| From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001 |
| From: Alan Modra <amodra@gmail.com> |
| Date: Wed, 9 Oct 2019 10:47:13 +1030 |
| Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line |
| |
| Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog |
| file. There are newer versions of binutils, but none of them contain the |
| commit fixing CVE-2019-17451, so backport it to master and zeus. |
| |
| Upstream-Status: Backport |
| [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848] |
| CVE: CVE-2019-17451 |
| Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> |
| |
| |
| Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 |
| and ffffd5555453b140 result in a total size of 1. Reading the first |
| section of course overflows the buffer and tramples on other memory. |
| |
| PR 25070 |
| * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of |
| total_size calculation. |
| --- |
| bfd/dwarf2.c | 11 ++++++++++- |
| 1 file changed, 10 insertions(+), 1 deletion(-) |
| |
| diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c |
| index 0b4e485582..a91597b1d0 100644 |
| --- a/bfd/dwarf2.c |
| +++ b/bfd/dwarf2.c |
| @@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, |
| for (total_size = 0; |
| msec; |
| msec = find_debug_info (debug_bfd, debug_sections, msec)) |
| - total_size += msec->size; |
| + { |
| + /* Catch PR25070 testcase overflowing size calculation here. */ |
| + if (total_size + msec->size < total_size |
| + || total_size + msec->size < msec->size) |
| + { |
| + bfd_set_error (bfd_error_no_memory); |
| + return FALSE; |
| + } |
| + total_size += msec->size; |
| + } |
| |
| stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); |
| if (stash->info_ptr_memory == NULL) |
| -- |
| 2.23.0 |
| |