Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 5b9ede0403237c7dace972affa65cf64a1aadd0e / . / poky / meta / recipes-devtools / binutils / binutils / CVE-2018-7569.patch
blob: 96c0fd2422db1acf38382623f1fa83be7c60a37e [file] [log] [blame]
From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 28 Feb 2018 11:50:49 +0000
Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
FORM blocks.
PR 22895
PR 22893
* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
pointer. Drop unused abfd parameter. Check the size of the block
before initialising the data field. Return the end pointer if the
size is invalid.
(read_attribute_value): Adjust invocations of read_n_bytes.
Upstream-Status: Backport
Affects: Binutils <= 2.30
CVE: CVE-2018-7569
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 8 ++++++++
bfd/dwarf2.c | 36 +++++++++++++++++++++---------------
2 files changed, 29 insertions(+), 15 deletions(-)
Index: git/bfd/dwarf2.c
===================================================================
--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
}
static bfd_byte *
-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
- bfd_byte *buf,
- bfd_byte *end,
- unsigned int size ATTRIBUTE_UNUSED)
-{
- if (buf + size > end)
- return NULL;
- return buf;
+read_n_bytes (bfd_byte * buf,
+ bfd_byte * end,
+ struct dwarf_block * block)
+{
+ unsigned int size = block->size;
+ bfd_byte * block_end = buf + size;
+
+ if (block_end > end || block_end < buf)
+ {
+ block->data = NULL;
+ block->size = 0;
+ return end;
+ }
+ else
+ {
+ block->data = buf;
+ return block_end;
+ }
}
/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 2;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block4:
@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 4;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data2:
@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
FALSE, info_ptr_end);
info_ptr += bytes_read;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block1:
@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
info_ptr += 1;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data1:
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -6,6 +6,14 @@
2018-02-28 Alan Modra <amodra@gmail.com>
+ PR 22895
+ PR 22893
+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+ pointer. Drop unused abfd parameter. Check the size of the block
+ before initialising the data field. Return the end pointer if the
+ size is invalid.
+ (read_attribute_value): Adjust invocations of read_n_bytes.
+
PR 22887
* aoutx.h (swap_std_reloc_in): Correct r_index bound check.