Change-Id: Ib2c2ddbe4c0a6c651e3b802d0176dee74221ea61
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4548
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,337 @@ |
0 |
+From b23dc97fe237a1d9e850d7cbeee066183a00630b Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Tue, 28 Nov 2017 13:20:31 +0000 |
|
3 |
+Subject: [PATCH] Fix a memory access violation when attempting to parse a |
|
4 |
+ corrupt COFF binary with a relocation that points beyond the end of the |
|
5 |
+ section to be relocated. |
|
6 |
+ |
|
7 |
+ PR 22506 |
|
8 |
+ * reloc.c (reloc_offset_in_range): Rename to |
|
9 |
+ bfd_reloc_offset_in_range and export. |
|
10 |
+ (bfd_perform_relocation): Rename function invocation. |
|
11 |
+ (bfd_install_relocation): Likewise. |
|
12 |
+ (bfd_final_link_relocate): Likewise. |
|
13 |
+ * bfd-in2.h: Regenerate. |
|
14 |
+ * coff-arm.c (coff_arm_reloc): Use bfd_reloc_offset_in_range. |
|
15 |
+ * coff-i386.c (coff_i386_reloc): Likewise. |
|
16 |
+ * coff-i860.c (coff_i860_reloc): Likewise. |
|
17 |
+ * coff-m68k.c (mk68kcoff_common_addend_special_fn): Likewise. |
|
18 |
+ * coff-m88k.c (m88k_special_reloc): Likewise. |
|
19 |
+ * coff-mips.c (mips_reflo_reloc): Likewise. |
|
20 |
+ * coff-x86_64.c (coff_amd64_reloc): Likewise. |
|
21 |
+--- |
|
22 |
+ bfd/bfd-in2.h | 6 +++++ |
|
23 |
+ bfd/coff-arm.c | 65 ++++++++++++++++++++++++++++++------------------------- |
|
24 |
+ bfd/coff-i386.c | 5 +++++ |
|
25 |
+ bfd/coff-i860.c | 5 +++++ |
|
26 |
+ bfd/coff-m68k.c | 5 +++++ |
|
27 |
+ bfd/coff-m88k.c | 9 +++++++- |
|
28 |
+ bfd/coff-mips.c | 6 +++++ |
|
29 |
+ bfd/coff-x86_64.c | 16 +++++--------- |
|
30 |
+ bfd/reloc.c | 40 +++++++++++++++++++++++++++++----- |
|
31 |
+ |
|
32 |
+diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h |
|
33 |
+index 1b483bd..db1c480 100644 |
|
34 |
+--- a/bfd/bfd-in2.h |
|
35 |
+@@ -2662,6 +2662,12 @@ bfd_reloc_status_type bfd_check_overflow |
|
36 |
+ unsigned int addrsize, |
|
37 |
+ bfd_vma relocation); |
|
38 |
+ |
|
39 |
++bfd_boolean bfd_reloc_offset_in_range |
|
40 |
++ (reloc_howto_type *howto, |
|
41 |
++ bfd *abfd, |
|
42 |
++ asection *section, |
|
43 |
++ bfd_size_type offset); |
|
44 |
++ |
|
45 |
+ bfd_reloc_status_type bfd_perform_relocation |
|
46 |
+ (bfd *abfd, |
|
47 |
+ arelent *reloc_entry, |
|
48 |
+diff --git a/bfd/coff-arm.c b/bfd/coff-arm.c |
|
49 |
+index 8a2fe1a..1e66cbc 100644 |
|
50 |
+--- a/bfd/coff-arm.c |
|
51 |
+@@ -109,41 +109,46 @@ coff_arm_reloc (bfd *abfd, |
|
52 |
+ x = ((x & ~howto->dst_mask) \ |
|
53 |
+ | (((x & howto->src_mask) + diff) & howto->dst_mask)) |
|
54 |
+ |
|
55 |
+- if (diff != 0) |
|
56 |
+- { |
|
57 |
+- reloc_howto_type *howto = reloc_entry->howto; |
|
58 |
+- unsigned char *addr = (unsigned char *) data + reloc_entry->address; |
|
59 |
++ if (diff != 0) |
|
60 |
++ { |
|
61 |
++ reloc_howto_type *howto = reloc_entry->howto; |
|
62 |
++ unsigned char *addr = (unsigned char *) data + reloc_entry->address; |
|
63 |
+ |
|
64 |
+- switch (howto->size) |
|
65 |
+- { |
|
66 |
+- case 0: |
|
67 |
+- { |
|
68 |
+- char x = bfd_get_8 (abfd, addr); |
|
69 |
+- DOIT (x); |
|
70 |
+- bfd_put_8 (abfd, x, addr); |
|
71 |
+- } |
|
72 |
+- break; |
|
73 |
++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, |
|
74 |
++ reloc_entry->address |
|
75 |
++ * bfd_octets_per_byte (abfd))) |
|
76 |
++ return bfd_reloc_outofrange; |
|
77 |
+ |
|
78 |
+- case 1: |
|
79 |
+- { |
|
80 |
+- short x = bfd_get_16 (abfd, addr); |
|
81 |
+- DOIT (x); |
|
82 |
+- bfd_put_16 (abfd, (bfd_vma) x, addr); |
|
83 |
+- } |
|
84 |
+- break; |
|
85 |
++ switch (howto->size) |
|
86 |
++ { |
|
87 |
++ case 0: |
|
88 |
++ { |
|
89 |
++ char x = bfd_get_8 (abfd, addr); |
|
90 |
++ DOIT (x); |
|
91 |
++ bfd_put_8 (abfd, x, addr); |
|
92 |
++ } |
|
93 |
++ break; |
|
94 |
+ |
|
95 |
+- case 2: |
|
96 |
+- { |
|
97 |
+- long x = bfd_get_32 (abfd, addr); |
|
98 |
+- DOIT (x); |
|
99 |
+- bfd_put_32 (abfd, (bfd_vma) x, addr); |
|
100 |
+- } |
|
101 |
+- break; |
|
102 |
++ case 1: |
|
103 |
++ { |
|
104 |
++ short x = bfd_get_16 (abfd, addr); |
|
105 |
++ DOIT (x); |
|
106 |
++ bfd_put_16 (abfd, (bfd_vma) x, addr); |
|
107 |
++ } |
|
108 |
++ break; |
|
109 |
+ |
|
110 |
+- default: |
|
111 |
+- abort (); |
|
112 |
++ case 2: |
|
113 |
++ { |
|
114 |
++ long x = bfd_get_32 (abfd, addr); |
|
115 |
++ DOIT (x); |
|
116 |
++ bfd_put_32 (abfd, (bfd_vma) x, addr); |
|
117 |
+ } |
|
118 |
+- } |
|
119 |
++ break; |
|
120 |
++ |
|
121 |
++ default: |
|
122 |
++ abort (); |
|
123 |
++ } |
|
124 |
++ } |
|
125 |
+ |
|
126 |
+ /* Now let bfd_perform_relocation finish everything up. */ |
|
127 |
+ return bfd_reloc_continue; |
|
128 |
+diff --git a/bfd/coff-i386.c b/bfd/coff-i386.c |
|
129 |
+index b6ef597..91371d8 100644 |
|
130 |
+--- a/bfd/coff-i386.c |
|
131 |
+@@ -144,6 +144,11 @@ coff_i386_reloc (bfd *abfd, |
|
132 |
+ reloc_howto_type *howto = reloc_entry->howto; |
|
133 |
+ unsigned char *addr = (unsigned char *) data + reloc_entry->address; |
|
134 |
+ |
|
135 |
++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, |
|
136 |
++ reloc_entry->address |
|
137 |
++ * bfd_octets_per_byte (abfd))) |
|
138 |
++ return bfd_reloc_outofrange; |
|
139 |
++ |
|
140 |
+ switch (howto->size) |
|
141 |
+ { |
|
142 |
+ case 0: |
|
143 |
+diff --git a/bfd/coff-i860.c b/bfd/coff-i860.c |
|
144 |
+index a3c22c6..e2e49f9 100644 |
|
145 |
+--- a/bfd/coff-i860.c |
|
146 |
+@@ -95,6 +95,11 @@ coff_i860_reloc (bfd *abfd, |
|
147 |
+ reloc_howto_type *howto = reloc_entry->howto; |
|
148 |
+ unsigned char *addr = (unsigned char *) data + reloc_entry->address; |
|
149 |
+ |
|
150 |
++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, |
|
151 |
++ reloc_entry->address |
|
152 |
++ * bfd_octets_per_byte (abfd))) |
|
153 |
++ return bfd_reloc_outofrange; |
|
154 |
++ |
|
155 |
+ switch (howto->size) |
|
156 |
+ { |
|
157 |
+ case 0: |
|
158 |
+diff --git a/bfd/coff-m68k.c b/bfd/coff-m68k.c |
|
159 |
+index dff6e1d..1730c11 100644 |
|
160 |
+--- a/bfd/coff-m68k.c |
|
161 |
+@@ -305,6 +305,11 @@ m68kcoff_common_addend_special_fn (bfd *abfd, |
|
162 |
+ reloc_howto_type *howto = reloc_entry->howto; |
|
163 |
+ unsigned char *addr = (unsigned char *) data + reloc_entry->address; |
|
164 |
+ |
|
165 |
++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, |
|
166 |
++ reloc_entry->address |
|
167 |
++ * bfd_octets_per_byte (abfd))) |
|
168 |
++ return bfd_reloc_outofrange; |
|
169 |
++ |
|
170 |
+ switch (howto->size) |
|
171 |
+ { |
|
172 |
+ case 0: |
|
173 |
+diff --git a/bfd/coff-m88k.c b/bfd/coff-m88k.c |
|
174 |
+index ebe4fd3..6314bd3 100644 |
|
175 |
+--- a/bfd/coff-m88k.c |
|
176 |
+@@ -72,10 +72,17 @@ m88k_special_reloc (bfd *abfd, |
|
177 |
+ { |
|
178 |
+ bfd_vma output_base = 0; |
|
179 |
+ bfd_vma addr = reloc_entry->address; |
|
180 |
+- bfd_vma x = bfd_get_16 (abfd, (bfd_byte *) data + addr); |
|
181 |
++ bfd_vma x; |
|
182 |
+ asection *reloc_target_output_section; |
|
183 |
+ long relocation = 0; |
|
184 |
+ |
|
185 |
++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, |
|
186 |
++ reloc_entry->address |
|
187 |
++ * bfd_octets_per_byte (abfd))) |
|
188 |
++ return bfd_reloc_outofrange; |
|
189 |
++ |
|
190 |
++ x = bfd_get_16 (abfd, (bfd_byte *) data + addr); |
|
191 |
++ |
|
192 |
+ /* Work out which section the relocation is targeted at and the |
|
193 |
+ initial relocation command value. */ |
|
194 |
+ |
|
195 |
+diff --git a/bfd/coff-mips.c b/bfd/coff-mips.c |
|
196 |
+index c3ade62..ac2b934 100644 |
|
197 |
+--- a/bfd/coff-mips.c |
|
198 |
+@@ -504,6 +504,12 @@ mips_reflo_reloc (bfd *abfd ATTRIBUTE_UNUSED, |
|
199 |
+ unsigned long vallo; |
|
200 |
+ struct mips_hi *next; |
|
201 |
+ |
|
202 |
++ if (! bfd_reloc_offset_in_range (reloc_entry->howto, abfd, |
|
203 |
++ input_section, |
|
204 |
++ reloc_entry->address |
|
205 |
++ * bfd_octets_per_byte (abfd))) |
|
206 |
++ return bfd_reloc_outofrange; |
|
207 |
++ |
|
208 |
+ /* Do the REFHI relocation. Note that we actually don't |
|
209 |
+ need to know anything about the REFLO itself, except |
|
210 |
+ where to find the low 16 bits of the addend needed by the |
|
211 |
+diff --git a/bfd/coff-x86_64.c b/bfd/coff-x86_64.c |
|
212 |
+index de22822..4d0bf18 100644 |
|
213 |
+--- a/bfd/coff-x86_64.c |
|
214 |
+@@ -142,17 +142,11 @@ coff_amd64_reloc (bfd *abfd, |
|
215 |
+ { |
|
216 |
+ reloc_howto_type *howto = reloc_entry->howto; |
|
217 |
+ unsigned char *addr = (unsigned char *) data + reloc_entry->address; |
|
218 |
+- |
|
219 |
+- /* FIXME: We do not have an end address for data, so we cannot |
|
220 |
+- accurately range check any addresses computed against it. |
|
221 |
+- cf: PR binutils/17512: file: 1085-1761-0.004. |
|
222 |
+- For now we do the best that we can. */ |
|
223 |
+- if (addr < (unsigned char *) data |
|
224 |
+- || addr > ((unsigned char *) data) + input_section->size) |
|
225 |
+- { |
|
226 |
+- bfd_set_error (bfd_error_bad_value); |
|
227 |
+- return bfd_reloc_notsupported; |
|
228 |
+- } |
|
229 |
++ |
|
230 |
++ if (! bfd_reloc_offset_in_range (howto, abfd, input_section, |
|
231 |
++ reloc_entry->address |
|
232 |
++ * bfd_octets_per_byte (abfd))) |
|
233 |
++ return bfd_reloc_outofrange; |
|
234 |
+ |
|
235 |
+ switch (howto->size) |
|
236 |
+ { |
|
237 |
+diff --git a/bfd/reloc.c b/bfd/reloc.c |
|
238 |
+index 7ee7844..0fe93be 100644 |
|
239 |
+--- a/bfd/reloc.c |
|
240 |
+@@ -540,12 +540,31 @@ bfd_check_overflow (enum complain_overflow how, |
|
241 |
+ return flag; |
|
242 |
+ } |
|
243 |
+ |
|
244 |
++/* |
|
245 |
++FUNCTION |
|
246 |
++ bfd_reloc_offset_in_range |
|
247 |
++ |
|
248 |
++SYNOPSIS |
|
249 |
++ bfd_boolean bfd_reloc_offset_in_range |
|
250 |
++ (reloc_howto_type *howto, |
|
251 |
++ bfd *abfd, |
|
252 |
++ asection *section, |
|
253 |
++ bfd_size_type offset); |
|
254 |
++ |
|
255 |
++DESCRIPTION |
|
256 |
++ Returns TRUE if the reloc described by @var{HOWTO} can be |
|
257 |
++ applied at @var{OFFSET} octets in @var{SECTION}. |
|
258 |
++ |
|
259 |
++*/ |
|
260 |
++ |
|
261 |
+ /* HOWTO describes a relocation, at offset OCTET. Return whether the |
|
262 |
+ relocation field is within SECTION of ABFD. */ |
|
263 |
+ |
|
264 |
+-static bfd_boolean |
|
265 |
+-reloc_offset_in_range (reloc_howto_type *howto, bfd *abfd, |
|
266 |
+- asection *section, bfd_size_type octet) |
|
267 |
++bfd_boolean |
|
268 |
++bfd_reloc_offset_in_range (reloc_howto_type *howto, |
|
269 |
++ bfd *abfd, |
|
270 |
++ asection *section, |
|
271 |
++ bfd_size_type octet) |
|
272 |
+ { |
|
273 |
+ bfd_size_type octet_end = bfd_get_section_limit_octets (abfd, section); |
|
274 |
+ bfd_size_type reloc_size = bfd_get_reloc_size (howto); |
|
275 |
+@@ -619,6 +638,11 @@ bfd_perform_relocation (bfd *abfd, |
|
276 |
+ if (howto && howto->special_function) |
|
277 |
+ { |
|
278 |
+ bfd_reloc_status_type cont; |
|
279 |
++ |
|
280 |
++ /* Note - we do not call bfd_reloc_offset_in_range here as the |
|
281 |
++ reloc_entry->address field might actually be valid for the |
|
282 |
++ backend concerned. It is up to the special_function itself |
|
283 |
++ to call bfd_reloc_offset_in_range if needed. */ |
|
284 |
+ cont = howto->special_function (abfd, reloc_entry, symbol, data, |
|
285 |
+ input_section, output_bfd, |
|
286 |
+ error_message); |
|
287 |
+@@ -639,7 +663,7 @@ bfd_perform_relocation (bfd *abfd, |
|
288 |
+ |
|
289 |
+ /* Is the address of the relocation really within the section? */ |
|
290 |
+ octets = reloc_entry->address * bfd_octets_per_byte (abfd); |
|
291 |
+- if (!reloc_offset_in_range (howto, abfd, input_section, octets)) |
|
292 |
++ if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets)) |
|
293 |
+ return bfd_reloc_outofrange; |
|
294 |
+ |
|
295 |
+ /* Work out which section the relocation is targeted at and the |
|
296 |
+@@ -1005,6 +1029,10 @@ bfd_install_relocation (bfd *abfd, |
|
297 |
+ { |
|
298 |
+ bfd_reloc_status_type cont; |
|
299 |
+ |
|
300 |
++ /* Note - we do not call bfd_reloc_offset_in_range here as the |
|
301 |
++ reloc_entry->address field might actually be valid for the |
|
302 |
++ backend concerned. It is up to the special_function itself |
|
303 |
++ to call bfd_reloc_offset_in_range if needed. */ |
|
304 |
+ /* XXX - The special_function calls haven't been fixed up to deal |
|
305 |
+ with creating new relocations and section contents. */ |
|
306 |
+ cont = howto->special_function (abfd, reloc_entry, symbol, |
|
307 |
+@@ -1027,7 +1055,7 @@ bfd_install_relocation (bfd *abfd, |
|
308 |
+ |
|
309 |
+ /* Is the address of the relocation really within the section? */ |
|
310 |
+ octets = reloc_entry->address * bfd_octets_per_byte (abfd); |
|
311 |
+- if (!reloc_offset_in_range (howto, abfd, input_section, octets)) |
|
312 |
++ if (!bfd_reloc_offset_in_range (howto, abfd, input_section, octets)) |
|
313 |
+ return bfd_reloc_outofrange; |
|
314 |
+ |
|
315 |
+ /* Work out which section the relocation is targeted at and the |
|
316 |
+@@ -1365,7 +1393,7 @@ _bfd_final_link_relocate (reloc_howto_type *howto, |
|
317 |
+ bfd_size_type octets = address * bfd_octets_per_byte (input_bfd); |
|
318 |
+ |
|
319 |
+ /* Sanity check the address. */ |
|
320 |
+- if (!reloc_offset_in_range (howto, input_bfd, input_section, octets)) |
|
321 |
++ if (!bfd_reloc_offset_in_range (howto, input_bfd, input_section, octets)) |
|
322 |
+ return bfd_reloc_outofrange; |
|
323 |
+ |
|
324 |
+ /* This function assumes that we are dealing with a basic relocation |
|
325 |
+-- |
|
326 |
+2.9.3 |
|
327 |
+ |
0 | 328 |
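Review bot: In the coff-arm, coff-i386, coff-i860, coff-m68k and coff-x86_64 hunks `addr` is still computed as `(unsigned char *) data + reloc_entry->address` before the new `bfd_reloc_offset_in_range` check runs, so on exactly the corrupt input this patch defends against the code forms a pointer past the end of the section buffer and only then decides the offset is bad; C defines pointer arithmetic only within or one past the object, so that is undefined behaviour even though nothing is dereferenced yet. The coff-m88k hunk already does this the safe way, declaring `bfd_vma x;` and assigning it after the check, and the same shape fits the others: `unsigned char *addr;` at the declaration and `addr = (unsigned char *) data + reloc_entry->address;` after the `return bfd_reloc_outofrange;`. In coff-arm the check sits inside `if (diff != 0)`, so zero-diff relocs skip it and rely on the caller's own range check, which the reloc.c hunk keeps in bfd_perform_relocation and bfd_install_relocation. Every special function touched here starts and ends outside its hunk.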
new file mode 100644 |
... | ... |
@@ -0,0 +1,38 @@ |
0 |
+From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Wed, 29 Nov 2017 12:40:43 +0000 |
|
3 |
+Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of |
|
4 |
+ memory when parsing relocs in a corrupt file. |
|
5 |
+ |
|
6 |
+ PR 22508 |
|
7 |
+ * objdump.c (dump_relocs_in_section): Also check the section's |
|
8 |
+ relocation count to make sure that it is reasonable before |
|
9 |
+ attempting to allocate space for the relocs. |
|
10 |
+--- |
|
11 |
+ binutils/objdump.c | 11 ++++++++++- |
|
12 |
+ |
|
13 |
+diff --git a/binutils/objdump.c b/binutils/objdump.c |
|
14 |
+index 40b4acf..e7d91e8 100644 |
|
15 |
+--- a/binutils/objdump.c |
|
16 |
+@@ -3427,7 +3427,16 @@ dump_relocs_in_section (bfd *abfd, |
|
17 |
+ } |
|
18 |
+ |
|
19 |
+ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0 |
|
20 |
+- && (ufile_ptr) relsize > bfd_get_file_size (abfd)) |
|
21 |
++ && (((ufile_ptr) relsize > bfd_get_file_size (abfd)) |
|
22 |
++ /* Also check the section's reloc count since if this is negative |
|
23 |
++ (or very large) the computation in bfd_get_reloc_upper_bound |
|
24 |
++ may have resulted in returning a small, positive integer. |
|
25 |
++ See PR 22508 for a reproducer. |
|
26 |
++ |
|
27 |
++ Note - we check against file size rather than section size as |
|
28 |
++ it is possible for there to be more relocs that apply to a |
|
29 |
++ section than there are bytes in that section. */ |
|
30 |
++ || (section->reloc_count > bfd_get_file_size (abfd)))) |
|
31 |
+ { |
|
32 |
+ printf (" (too many: 0x%x)\n", section->reloc_count); |
|
33 |
+ bfd_set_error (bfd_error_file_truncated); |
|
34 |
+-- |
|
35 |
+2.9.3 |
|
36 |
+ |
0 | 37 |
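Review bot: The nine-line comment is placed inside the `if` condition between the `||` operands, so a reader has to parse a multi-line boolean expression around a paragraph of prose; the rationale reads better as a block comment above the `if`, leaving the condition as `&& ((ufile_ptr) relsize > bfd_get_file_size (abfd) || section->reloc_count > bfd_get_file_size (abfd))`, and `bfd_get_file_size (abfd)` could then be evaluated once into a local. The new bound is deliberately loose, rejecting only a reloc count larger than the file has bytes, so a count that overflows the size computation yet stays below the file size would presumably still pass; a tighter limit would divide the file size by the external reloc size, but that value is not available in the hunk. dump_relocs_in_section begins and ends outside the hunk.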
new file mode 100644 |
... | ... |
@@ -0,0 +1,28 @@ |
0 |
+From 4581a1c7d304ce14e714b27522ebf3d0188d6543 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Wed, 29 Nov 2017 17:12:12 +0000 |
|
3 |
+Subject: [PATCH] Check for a NULL symbol pointer when reading relocs from a |
|
4 |
+ COFF based file. |
|
5 |
+ |
|
6 |
+ PR 22509 |
|
7 |
+ * coffcode.h (coff_slurp_reloc_table): Check for a NULL symbol |
|
8 |
+ pointer when processing relocs. |
|
9 |
+--- |
|
10 |
+ bfd/coffcode.h | 2 +- |
|
11 |
+ |
|
12 |
+diff --git a/bfd/coffcode.h b/bfd/coffcode.h |
|
13 |
+index 604ba6d..d30cd58 100644 |
|
14 |
+--- a/bfd/coffcode.h |
|
15 |
+@@ -5335,7 +5335,7 @@ coff_slurp_reloc_table (bfd * abfd, sec_ptr asect, asymbol ** symbols) |
|
16 |
+ #else |
|
17 |
+ cache_ptr->address = dst.r_vaddr; |
|
18 |
+ |
|
19 |
+- if (dst.r_symndx != -1) |
|
20 |
++ if (dst.r_symndx != -1 && symbols != NULL) |
|
21 |
+ { |
|
22 |
+ if (dst.r_symndx < 0 || dst.r_symndx >= obj_conv_table_size (abfd)) |
|
23 |
+ { |
|
24 |
+-- |
|
25 |
+2.9.3 |
|
26 |
+ |
0 | 27 |
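Review bot: The added `symbols != NULL` test sends a reloc that does name a symbol down the same path as `r_symndx == -1` whenever the caller supplied no symbol table, and nothing in the hunk records that this happened; the else side of the branch is outside the hunk, so I cannot see whether the fallback assigns a usable symbol pointer. At minimum the intent deserves a comment such as `/* PR 22509: the caller may not have read a symbol table; treat the reloc as symbol-less rather than index into symbols[].  */`, and it is worth considering whether reporting a bad-value error is more honest than silently dropping the symbol reference. coff_slurp_reloc_table continues on both sides of the hunk.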
new file mode 100644 |
... | ... |
@@ -0,0 +1,37 @@ |
0 |
+From b0029dce6867de1a2828293177b0e030d2f0f03c Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Nick Clifton <nickc@redhat.com> |
|
2 |
+Date: Tue, 28 Nov 2017 18:00:29 +0000 |
|
3 |
+Subject: [PATCH] Prevent a memory exhaustion problem when trying to read in |
|
4 |
+ strings from a COFF binary with a corrupt string table size. |
|
5 |
+ |
|
6 |
+ PR 22507 |
|
7 |
+ * coffgen.c (_bfd_coff_read_string_table): Check for an excessive |
|
8 |
+ size of the external string table. |
|
9 |
+--- |
|
10 |
+ bfd/coffgen.c | 4 ++-- |
|
11 |
+ |
|
12 |
+diff --git a/bfd/coffgen.c b/bfd/coffgen.c |
|
13 |
+index 81efd9b..7798dfc 100644 |
|
14 |
+--- a/bfd/coffgen.c |
|
15 |
+@@ -1718,7 +1718,7 @@ _bfd_coff_read_string_table (bfd *abfd) |
|
16 |
+ #endif |
|
17 |
+ } |
|
18 |
+ |
|
19 |
+- if (strsize < STRING_SIZE_SIZE) |
|
20 |
++ if (strsize < STRING_SIZE_SIZE || strsize > bfd_get_file_size (abfd)) |
|
21 |
+ { |
|
22 |
+ _bfd_error_handler |
|
23 |
+ /* xgettext: c-format */ |
|
24 |
+@@ -1726,7 +1726,7 @@ _bfd_coff_read_string_table (bfd *abfd) |
|
25 |
+ bfd_set_error (bfd_error_bad_value); |
|
26 |
+ return NULL; |
|
27 |
+ } |
|
28 |
+- |
|
29 |
++ |
|
30 |
+ strings = (char *) bfd_malloc (strsize + 1); |
|
31 |
+ if (strings == NULL) |
|
32 |
+ return NULL; |
|
33 |
+-- |
|
34 |
+2.9.3 |
|
35 |
+ |
0 | 36 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,103 @@ |
0 |
+From 160b1a618ad94988410dc81fce9189fcda5b7ff4 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Alan Modra <amodra@gmail.com> |
|
2 |
+Date: Sat, 18 Nov 2017 23:18:22 +1030 |
|
3 |
+Subject: [PATCH] PR22443, Global buffer overflow in |
|
4 |
+ _bfd_elf_get_symbol_version_string |
|
5 |
+ |
|
6 |
+Symbols like *ABS* defined in bfd/section.c:global_syms are not |
|
7 |
+elf_symbol_type. They can appear on relocs and perhaps other places |
|
8 |
+in an ELF bfd, so a number of places in nm.c and objdump.c are wrong |
|
9 |
+to cast an asymbol based on the bfd being ELF. I think we lose |
|
10 |
+nothing by excluding all section symbols, not just the global_syms. |
|
11 |
+ |
|
12 |
+ PR 22443 |
|
13 |
+ * nm.c (sort_symbols_by_size): Don't attempt to access |
|
14 |
+ section symbol internal_elf_sym. |
|
15 |
+ (print_symbol): Likewise. Don't call bfd_get_symbol_version_string |
|
16 |
+ for section symbols. |
|
17 |
+ * objdump.c (compare_symbols): Don't attempt to access |
|
18 |
+ section symbol internal_elf_sym. |
|
19 |
+ (objdump_print_symname): Don't call bfd_get_symbol_version_string |
|
20 |
+ for section symbols. |
|
21 |
+--- |
|
22 |
+ binutils/nm.c | 17 ++++++++++------- |
|
23 |
+ binutils/objdump.c | 6 +++--- |
|
24 |
+diff --git a/binutils/nm.c b/binutils/nm.c |
|
25 |
+index 5b421785..dd49f09 100644 |
|
26 |
+--- a/binutils/nm.c |
|
27 |
+@@ -763,7 +763,6 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms, |
|
28 |
+ asection *sec; |
|
29 |
+ bfd_vma sz; |
|
30 |
+ asymbol *temp; |
|
31 |
+- int synthetic = (sym->flags & BSF_SYNTHETIC); |
|
32 |
+ |
|
33 |
+ if (from + size < fromend) |
|
34 |
+ { |
|
35 |
+@@ -780,10 +779,13 @@ sort_symbols_by_size (bfd *abfd, bfd_boolean is_dynamic, void *minisyms, |
|
36 |
+ sec = bfd_get_section (sym); |
|
37 |
+ |
|
38 |
+ /* Synthetic symbols don't have a full type set of data available, thus |
|
39 |
+- we can't rely on that information for the symbol size. */ |
|
40 |
+- if (!synthetic && bfd_get_flavour (abfd) == bfd_target_elf_flavour) |
|
41 |
++ we can't rely on that information for the symbol size. Ditto for |
|
42 |
++ bfd/section.c:global_syms like *ABS*. */ |
|
43 |
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 |
|
44 |
++ && bfd_get_flavour (abfd) == bfd_target_elf_flavour) |
|
45 |
+ sz = ((elf_symbol_type *) sym)->internal_elf_sym.st_size; |
|
46 |
+- else if (!synthetic && bfd_is_com_section (sec)) |
|
47 |
++ else if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 |
|
48 |
++ && bfd_is_com_section (sec)) |
|
49 |
+ sz = sym->value; |
|
50 |
+ else |
|
51 |
+ { |
|
52 |
+@@ -872,8 +874,9 @@ print_symbol (bfd * abfd, |
|
53 |
+ |
|
54 |
+ info.sinfo = &syminfo; |
|
55 |
+ info.ssize = ssize; |
|
56 |
+- /* Synthetic symbols do not have a full symbol type set of data available. */ |
|
57 |
+- if ((sym->flags & BSF_SYNTHETIC) != 0) |
|
58 |
++ /* Synthetic symbols do not have a full symbol type set of data available. |
|
59 |
++ Nor do bfd/section.c:global_syms like *ABS*. */ |
|
60 |
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) != 0) |
|
61 |
+ { |
|
62 |
+ info.elfinfo = NULL; |
|
63 |
+ info.coffinfo = NULL; |
|
64 |
+@@ -891,7 +894,7 @@ print_symbol (bfd * abfd, |
|
65 |
+ const char * version_string = NULL; |
|
66 |
+ bfd_boolean hidden = FALSE; |
|
67 |
+ |
|
68 |
+- if ((sym->flags & BSF_SYNTHETIC) == 0) |
|
69 |
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) |
|
70 |
+ version_string = bfd_get_symbol_version_string (abfd, sym, &hidden); |
|
71 |
+ |
|
72 |
+ if (bfd_is_und_section (bfd_get_section (sym))) |
|
73 |
+diff --git a/binutils/objdump.c b/binutils/objdump.c |
|
74 |
+index 1a1e32f..40b4acf 100644 |
|
75 |
+--- a/binutils/objdump.c |
|
76 |
+@@ -799,10 +799,10 @@ compare_symbols (const void *ap, const void *bp) |
|
77 |
+ bfd_vma asz, bsz; |
|
78 |
+ |
|
79 |
+ asz = 0; |
|
80 |
+- if ((a->flags & BSF_SYNTHETIC) == 0) |
|
81 |
++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) |
|
82 |
+ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; |
|
83 |
+ bsz = 0; |
|
84 |
+- if ((b->flags & BSF_SYNTHETIC) == 0) |
|
85 |
++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) |
|
86 |
+ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; |
|
87 |
+ if (asz != bsz) |
|
88 |
+ return asz > bsz ? -1 : 1; |
|
89 |
+@@ -888,7 +888,7 @@ objdump_print_symname (bfd *abfd, struct disassemble_info *inf, |
|
90 |
+ name = alloc; |
|
91 |
+ } |
|
92 |
+ |
|
93 |
+- if ((sym->flags & BSF_SYNTHETIC) == 0) |
|
94 |
++ if ((sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) |
|
95 |
+ version_string = bfd_get_symbol_version_string (abfd, sym, &hidden); |
|
96 |
+ |
|
97 |
+ if (bfd_is_und_section (bfd_get_section (sym))) |
|
98 |
+-- |
|
99 |
+2.9.3 |
|
100 |
+ |
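Review bot: The objdump.c compare_symbols hunk still casts `a` and `b` to `elf_symbol_type *` with only the flags test as a guard, whereas the nm.c sort_symbols_by_size hunk pairs the same flags test with `bfd_get_flavour (abfd) == bfd_target_elf_flavour`; unless an enclosing flavour test just above the hunk already excludes non-ELF bfds (the function's start is outside the hunk, so I cannot tell), the type confusion PR 22443 fixes for section symbols would remain for ordinary symbols of other formats. The nm.c hunk also evaluates `(sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0` twice where the removed `synthetic` local used to hold the answer; `bfd_boolean plain_sym = (sym->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0;` keeps the two branches from drifting apart. All four functions touched here start and end outside their hunks.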
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Contains a linker, an assembler, and other tools |
2 | 2 |
Name: binutils |
3 | 3 |
Version: 2.29.1 |
4 |
-Release: 4%{?dist} |
|
4 |
+Release: 5%{?dist} |
|
5 | 5 |
License: GPLv2+ |
6 | 6 |
URL: http://www.gnu.org/software/binutils |
7 | 7 |
Group: System Environment/Base |
... | ... |
@@ -18,7 +18,11 @@ Patch5: binutils-2.29.1-CVE-2017-16829.patch |
18 | 18 |
Patch6: binutils-2.29.1-CVE-2017-16830.patch |
19 | 19 |
Patch7: binutils-2.29.1-CVE-2017-16831.patch |
20 | 20 |
Patch8: binutils-2.29.1-CVE-2017-16832.patch |
21 |
- |
|
21 |
+Patch9: binutils-2.29.1-CVE-2017-17121.patch |
|
22 |
+Patch10: binutils-2.29.1-CVE-2017-17122.patch |
|
23 |
+Patch11: binutils-2.29.1-CVE-2017-17123.patch |
|
24 |
+Patch12: binutils-2.29.1-CVE-2017-17124.patch |
|
25 |
+Patch13: binutils-2.29.1-CVE-2017-17125.patch |
|
22 | 26 |
%description |
23 | 27 |
The Binutils package contains a linker, an assembler, |
24 | 28 |
and other tools for handling object files. |
... | ... |
@@ -39,6 +43,11 @@ for handling compiled objects. |
39 | 39 |
%patch6 -p1 |
40 | 40 |
%patch7 -p1 |
41 | 41 |
%patch8 -p1 |
42 |
+%patch9 -p1 |
|
43 |
+%patch10 -p1 |
|
44 |
+%patch11 -p1 |
|
45 |
+%patch12 -p1 |
|
46 |
+%patch13 -p1 |
|
42 | 47 |
|
43 | 48 |
%build |
44 | 49 |
install -vdm 755 ../binutils-build |
... | ... |
@@ -126,6 +135,9 @@ make %{?_smp_mflags} check |
126 | 126 |
%{_libdir}/libopcodes.so |
127 | 127 |
|
128 | 128 |
%changelog |
129 |
+* Mon Dec 18 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-5 |
|
130 |
+- Fix CVEs CVE-2017-17121, CVE-2017-17122, CVE-2017-17123, |
|
131 |
+- CVE-2017-17124, CVE-2017-17125 |
|
129 | 132 |
* Mon Dec 4 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-4 |
130 | 133 |
- Fix CVEs CVE-2017-16826, CVE-2017-16827, CVE-2017-16828, CVE-2017-16829, |
131 | 134 |
- CVE-2017-16830, CVE-2017-16831, CVE-2017-16832 |