| From f7bbc8890de45df6eda0ddef5dd04f835f54eecf Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Wed, 20 Feb 2019 17:03:47 +0000 |
| Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS |
| option section using readelf. |
| |
| PR 24243 |
| * readelf.c (process_mips_specific): Check for an options section |
| that is too small to even contain a single option. |
| |
| Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7fc0c668f2aceb8582d74db1ad2528e2bba8a921] |
| CVE: CVE-2019-9077 |
| Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> |
| --- |
| binutils/readelf.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/binutils/readelf.c b/binutils/readelf.c |
| index 9df3742..18ab806 100644 |
| --- a/binutils/readelf.c |
| +++ b/binutils/readelf.c |
| @@ -16179,6 +16179,12 @@ process_mips_specific (Filedata * filedata) |
| error (_("No MIPS_OPTIONS header found\n")); |
| return FALSE; |
| } |
| + /* PR 24243 */ |
| + if (sect->sh_size < sizeof (* eopt)) |
| + { |
| + error (_("The MIPS options section is too small.\n")); |
| + return FALSE; |
| + } |
| |
| eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1, |
| sect->sh_size, _("options")); |
| -- |
| 2.7.4 |
| |