| From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Tue, 17 Apr 2018 12:35:55 +0100 |
| Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF |
| information. |
| |
| PR 23064 |
| * dwarf.c (process_cu_tu_index): Test for a potential buffer |
| overrun before copying signature pointer. |
| |
| Upstream-Status: Backport |
| Affects: Binutils <= 2.30 |
| CVE: CVE-2018-10372 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| binutils/ChangeLog | 6 ++++++ |
| binutils/dwarf.c | 13 ++++++++++++- |
| 2 files changed, 18 insertions(+), 1 deletion(-) |
| |
| Index: git/binutils/dwarf.c |
| =================================================================== |
| --- git.orig/binutils/dwarf.c |
| +++ git/binutils/dwarf.c |
| @@ -9252,7 +9252,18 @@ process_cu_tu_index (struct dwarf_sectio |
| } |
| |
| if (!do_display) |
| - memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t)); |
| + { |
| + size_t num_copy = sizeof (uint64_t); |
| + |
| + /* PR 23064: Beware of buffer overflow. */ |
| + if (ph + num_copy < limit) |
| + memcpy (&this_set[row - 1].signature, ph, num_copy); |
| + else |
| + { |
| + warn (_("Signature (%p) extends beyond end of space in section\n"), ph); |
| + return 0; |
| + } |
| + } |
| |
| prow = poffsets + (row - 1) * ncols * 4; |
| /* PR 17531: file: b8ce60a8. */ |
| Index: git/binutils/ChangeLog |
| =================================================================== |
| --- git.orig/binutils/ChangeLog |
| +++ git/binutils/ChangeLog |
| @@ -1,3 +1,9 @@ |
| +2018-04-17 Nick Clifton <nickc@redhat.com> |
| + |
| + PR 23064 |
| + * dwarf.c (process_cu_tu_index): Test for a potential buffer |
| + overrun before copying signature pointer. |
| + |
| 2018-01-27 Nick Clifton <nickc@redhat.com> |
| |
| Back to development. |