
|
30 |
- type_ptr = elf_symbol_from (abfd, sym); |
|
31 |
- return ((type_ptr != NULL |
|
32 |
- && type_ptr->internal_elf_sym.st_shndx != 0 |
|
33 |
- && bfd_is_abs_section (sym->section)) |
|
34 |
- || !(sym->section->owner == abfd |
|
35 |
-- || (sym->section->output_section->owner == abfd |
|
36 |
-+ || (sym->section->output_section != NULL |
|
37 |
-+ && sym->section->output_section->owner == abfd |
|
38 |
- && sym->section->output_offset == 0) |
|
39 |
- || bfd_is_abs_section (sym->section))); |
|
40 |
- } |
|
41 |
-2.9.3 |
42 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,42 +0,0 @@ |
1 |
-From f2023ce7e8d70b0155cc6206c901e185260918f0 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Alan Modra <amodra@gmail.com> |
|
3 |
-Date: Thu, 1 Feb 2018 18:01:00 +1030 |
|
4 |
-Subject: [PATCH] PR22769, crash when running 32-bit objdump on corrupted file |
|
5 |
- |
|
6 |
- PR 22769 |
|
7 |
- * objdump.c (load_specific_debug_section): Check for overflow |
|
8 |
- when adding one to section size for a string section terminator. |
|
9 |
- binutils/ChangeLog | 6 ++++++ |
|
10 |
- binutils/objdump.c | 7 +++++-- |
|
11 |
- 2 files changed, 11 insertions(+), 2 deletions(-) |
|
12 |
- |
|
13 |
-diff --git a/binutils/objdump.c b/binutils/objdump.c |
|
14 |
-index 6c4d936..d8dca90 100644 |
|
15 |
-+++ b/binutils/objdump.c |
|
16 |
-@@ -2466,6 +2466,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, |
|
17 |
- struct dwarf_section *section = &debug_displays [debug].section; |
|
18 |
- bfd *abfd = (bfd *) file; |
|
19 |
- bfd_byte *contents; |
|
20 |
-+ bfd_size_type amt; |
|
21 |
- |
|
22 |
- if (section->start != NULL) |
|
23 |
- { |
|
24 |
-@@ -2480,9 +2481,11 @@ load_specific_debug_section (enum dwarf_section_display_enum debug, |
|
25 |
- section->num_relocs = 0; |
|
26 |
- section->address = bfd_get_section_vma (abfd, sec); |
|
27 |
- section->size = bfd_get_section_size (sec); |
|
28 |
-- section->start = contents = malloc (section->size + 1); |
|
29 |
-+ amt = section->size + 1; |
|
30 |
-+ section->start = contents = malloc (amt); |
|
31 |
- section->user_data = sec; |
|
32 |
-- if (section->start == NULL |
|
33 |
-+ if (amt == 0 |
|
34 |
-+ || section->start == NULL |
|
35 |
- || !bfd_get_full_section_contents (abfd, sec, &contents)) |
|
36 |
- { |
|
37 |
- free_debug_section (debug); |
|
38 |
-2.9.3 |
|
39 |
- |
40 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,89 +0,0 @@ |
1 |
-From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Tue, 6 Feb 2018 15:48:29 +0000 |
|
4 |
-Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by |
|
5 |
- chacking the size of debuglink sections. |
|
6 |
- |
|
7 |
- PR 22794 |
|
8 |
- * opncls.c (bfd_get_debug_link_info_1): Check the size of the |
|
9 |
- section before attempting to read it in. |
|
10 |
- (bfd_get_alt_debug_link_info): Likewise. |
|
11 |
- bfd/ChangeLog | 7 +++++++ |
|
12 |
- bfd/opncls.c | 22 +++++++++++++++++----- |
|
13 |
- 2 files changed, 24 insertions(+), 5 deletions(-) |
|
14 |
- |
|
15 |
-diff --git a/bfd/opncls.c b/bfd/opncls.c |
|
16 |
-index 458f06e..16b568c 100644 |
|
17 |
-+++ b/bfd/opncls.c |
|
18 |
-@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out) |
|
19 |
- bfd_byte *contents; |
|
20 |
- unsigned int crc_offset; |
|
21 |
- char *name; |
|
22 |
-+ bfd_size_type size; |
|
23 |
- |
|
24 |
- BFD_ASSERT (abfd); |
|
25 |
- BFD_ASSERT (crc32_out); |
|
26 |
-@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out) |
|
27 |
- if (sect == NULL) |
|
28 |
- return NULL; |
|
29 |
- |
|
30 |
-+ size = bfd_get_section_size (sect); |
|
31 |
-+ |
|
32 |
-+ /* PR 22794: Make sure that the section has a reasonable size. */ |
|
33 |
-+ if (size < 8 || size >= bfd_get_size (abfd)) |
|
34 |
-+ return NULL; |
|
35 |
-+ |
|
36 |
- if (!bfd_malloc_and_get_section (abfd, sect, &contents)) |
|
37 |
- { |
|
38 |
- if (contents != NULL) |
|
39 |
-@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out) |
|
40 |
- |
|
41 |
- /* CRC value is stored after the filename, aligned up to 4 bytes. */ |
|
42 |
- name = (char *) contents; |
|
43 |
-- /* PR 17597: avoid reading off the end of the buffer. */ |
|
44 |
-- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; |
|
45 |
-+ /* PR 17597: Avoid reading off the end of the buffer. */ |
|
46 |
-+ crc_offset = strnlen (name, size) + 1; |
|
47 |
- crc_offset = (crc_offset + 3) & ~3; |
|
48 |
-- if (crc_offset + 4 > bfd_get_section_size (sect)) |
|
49 |
-+ if (crc_offset + 4 > size) |
|
50 |
- return NULL; |
|
51 |
- |
|
52 |
- *crc32 = bfd_get_32 (abfd, contents + crc_offset); |
|
53 |
-@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len, |
|
54 |
- bfd_byte *contents; |
|
55 |
- unsigned int buildid_offset; |
|
56 |
- char *name; |
|
57 |
-+ bfd_size_type size; |
|
58 |
- |
|
59 |
- BFD_ASSERT (abfd); |
|
60 |
- BFD_ASSERT (buildid_len); |
|
61 |
-@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len, |
|
62 |
- if (sect == NULL) |
|
63 |
- return NULL; |
|
64 |
- |
|
65 |
-+ size = bfd_get_section_size (sect); |
|
66 |
-+ if (size < 8 || size >= bfd_get_size (abfd)) |
|
67 |
-+ return NULL; |
|
68 |
-+ |
|
69 |
- if (!bfd_malloc_and_get_section (abfd, sect, & contents)) |
|
70 |
- { |
|
71 |
- if (contents != NULL) |
|
72 |
-@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len, |
|
73 |
- |
|
74 |
- /* BuildID value is stored after the filename. */ |
|
75 |
- name = (char *) contents; |
|
76 |
-- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; |
|
77 |
-+ buildid_offset = strnlen (name, size) + 1; |
|
78 |
- if (buildid_offset >= bfd_get_section_size (sect)) |
|
79 |
- return NULL; |
|
80 |
- |
|
81 |
-- *buildid_len = bfd_get_section_size (sect) - buildid_offset; |
|
82 |
-+ *buildid_len = size - buildid_offset; |
|
83 |
- *buildid_out = bfd_malloc (*buildid_len); |
|
84 |
- memcpy (*buildid_out, contents + buildid_offset, *buildid_len); |
|
85 |
- |
|
86 |
-2.9.3 |
87 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,29 +0,0 @@ |
1 |
-From ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Thu, 8 Feb 2018 10:28:25 +0000 |
|
4 |
-Subject: [PATCH 1/1] Fix a seg-fault in the ELF note parser when a note with |
|
5 |
- an excessively large alignment is encountered. |
|
6 |
- |
|
7 |
- PR 22788 |
|
8 |
- * elf.c (elf_parse_notes): Reject notes with excessuively large |
|
9 |
- alignments. |
|
10 |
- bfd/ChangeLog | 6 ++++++ |
|
11 |
- bfd/elf.c | 2 ++ |
|
12 |
- 2 files changed, 8 insertions(+) |
|
13 |
- |
|
14 |
-diff --git a/bfd/elf.c b/bfd/elf.c |
|
15 |
-index dedf35f..db1e076 100644 |
|
16 |
-+++ b/bfd/elf.c |
|
17 |
-@@ -11012,6 +11012,8 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset, |
|
18 |
- align is less than 4, we use 4 byte alignment. */ |
|
19 |
- if (align < 4) |
|
20 |
- align = 4; |
|
21 |
-+ if (align != 4 && align != 8) |
|
22 |
-+ return FALSE; |
|
23 |
- |
|
24 |
- p = buf; |
|
25 |
- while (p < buf + size) |
|
26 |
-2.9.3 |
27 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,30 +0,0 @@ |
1 |
-From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Alan Modra <amodra@gmail.com> |
|
3 |
-Date: Sat, 27 Jan 2018 08:19:33 +1030 |
|
4 |
-Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object |
|
5 |
- |
|
6 |
- PR 22741 |
|
7 |
- * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in |
|
8 |
- range before converting to a symbol table pointer. |
|
9 |
- bfd/ChangeLog | 6 ++++++ |
|
10 |
- bfd/coffgen.c | 3 ++- |
|
11 |
- 2 files changed, 8 insertions(+), 1 deletion(-) |
|
12 |
- |
|
13 |
-diff --git a/bfd/coffgen.c b/bfd/coffgen.c |
|
14 |
-index b241087..4f90ead 100644 |
|
15 |
-+++ b/bfd/coffgen.c |
|
16 |
-@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd, |
|
17 |
- } |
|
18 |
- /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can |
|
19 |
- generate one, so we must be careful to ignore it. */ |
|
20 |
-- if (auxent->u.auxent.x_sym.x_tagndx.l > 0) |
|
21 |
-+ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l |
|
22 |
-+ < obj_raw_syment_count (abfd)) |
|
23 |
- { |
|
24 |
- auxent->u.auxent.x_sym.x_tagndx.p = |
|
25 |
- table_base + auxent->u.auxent.x_sym.x_tagndx.l; |
|
26 |
-2.9.3 |
|
27 |
- |
28 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,55 +0,0 @@ |
1 |
-From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Wed, 28 Feb 2018 10:13:54 +0000 |
|
4 |
-Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1 |
|
5 |
- debug information. |
|
6 |
- |
|
7 |
- PR 22894 |
|
8 |
- * dwarf1.c (parse_die): Check the length of form blocks before |
|
9 |
- advancing the data pointer. |
|
10 |
- bfd/ChangeLog | 6 ++++++ |
|
11 |
- bfd/dwarf1.c | 17 +++++++++++++++-- |
|
12 |
- 2 files changed, 21 insertions(+), 2 deletions(-) |
|
13 |
- |
|
14 |
-diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c |
|
15 |
-index 71bc57b..f272ea8 100644 |
|
16 |
-+++ b/bfd/dwarf1.c |
|
17 |
-@@ -213,6 +213,7 @@ parse_die (bfd * abfd, |
|
18 |
- /* Then the attributes. */ |
|
19 |
- while (xptr + 2 <= aDiePtrEnd) |
|
20 |
- { |
|
21 |
-+ unsigned int block_len; |
|
22 |
- unsigned short attr; |
|
23 |
- |
|
24 |
- /* Parse the attribute based on its form. This section |
|
25 |
-@@ -255,12 +256,24 @@ parse_die (bfd * abfd, |
|
26 |
- break; |
|
27 |
- case FORM_BLOCK2: |
|
28 |
- if (xptr + 2 <= aDiePtrEnd) |
|
29 |
-- xptr += bfd_get_16 (abfd, xptr); |
|
30 |
-+ { |
|
31 |
-+ block_len = bfd_get_16 (abfd, xptr); |
|
32 |
-+ if (xptr + block_len > aDiePtrEnd |
|
33 |
-+ || xptr + block_len < xptr) |
|
34 |
-+ return FALSE; |
|
35 |
-+ xptr += block_len; |
|
36 |
-+ } |
|
37 |
- xptr += 2; |
|
38 |
- break; |
|
39 |
- case FORM_BLOCK4: |
|
40 |
- if (xptr + 4 <= aDiePtrEnd) |
|
41 |
-- xptr += bfd_get_32 (abfd, xptr); |
|
42 |
-+ { |
|
43 |
-+ block_len = bfd_get_32 (abfd, xptr); |
|
44 |
-+ if (xptr + block_len > aDiePtrEnd |
|
45 |
-+ || xptr + block_len < xptr) |
|
46 |
-+ return FALSE; |
|
47 |
-+ xptr += block_len; |
|
48 |
-+ } |
|
49 |
- xptr += 4; |
|
50 |
- break; |
|
51 |
- case FORM_STRING: |
|
52 |
-2.9.3 |
53 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,96 +0,0 @@ |
1 |
-From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Wed, 28 Feb 2018 11:50:49 +0000 |
|
4 |
-Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF |
|
5 |
- FORM blocks. |
|
6 |
- |
|
7 |
- PR 22895 |
|
8 |
- PR 22893 |
|
9 |
- * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block |
|
10 |
- pointer. Drop unused abfd parameter. Check the size of the block |
|
11 |
- before initialising the data field. Return the end pointer if the |
|
12 |
- size is invalid. |
|
13 |
- (read_attribute_value): Adjust invocations of read_n_bytes. |
|
14 |
- bfd/ChangeLog | 8 ++++++++ |
|
15 |
- bfd/dwarf2.c | 36 +++++++++++++++++++++--------------- |
|
16 |
- 2 files changed, 29 insertions(+), 15 deletions(-) |
|
17 |
- |
|
18 |
-diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c |
|
19 |
-index 2413542..ca22db7 100644 |
|
20 |
-+++ b/bfd/dwarf2.c |
|
21 |
-@@ -623,14 +623,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, bfd_byte *end) |
|
22 |
- } |
|
23 |
- |
|
24 |
- static bfd_byte * |
|
25 |
--read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED, |
|
26 |
-- bfd_byte *buf, |
|
27 |
-- bfd_byte *end, |
|
28 |
-- unsigned int size ATTRIBUTE_UNUSED) |
|
29 |
-+read_n_bytes (bfd_byte * buf, |
|
30 |
-+ bfd_byte * end, |
|
31 |
-+ struct dwarf_block * block) |
|
32 |
- { |
|
33 |
-- if (buf + size > end) |
|
34 |
-- return NULL; |
|
35 |
-- return buf; |
|
36 |
-+ unsigned int size = block->size; |
|
37 |
-+ bfd_byte * block_end = buf + size; |
|
38 |
-+ |
|
39 |
-+ if (block_end > end || block_end < buf) |
|
40 |
-+ { |
|
41 |
-+ block->data = NULL; |
|
42 |
-+ block->size = 0; |
|
43 |
-+ return end; |
|
44 |
-+ } |
|
45 |
-+ else |
|
46 |
-+ { |
|
47 |
-+ block->data = buf; |
|
48 |
-+ return block_end; |
|
49 |
-+ } |
|
50 |
- } |
|
51 |
- |
|
52 |
- /* Scans a NUL terminated string starting at BUF, returning a pointer to it. |
|
53 |
-@@ -1128,8 +1138,7 @@ read_attribute_value (struct attribute * attr, |
|
54 |
- return NULL; |
|
55 |
- blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end); |
|
56 |
- info_ptr += 2; |
|
57 |
-- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
|
58 |
-- info_ptr += blk->size; |
|
59 |
-+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
|
60 |
- attr->u.blk = blk; |
|
61 |
- break; |
|
62 |
- case DW_FORM_block4: |
|
63 |
-@@ -1139,8 +1148,7 @@ read_attribute_value (struct attribute * attr, |
|
64 |
- return NULL; |
|
65 |
- blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end); |
|
66 |
- info_ptr += 4; |
|
67 |
-- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
|
68 |
-- info_ptr += blk->size; |
|
69 |
-+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
|
70 |
- attr->u.blk = blk; |
|
71 |
- break; |
|
72 |
- case DW_FORM_data2: |
|
73 |
-@@ -1180,8 +1188,7 @@ read_attribute_value (struct attribute * attr, |
|
74 |
- blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read, |
|
75 |
- FALSE, info_ptr_end); |
|
76 |
- info_ptr += bytes_read; |
|
77 |
-- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
|
78 |
-- info_ptr += blk->size; |
|
79 |
-+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
|
80 |
- attr->u.blk = blk; |
|
81 |
- break; |
|
82 |
- case DW_FORM_block1: |
|
83 |
-@@ -1191,8 +1198,7 @@ read_attribute_value (struct attribute * attr, |
|
84 |
- return NULL; |
|
85 |
- blk->size = read_1_byte (abfd, info_ptr, info_ptr_end); |
|
86 |
- info_ptr += 1; |
|
87 |
-- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
|
88 |
-- info_ptr += blk->size; |
|
89 |
-+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
|
90 |
- attr->u.blk = blk; |
|
91 |
- break; |
|
92 |
- case DW_FORM_data1: |
|
93 |
-2.9.3 |
94 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,34 +0,0 @@ |
1 |
-From 116acb2c268c89c89186673a7c92620d21825b25 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Alan Modra <amodra@gmail.com> |
|
3 |
-Date: Wed, 28 Feb 2018 22:09:50 +1030 |
|
4 |
-Subject: [PATCH] PR22887, null pointer dereference in |
|
5 |
- aout_32_swap_std_reloc_out |
|
6 |
- |
|
7 |
- PR 22887 |
|
8 |
- * aoutx.h (swap_std_reloc_in): Correct r_index bound check. |
|
9 |
- bfd/ChangeLog | 5 +++++ |
|
10 |
- bfd/aoutx.h | 6 ++++-- |
|
11 |
- 2 files changed, 9 insertions(+), 2 deletions(-) |
|
12 |
- |
|
13 |
-diff --git a/bfd/aoutx.h b/bfd/aoutx.h |
|
14 |
-index 4cadbfb..525e560 100644 |
|
15 |
-+++ b/bfd/aoutx.h |
|
16 |
-@@ -2289,10 +2289,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abfd, |
|
17 |
- if (r_baserel) |
|
18 |
- r_extern = 1; |
|
19 |
- |
|
20 |
-- if (r_extern && r_index > symcount) |
|
21 |
-+ if (r_extern && r_index >= symcount) |
|
22 |
- { |
|
23 |
- /* We could arrange to return an error, but it might be useful |
|
24 |
-- to see the file even if it is bad. */ |
|
25 |
-+ to see the file even if it is bad. FIXME: Of course this |
|
26 |
-+ means that objdump -r *doesn't* see the actual reloc, and |
|
27 |
-+ objcopy silently writes a different reloc. */ |
|
28 |
- r_extern = 0; |
|
29 |
- r_index = N_ABS; |
|
30 |
- } |
|
31 |
-2.9.3 |
32 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,85 +0,0 @@ |
1 |
-From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Thu, 1 Mar 2018 16:14:08 +0000 |
|
4 |
-Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow |
|
5 |
- when parsing corrupt DWARF information on a 32-bit host. |
|
6 |
- |
|
7 |
- PR 22905 |
|
8 |
- * dwarf.c (display_debug_ranges): Check that the offset loaded |
|
9 |
- from the range_entry structure is valid. |
|
10 |
- binutils/ChangeLog | 6 ++++++ |
|
11 |
- binutils/dwarf.c | 15 +++++++++++++++ |
|
12 |
- 2 files changed, 21 insertions(+) |
|
13 |
- |
|
14 |
-diff --git a/binutils/dwarf.c b/binutils/dwarf.c |
|
15 |
-index 6aca9b7..17896e6 100644 |
|
16 |
-+++ b/binutils/dwarf.c |
|
17 |
-@@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data, |
|
18 |
- } \ |
|
19 |
- while (0) |
|
20 |
- |
|
21 |
-+/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value. |
|
22 |
-+ Checks to make sure that the read will not reach or pass END |
|
23 |
-+ and that VAL is big enough to hold AMOUNT bytes. */ |
|
24 |
- #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END) \ |
|
25 |
- do \ |
|
26 |
- { \ |
|
27 |
-@@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data, |
|
28 |
- } \ |
|
29 |
- while (0) |
|
30 |
- |
|
31 |
-+/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT. */ |
|
32 |
- #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END) \ |
|
33 |
- do \ |
|
34 |
- { \ |
|
35 |
-@@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data, |
|
36 |
- } \ |
|
37 |
- while (0) |
|
38 |
- |
|
39 |
-+/* Like SAFE_BYTE_GET, but reads a signed value. */ |
|
40 |
- #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END) \ |
|
41 |
- do \ |
|
42 |
- { \ |
|
43 |
-@@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data, |
|
44 |
- } \ |
|
45 |
- while (0) |
|
46 |
- |
|
47 |
-+/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT. */ |
|
48 |
- #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END) \ |
|
49 |
- do \ |
|
50 |
- { \ |
|
51 |
-@@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char *start, unsigned char *finish, |
|
52 |
- break; |
|
53 |
- SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish); |
|
54 |
- |
|
55 |
-+ |
|
56 |
- printf (" %8.8lx ", offset); |
|
57 |
- |
|
58 |
- if (begin == 0 && end == 0) |
|
59 |
-@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_section *section, |
|
60 |
- continue; |
|
61 |
- } |
|
62 |
- |
|
63 |
-+ if (next < section_begin || next >= finish) |
|
64 |
-+ { |
|
65 |
-+ warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"), |
|
66 |
-+ (unsigned long) offset, i); |
|
67 |
-+ continue; |
|
68 |
-+ } |
|
69 |
-+ |
|
70 |
- if (dwarf_check != 0 && i > 0) |
|
71 |
- { |
|
72 |
- if (start < next) |
|
73 |
-@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_section *section, |
|
74 |
- (unsigned long) (next - section_begin), section->name); |
|
75 |
- } |
|
76 |
- } |
|
77 |
-+ |
|
78 |
- start = next; |
|
79 |
- last_start = next; |
|
80 |
- |
|
81 |
-2.9.3 |
|
82 |
- |
83 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,51 +0,0 @@ |
1 |
-From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Nick Clifton <nickc@redhat.com> |
|
3 |
-Date: Tue, 8 May 2018 12:51:06 +0100 |
|
4 |
-Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a |
|
5 |
- fuzzed input file with corrupt string and attribute sections. |
|
6 |
- |
|
7 |
- PR 22809 |
|
8 |
- * elf.c (bfd_elf_get_str_section): Check for an excessively large |
|
9 |
- string section. |
|
10 |
- * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the |
|
11 |
- attribute section is larger than the size of the file. |
|
12 |
- bfd/ChangeLog | 8 ++++++++ |
|
13 |
- bfd/elf-attrs.c | 9 +++++++++ |
|
14 |
- bfd/elf.c | 1 + |
|
15 |
- 3 files changed, 18 insertions(+) |
|
16 |
- |
|
17 |
-diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c |
|
18 |
-index dfdf1a5..b353309 100644 |
|
19 |
-+++ b/bfd/elf-attrs.c |
|
20 |
-@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr) |
|
21 |
- /* PR 17512: file: 2844a11d. */ |
|
22 |
- if (hdr->sh_size == 0) |
|
23 |
- return; |
|
24 |
-+ if (hdr->sh_size > bfd_get_file_size (abfd)) |
|
25 |
-+ { |
|
26 |
-+ /* xgettext:c-format */ |
|
27 |
-+ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), |
|
28 |
-+ abfd, hdr->bfd_section, (long long) hdr->sh_size); |
|
29 |
-+ bfd_set_error (bfd_error_invalid_operation); |
|
30 |
-+ return; |
|
31 |
-+ } |
|
32 |
-+ |
|
33 |
- contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1); |
|
34 |
- if (!contents) |
|
35 |
- return; |
|
36 |
-diff --git a/bfd/elf.c b/bfd/elf.c |
|
37 |
-index 21bc4e7..3e8d510 100644 |
|
38 |
-+++ b/bfd/elf.c |
|
39 |
-@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsigned int shindex) |
|
40 |
- /* Allocate and clear an extra byte at the end, to prevent crashes |
|
41 |
- in case the string table is not terminated. */ |
|
42 |
- if (shstrtabsize + 1 <= 1 |
|
43 |
-+ || shstrtabsize > bfd_get_file_size (abfd) |
|
44 |
- || bfd_seek (abfd, offset, SEEK_SET) != 0 |
|
45 |
- || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL) |
|
46 |
- shstrtab = NULL; |
|
47 |
-2.9.3 |
... | ... |
@@ -1,26 +1,15 @@ |
1 | 1 |
Summary: Contains a linker, an assembler, and other tools |
2 | 2 |
Name: binutils |
3 |
-Version: 2.30 |
|
4 |
-Release: 5%{?dist} |
|
3 |
+Version: 2.31 |
|
4 |
+Release: 1%{?dist} |
|
5 | 5 |
License: GPLv2+ |
6 | 6 |
URL: http://www.gnu.org/software/binutils |
7 | 7 |
Group: System Environment/Base |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz |
11 |
-%define sha1 binutils=574d3b5650413d6ee65195a4f5ecbddc3a38f718 |
|
12 |
-Patch0: binutils-2.30-CVE-2018-6543.patch |
|
13 |
-Patch1: binutils-2.30-CVE-2018-7643.patch |
|
14 |
-Patch2: binutils-2.30-CVE-2018-7208.patch |
|
15 |
-Patch3: binutils-2.30-CVE-2018-10373.patch |
|
16 |
-Patch4: binutils-2.30-CVE-2018-6759.patch |
|
17 |
-Patch5: binutils-2.30-CVE-2018-6872.patch |
|
18 |
-Patch6: binutils-2.30-CVE-2018-7568.patch |
|
19 |
-Patch7: binutils-2.30-CVE-2018-7569.patch |
|
20 |
-Patch8: binutils-2.30-CVE-2018-7642.patch |
|
21 |
-Patch9: binutils-2.30-CVE-2018-8945.patch |
|
22 |
-Patch10: binutils-2.30-CVE-2018-10372.patch |
|
23 |
-Patch11: binutils-2.30-CVE-2018-10535.patch |
|
11 |
+%define sha1 binutils=e1a564cd356d2126d2e9a59e8587757634e731aa |
|
12 |
+ |
|
24 | 13 |
%description |
25 | 14 |
The Binutils package contains a linker, an assembler, |
26 | 15 |
and other tools for handling object files. |
... | ... |
@@ -34,18 +23,6 @@ for handling compiled objects. |
34 | 34 |
|
35 | 35 |
%prep |
36 | 36 |
%setup -q |
37 |
-%patch0 -p1 |
|
38 |
-%patch1 -p1 |
|
39 |
-%patch2 -p1 |
|
40 |
-%patch3 -p1 |
|
41 |
-%patch4 -p1 |
|
42 |
-%patch5 -p1 |
|
43 |
-%patch6 -p1 |
|
44 |
-%patch7 -p1 |
|
45 |
-%patch8 -p1 |
|
46 |
-%patch9 -p1 |
|
47 |
-%patch10 -p1 |
|
48 |
-%patch11 -p1 |
|
49 | 37 |
|
50 | 38 |
%build |
51 | 39 |
install -vdm 755 ../binutils-build |
... | ... |
@@ -103,7 +80,6 @@ make %{?_smp_mflags} check |
103 | 103 |
%{_mandir}/man1/windmc.1.gz |
104 | 104 |
%{_mandir}/man1/ranlib.1.gz |
105 | 105 |
%{_mandir}/man1/gprof.1.gz |
106 |
-%{_mandir}/man1/nlmconv.1.gz |
|
107 | 106 |
%{_mandir}/man1/strip.1.gz |
108 | 107 |
%{_mandir}/man1/c++filt.1.gz |
109 | 108 |
%{_mandir}/man1/as.1.gz |
... | ... |
@@ -128,12 +104,15 @@ make %{?_smp_mflags} check |
128 | 128 |
%{_includedir}/ansidecl.h |
129 | 129 |
%{_includedir}/bfdlink.h |
130 | 130 |
%{_includedir}/dis-asm.h |
131 |
+%{_includedir}/diagnostics.h |
|
131 | 132 |
%{_libdir}/libbfd.a |
132 | 133 |
%{_libdir}/libopcodes.a |
133 | 134 |
%{_libdir}/libbfd.so |
134 | 135 |
%{_libdir}/libopcodes.so |
135 | 136 |
|
136 | 137 |
%changelog |
138 |
+* Fri Jul 27 2018 Keerthana K <keerthanak@vmware.com> 2.31-1 |
|
139 |
+- Update to Version 2.31. |
|
137 | 140 |
* Mon Jun 25 2018 Keerthana K <keerthanak@vmware.com> 2.30-5 |
138 | 141 |
- Fixes for CVE-2018-6759, CVE-2018-6872, CVE-2018-7568, CVE-2018-7569, |
139 | 142 |
- CVE-2018-7642, CVE-2018-8945, CVE-2018-10372, CVE-2018-10535. |
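Review bot: The new changelog entry `- Update to Version 2.31.` does not record that Patch0 through Patch11 (the twelve CVE-2018-* fixes) and their `%patch` lines are dropped in the first two hunks of this spec change, so the package history no longer shows where those fixes went. The removed patch files that carry a header are dated between January and May 2018, so the fixes are presumably part of the 2.31 tarball, but that should be confirmed per CVE and then stated, e.g. `- Update to Version 2.31; drop CVE patches that are included upstream.` Separately, the new `%define sha1` value is the only integrity check visible here for a tarball that `Source0` fetches over `http://`. Consider an `https://` URL for Source0, and verifying the upstream release signature if the build tooling supports it.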