| From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Tue, 6 Feb 2018 15:48:29 +0000 |
| Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by |
| chacking the size of debuglink sections. |
| |
| PR 22794 |
| * opncls.c (bfd_get_debug_link_info_1): Check the size of the |
| section before attempting to read it in. |
| (bfd_get_alt_debug_link_info): Likewise. |
| |
| Upstream-Status: Backport |
| Affects: Binutils <= 2.30 |
| CVE: CVE-2018-6759 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| bfd/ChangeLog | 7 +++++++ |
| bfd/opncls.c | 22 +++++++++++++++++----- |
| 2 files changed, 24 insertions(+), 5 deletions(-) |
| |
| Index: git/bfd/opncls.c |
| =================================================================== |
| --- git.orig/bfd/opncls.c |
| +++ git/bfd/opncls.c |
| @@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo |
| bfd_byte *contents; |
| unsigned int crc_offset; |
| char *name; |
| + bfd_size_type size; |
| |
| BFD_ASSERT (abfd); |
| BFD_ASSERT (crc32_out); |
| @@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo |
| if (sect == NULL) |
| return NULL; |
| |
| + size = bfd_get_section_size (sect); |
| + |
| + /* PR 22794: Make sure that the section has a reasonable size. */ |
| + if (size < 8 || size >= bfd_get_size (abfd)) |
| + return NULL; |
| + |
| if (!bfd_malloc_and_get_section (abfd, sect, &contents)) |
| { |
| if (contents != NULL) |
| @@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo |
| |
| /* CRC value is stored after the filename, aligned up to 4 bytes. */ |
| name = (char *) contents; |
| - /* PR 17597: avoid reading off the end of the buffer. */ |
| - crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; |
| + /* PR 17597: Avoid reading off the end of the buffer. */ |
| + crc_offset = strnlen (name, size) + 1; |
| crc_offset = (crc_offset + 3) & ~3; |
| - if (crc_offset + 4 > bfd_get_section_size (sect)) |
| + if (crc_offset + 4 > size) |
| return NULL; |
| |
| *crc32 = bfd_get_32 (abfd, contents + crc_offset); |
| @@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, |
| bfd_byte *contents; |
| unsigned int buildid_offset; |
| char *name; |
| + bfd_size_type size; |
| |
| BFD_ASSERT (abfd); |
| BFD_ASSERT (buildid_len); |
| @@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, |
| if (sect == NULL) |
| return NULL; |
| |
| + size = bfd_get_section_size (sect); |
| + if (size < 8 || size >= bfd_get_size (abfd)) |
| + return NULL; |
| + |
| if (!bfd_malloc_and_get_section (abfd, sect, & contents)) |
| { |
| if (contents != NULL) |
| @@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, |
| |
| /* BuildID value is stored after the filename. */ |
| name = (char *) contents; |
| - buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; |
| + buildid_offset = strnlen (name, size) + 1; |
| if (buildid_offset >= bfd_get_section_size (sect)) |
| return NULL; |
| |
| - *buildid_len = bfd_get_section_size (sect) - buildid_offset; |
| + *buildid_len = size - buildid_offset; |
| *buildid_out = bfd_malloc (*buildid_len); |
| memcpy (*buildid_out, contents + buildid_offset, *buildid_len); |
| |
| Index: git/bfd/ChangeLog |
| =================================================================== |
| --- git.orig/bfd/ChangeLog |
| +++ git/bfd/ChangeLog |
| @@ -1,3 +1,10 @@ |
| +2018-02-06 Nick Clifton <nickc@redhat.com> |
| + |
| + PR 22794 |
| + * opncls.c (bfd_get_debug_link_info_1): Check the size of the |
| + section before attempting to read it in. |
| + (bfd_get_alt_debug_link_info): Likewise. |
| + |
| 2018-02-09 Nick Clifton <nickc@redhat.com> |
| |
| Import patch from mainline: |