| From 04f963fd489cae724a60140e13984415c205f4ac Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Wed, 14 Jun 2017 10:35:16 +0100 |
| Subject: [PATCH] Fix seg-faults in objdump when disassembling a corrupt |
| versados binary. |
| |
| PR binutils/21591 |
| * versados.c (versados_mkobject): Zero the allocated tdata structure. |
| (process_otr): Check for an invalid offset in the otr structure. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2017-9753 |
| CVE: CVE-2017-9754 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| bfd/ChangeLog | 6 ++++++ |
| bfd/versados.c | 12 ++++++++---- |
| 2 files changed, 14 insertions(+), 4 deletions(-) |
| |
| Index: git/bfd/versados.c |
| =================================================================== |
| --- git.orig/bfd/versados.c |
| +++ git/bfd/versados.c |
| @@ -149,7 +149,7 @@ versados_mkobject (bfd *abfd) |
| if (abfd->tdata.versados_data == NULL) |
| { |
| bfd_size_type amt = sizeof (tdata_type); |
| - tdata_type *tdata = bfd_alloc (abfd, amt); |
| + tdata_type *tdata = bfd_zalloc (abfd, amt); |
| |
| if (tdata == NULL) |
| return FALSE; |
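Review bot: The switch to bfd_zalloc on the `+` line carries no comment, so a future reader has no hint that the zeroing is load-bearing rather than cosmetic, and may revert to bfd_alloc when "optimising". The commit message says the zeroed tdata avoids a seg-fault on a corrupt input, which suggests that some tdata field is read before every code path has assigned it; I would record that next to the call: `/* PR 21591: zero the tdata so that fields a corrupt input leaves unset are not read uninitialised.  */`. Which field is involved is not visible in this hunk, so the comment deliberately does not name one. versados_mkobject starts before this hunk and continues after it.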
| @@ -345,13 +345,13 @@ reloc_howto_type versados_howto_table[] |
| }; |
| |
| static int |
| -get_offset (int len, unsigned char *ptr) |
| +get_offset (unsigned int len, unsigned char *ptr) |
| { |
| int val = 0; |
| |
| if (len) |
| { |
| - int i; |
| + unsigned int i; |
| |
| val = *ptr++; |
| if (val & 0x80) |
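Review bot: get_offset still has no end pointer of its own: after this hunk it dereferences `ptr` for the first byte and, presumably, `len - 1` further bytes in the loop that follows, so its safety now rests entirely on the new `srcp + esdids + offsetlen >= endp` check in process_otr. That contract should be stated at the definition so that the next caller does not assume the function bounds itself: `/* Read a LEN-byte offset from PTR.  No bounds checking is done here; the caller must guarantee that LEN bytes are readable (see the PR 21591 check in process_otr).  */`. The loop body and the remainder of get_offset lie outside the hunk, so the exact number of bytes consumed is inferred from the caller's check rather than visible here.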
| @@ -394,9 +394,13 @@ process_otr (bfd *abfd, struct ext_otr * |
| int flag = *srcp++; |
| int esdids = (flag >> 5) & 0x7; |
| int sizeinwords = ((flag >> 3) & 1) ? 2 : 1; |
| - int offsetlen = flag & 0x7; |
| + unsigned int offsetlen = flag & 0x7; |
| int j; |
| |
| + /* PR 21591: Check for invalid lengths. */ |
| + if (srcp + esdids + offsetlen >= endp) |
| + return; |
| + |
| if (esdids == 0) |
| { |
| /* A zero esdid means the new pc is the offset given. */ |
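Review bot: The new guard `if (srcp + esdids + offsetlen >= endp)` forms the pointer `srcp + esdids + offsetlen` before comparing it, and for the very inputs it is meant to reject that pointer lies beyond one-past-the-end of the buffer, which is undefined behaviour in C even if it works on every current target; the same test expressed as a length avoids that: `if ((size_t) (endp - srcp) <= (size_t) esdids + offsetlen) return;`. Note also that `>=` rejects the case where the `esdids + offsetlen` bytes end exactly at `endp`; whether that is intentional (a later read past those bytes) or one byte too strict cannot be decided from this hunk, so a comment saying which is meant would help. The types of `srcp` and `endp` are not visible here (assumed `unsigned char *`), and process_otr starts before this hunk and continues after it.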
| Index: git/bfd/ChangeLog |
| =================================================================== |
| --- git.orig/bfd/ChangeLog |
| +++ git/bfd/ChangeLog |
| @@ -8,6 +8,10 @@ |
| (ieee_archive_p): Likewise. |
| |
| 2017-06-14 Nick Clifton <nickc@redhat.com> |
| + |
| + PR binutils/21591 |
| + * versados.c (versados_mkobject): Zero the allocated tdata structure. |
| + (process_otr): Check for an invalid offset in the otr structure. |
| |
| PR binutils/21589 |
| * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the |