| From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Wed, 28 Feb 2018 11:50:49 +0000 |
| Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF |
| FORM blocks. |
| |
| PR 22895 |
| PR 22893 |
| * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block |
| pointer. Drop unused abfd parameter. Check the size of the block |
| before initialising the data field. Return the end pointer if the |
| size is invalid. |
| (read_attribute_value): Adjust invocations of read_n_bytes. |
| |
| Upstream-Status: Backport |
| Affects: Binutils <= 2.30 |
| CVE: CVE-2018-7569 |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| --- |
| bfd/ChangeLog | 8 ++++++++ |
| bfd/dwarf2.c | 36 +++++++++++++++++++++--------------- |
| 2 files changed, 29 insertions(+), 15 deletions(-) |
| |
| Index: git/bfd/dwarf2.c |
| =================================================================== |
| --- git.orig/bfd/dwarf2.c |
| +++ git/bfd/dwarf2.c |
| @@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, |
| } |
| |
| static bfd_byte * |
| -read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED, |
| - bfd_byte *buf, |
| - bfd_byte *end, |
| - unsigned int size ATTRIBUTE_UNUSED) |
| -{ |
| - if (buf + size > end) |
| - return NULL; |
| - return buf; |
| +read_n_bytes (bfd_byte * buf, |
| + bfd_byte * end, |
| + struct dwarf_block * block) |
| +{ |
| + unsigned int size = block->size; |
| + bfd_byte * block_end = buf + size; |
| + |
| + if (block_end > end || block_end < buf) |
| + { |
| + block->data = NULL; |
| + block->size = 0; |
| + return end; |
| + } |
| + else |
| + { |
| + block->data = buf; |
| + return block_end; |
| + } |
| } |
| |
| /* Scans a NUL terminated string starting at BUF, returning a pointer to it. |
| @@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute * |
| return NULL; |
| blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end); |
| info_ptr += 2; |
| - blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
| - info_ptr += blk->size; |
| + info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
| attr->u.blk = blk; |
| break; |
| case DW_FORM_block4: |
| @@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute * |
| return NULL; |
| blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end); |
| info_ptr += 4; |
| - blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
| - info_ptr += blk->size; |
| + info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
| attr->u.blk = blk; |
| break; |
| case DW_FORM_data2: |
| @@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute * |
| blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read, |
| FALSE, info_ptr_end); |
| info_ptr += bytes_read; |
| - blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
| - info_ptr += blk->size; |
| + info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
| attr->u.blk = blk; |
| break; |
| case DW_FORM_block1: |
| @@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute * |
| return NULL; |
| blk->size = read_1_byte (abfd, info_ptr, info_ptr_end); |
| info_ptr += 1; |
| - blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size); |
| - info_ptr += blk->size; |
| + info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk); |
| attr->u.blk = blk; |
| break; |
| case DW_FORM_data1: |
| Index: git/bfd/ChangeLog |
| =================================================================== |
| --- git.orig/bfd/ChangeLog |
| +++ git/bfd/ChangeLog |
| @@ -6,6 +6,14 @@ |
| |
| 2018-02-28 Alan Modra <amodra@gmail.com> |
| |
| + PR 22895 |
| + PR 22893 |
| + * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block |
| + pointer. Drop unused abfd parameter. Check the size of the block |
| + before initialising the data field. Return the end pointer if the |
| + size is invalid. |
| + (read_attribute_value): Adjust invocations of read_n_bytes. |
| + |
| PR 22887 |
| * aoutx.h (swap_std_reloc_in): Correct r_index bound check. |
| |