| From ae87f7e73eba29bd38b3a9684a10b948ed715612 Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Wed, 14 Jun 2017 16:50:03 +0100 |
| Subject: [PATCH] Fix address violation when disassembling a corrupt binary. |
| |
| PR binutils/21580 |
| binutils * objdump.c (disassemble_bytes): Check for buffer overrun when |
| printing out raw insns. |
| |
| ld * testsuite/ld-nds32/diff.d: Adjust expected output. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-9746 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| binutils/objdump.c | 27 +++++++++++++++------------ |
| ld/ChangeLog | 5 +++++ |
| ld/testsuite/ld-nds32/diff.d | 6 +++--- |
| 3 files changed, 23 insertions(+), 15 deletions(-) |
| |
| Index: git/binutils/objdump.c |
| =================================================================== |
| --- git.orig/binutils/objdump.c |
| +++ git/binutils/objdump.c |
| @@ -1855,20 +1855,23 @@ disassemble_bytes (struct disassemble_in |
| |
| for (j = addr_offset * opb; j < addr_offset * opb + pb; j += bpc) |
| { |
| - int k; |
| - |
| - if (bpc > 1 && inf->display_endian == BFD_ENDIAN_LITTLE) |
| - { |
| - for (k = bpc - 1; k >= 0; k--) |
| - printf ("%02x", (unsigned) data[j + k]); |
| - putchar (' '); |
| - } |
| - else |
| + /* PR 21580: Check for a buffer ending early. */ |
| + if (j + bpc <= stop_offset * opb) |
| { |
| - for (k = 0; k < bpc; k++) |
| - printf ("%02x", (unsigned) data[j + k]); |
| - putchar (' '); |
| + int k; |
| + |
| + if (inf->display_endian == BFD_ENDIAN_LITTLE) |
| + { |
| + for (k = bpc - 1; k >= 0; k--) |
| + printf ("%02x", (unsigned) data[j + k]); |
| + } |
| + else |
| + { |
| + for (k = 0; k < bpc; k++) |
| + printf ("%02x", (unsigned) data[j + k]); |
| + } |
| } |
| + putchar (' '); |
| } |
| |
| for (; pb < octets_per_line; pb += bpc) |
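Review bot: The new guard `if (j + bpc <= stop_offset * opb)` skips a whole `bpc`-sized group when fewer than `bpc` octets remain, so any trailing in-bounds bytes are dropped from the raw dump and only the `putchar (' ')` separator is printed, with no sign that data was withheld. The adjusted expectations in ld-nds32/diff.d show the printed bytes also change for a regular test input, not only for corrupt files, so tooling that parses this column may see shorter output. The comment should state that, e.g. `/* PR 21580: the buffer may end before j + bpc on corrupt input; a group that does not fit entirely is skipped rather than partly printed. */`. The declarations of `j`, `bpc`, `opb` and `stop_offset` are outside the hunk, so it is worth confirming that `j + bpc` and `stop_offset * opb` are evaluated in a type wide enough not to wrap. disassemble_bytes starts and ends outside this hunk.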
| Index: git/ld/testsuite/ld-nds32/diff.d |
| =================================================================== |
| --- git.orig/ld/testsuite/ld-nds32/diff.d |
| +++ git/ld/testsuite/ld-nds32/diff.d |
| @@ -7,9 +7,9 @@ |
| |
| Disassembly of section .data: |
| 00008000 <WORD> (7e 00 00 00|00 00 00 7e).* |
| -00008004 <HALF> (7e 00 7e fe|00 7e 7e fe).* |
| -00008006 <BYTE> 7e fe 00 fe.* |
| -00008007 <ULEB128> fe 00.* |
| +00008004 <HALF> (7e 00|00 7e).* |
| +00008006 <BYTE> 7e.* |
| +00008007 <ULEB128> fe.* |
| ... |
| 00008009 <ULEB128_2> fe 00.* |
| .* |
| Index: git/ld/ChangeLog |
| =================================================================== |
| --- git.orig/ld/ChangeLog |
| +++ git/ld/ChangeLog |
| @@ -1,3 +1,8 @@ |
| +2017-06-14 Nick Clifton <nickc@redhat.com> |
| + |
| + PR binutils/21580 |
| + * testsuite/ld-nds32/diff.d: Adjust expected output. |
| + |
| 2017-03-07 Alan Modra <amodra@gmail.com> |
| |
| * ldlang.c (open_input_bfds): Check that lang_assignment_statement |