| From 82156ab704b08b124d319c0decdbd48b3ca2dac5 Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Mon, 3 Apr 2017 12:14:06 +0100 |
| Subject: [PATCH] readelf: Fix overlarge memory allocation when reading a |
| binary with an excessive number of program headers. |
| |
| PR binutils/21345 |
| * readelf.c (get_program_headers): Check for there being too many |
| program headers before attempting to allocate space for them. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-9039 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| binutils/ChangeLog | 6 ++++++ |
| binutils/readelf.c | 17 ++++++++++++++--- |
| 2 files changed, 20 insertions(+), 3 deletions(-) |
| |
| Index: git/binutils/readelf.c |
| =================================================================== |
| --- git.orig/binutils/readelf.c |
| +++ git/binutils/readelf.c |
| @@ -4765,9 +4765,19 @@ get_program_headers (FILE * file) |
| if (program_headers != NULL) |
| return 1; |
| |
| - phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, |
| - sizeof (Elf_Internal_Phdr)); |
| + /* Be kind to memory checkers by looking for |
| + e_phnum values which we know must be invalid. */ |
| + if (elf_header.e_phnum |
| + * (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)) |
| + >= current_file_size) |
| + { |
| + error (_("Too many program headers - %#x - the file is not that big\n"), |
| + elf_header.e_phnum); |
| + return FALSE; |
| + } |
| |
| + phdrs = (Elf_Internal_Phdr *) cmalloc (elf_header.e_phnum, |
| + sizeof (Elf_Internal_Phdr)); |
| if (phdrs == NULL) |
| { |
| error (_("Out of memory reading %u program headers\n"), |
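Review bot: The new guard multiplies the file-supplied `elf_header.e_phnum` by the external header size before comparing with `current_file_size`, so if that product is evaluated in a 32-bit type (for example `size_t` on a 32-bit host) a large count could wrap and still reach `cmalloc`; the types involved are declared outside the hunk, so this needs confirming. Dividing instead removes the doubt and is equivalent up to rounding: `if (elf_header.e_phnum >= current_file_size / (is_32bit_elf ? sizeof (Elf32_External_Phdr) : sizeof (Elf64_External_Phdr)))`. The bound is also taken against the whole file rather than the bytes that remain after the program header table's offset, so a count that fits the file size but not the space after the table is still allocated; presumably the later read rejects it, but that code is not in this hunk. The comment undersells the check and would read better as `/* Reject e_phnum values that cannot fit in the file before allocating space for them. */`. get_program_headers begins and ends outside the hunk.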
| Index: git/binutils/ChangeLog |
| =================================================================== |
| --- git.orig/binutils/ChangeLog |
| +++ git/binutils/ChangeLog |
| @@ -1,5 +1,11 @@ |
| 2017-04-03 Nick Clifton <nickc@redhat.com> |
| |
| + PR binutils/21345 |
| + * readelf.c (get_program_headers): Check for there being too many |
| + program headers before attempting to allocate space for them. |
| + |
| +2017-04-03 Nick Clifton <nickc@redhat.com> |
| + |
| PR binutils/21343 |
| * readelf.c (get_unwind_section_word): Fix snafu checking for |
| invalid word offsets in ARM unwind information. |