Gitiles
Code Review Sign In
gerrit.openbmc.org / mdmillerii / openbmc / 83ecb75644b3d677c274188f9ac0b2374d6f6925 / . / poky / meta / recipes-devtools / binutils / binutils / CVE-2019-9075.patch
blob: bcb1310f16b97621932250b521b582103b4b4410 [file] [log] [blame]
From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 20 Feb 2019 08:21:24 +1030
Subject: [PATCH] PR24236, Heap buffer overflow in
_bfd_archive_64_bit_slurp_armap
PR 24236
* archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
sentinel NUL to string buffer nearer to loop where it is used.
Don't go past sentinel when scanning strings, and don't write
NUL again.
* archive.c (do_slurp_coff_armap): Simplify string handling to
archive64.c style.
Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/8abac8031ed369a2734b1cdb7df28a39a54b4b49]
CVE: CVE-2019-9075
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
bfd/ChangeLog | 10 ++++++++++
bfd/archive.c | 17 +++++++----------
bfd/archive64.c | 10 +++++-----
3 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 72c87c7..e39bb12 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,13 @@
+2019-02-20 Alan Modra <amodra@gmail.com>
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+
2019-02-19 Alan Modra <amodra@gmail.com>
PR 24235
diff --git a/bfd/archive.c b/bfd/archive.c
index d2d9b72..68a92a3 100644
--- a/bfd/archive.c
+++ b/bfd/archive.c
@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
int *raw_armap, *rawptr;
struct artdata *ardata = bfd_ardata (abfd);
char *stringbase;
+ char *stringend;
bfd_size_type stringsize;
bfd_size_type parsed_size;
carsym *carsyms;
@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
}
/* OK, build the carsyms. */
- for (i = 0; i < nsymz && stringsize > 0; i++)
+ stringend = stringbase + stringsize;
+ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
{
- bfd_size_type len;
-
rawptr = raw_armap + i;
carsyms->file_offset = swap ((bfd_byte *) rawptr);
carsyms->name = stringbase;
- /* PR 17512: file: 4a1d50c1. */
- len = strnlen (stringbase, stringsize);
- if (len < stringsize)
- len ++;
- stringbase += len;
- stringsize -= len;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
carsyms++;
}
- *stringbase = 0;
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);
diff --git a/bfd/archive64.c b/bfd/archive64.c
index 312bf82..42f6ed9 100644
--- a/bfd/archive64.c
+++ b/bfd/archive64.c
@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
return FALSE;
carsyms = ardata->symdefs;
stringbase = ((char *) ardata->symdefs) + carsym_size;
- stringbase[stringsize] = 0;
- stringend = stringbase + stringsize;
raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
if (raw_armap == NULL)
@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
goto release_raw_armap;
}
+ stringend = stringbase + stringsize;
+ *stringend = 0;
for (i = 0; i < nsymz; i++)
{
carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
carsyms->name = stringbase;
- if (stringbase < stringend)
- stringbase += strlen (stringbase) + 1;
+ stringbase += strlen (stringbase);
+ if (stringbase != stringend)
+ ++stringbase;
++carsyms;
}
- *stringbase = '\0';
ardata->symdef_count = nsymz;
ardata->first_file_filepos = bfd_tell (abfd);
--
2.7.4