| From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001 |
| From: Nick Clifton <nickc@redhat.com> |
| Date: Tue, 8 May 2018 12:51:06 +0100 |
| Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a |
| fuzzed input file with corrupt string and attribute sections. |
| |
| PR 22809 |
| * elf.c (bfd_elf_get_str_section): Check for an excessively large |
| string section. |
| * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the |
| attribute section is larger than the size of the file. |
| |
| Upstream-Status: Backport |
| Affects: Binutils <= 2.30 |
| CVE: CVE-2018-8945 |
| Signed-off-by: Armin kuster <akuster@mvista.com> |
| --- |
| bfd/ChangeLog | 8 ++++++++ |
| bfd/elf-attrs.c | 9 +++++++++ |
| bfd/elf.c | 1 + |
| 3 files changed, 18 insertions(+) |
| |
| Index: git/bfd/elf-attrs.c |
| =================================================================== |
| --- git.orig/bfd/elf-attrs.c |
| +++ git/bfd/elf-attrs.c |
| @@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El |
| /* PR 17512: file: 2844a11d. */ |
| if (hdr->sh_size == 0) |
| return; |
| + if (hdr->sh_size > bfd_get_file_size (abfd)) |
| + { |
| + /* xgettext:c-format */ |
| + _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), |
| + abfd, hdr->bfd_section, (long long) hdr->sh_size); |
| + bfd_set_error (bfd_error_invalid_operation); |
| + return; |
| + } |
| + |
| contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1); |
| if (!contents) |
| return; |
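Review bot: The new guard `hdr->sh_size > bfd_get_file_size (abfd)` treats a return of 0 as a real size, so if bfd_get_file_size reports 0 when the size cannot be determined (worth confirming for this tree, for example for a BFD not backed by a plain file), every non-empty attribute section is rejected. Capturing the value and testing `filesize != 0 && hdr->sh_size > filesize` keeps the memory-exhaustion bound without that regression; the same comparison in the bfd_elf_get_str_section hunk in elf.c has the same exposure. Separately, the message uses `%pB`/`%pA`, and since this is marked as a backport for Binutils <= 2.30 it is worth checking that the target's _bfd_error_handler understands those specifiers rather than the older `%B`/`%A`, otherwise the diagnostic for a corrupt file will be garbled. The function body starts and continues outside the hunk.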
| Index: git/bfd/elf.c |
| =================================================================== |
| --- git.orig/bfd/elf.c |
| +++ git/bfd/elf.c |
| @@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi |
| /* Allocate and clear an extra byte at the end, to prevent crashes |
| in case the string table is not terminated. */ |
| if (shstrtabsize + 1 <= 1 |
| + || shstrtabsize > bfd_get_file_size (abfd) |
| || bfd_seek (abfd, offset, SEEK_SET) != 0 |
| || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL) |
| shstrtab = NULL; |
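Review bot: The added `shstrtabsize > bfd_get_file_size (abfd)` test falls into the same `shstrtab = NULL` branch as a failed seek or allocation, but unlike those it appears to record no BFD error and prints no diagnostic, so a caller may report a stale or misleading error for a corrupt string section. This is hedged because the rest of bfd_elf_get_str_section lies outside the hunk. The comment above the condition also still describes only the extra terminator byte; adding something like `/* Also reject a size larger than the file itself, which can only come from a corrupt header (PR 22809). */` would document why the bound is there.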
| Index: git/bfd/ChangeLog |
| =================================================================== |
| --- git.orig/bfd/ChangeLog |
| +++ git/bfd/ChangeLog |
| @@ -1,3 +1,11 @@ |
| +2018-05-08 Nick Clifton <nickc@redhat.com> |
| + |
| + PR 22809 |
| + * elf.c (bfd_elf_get_str_section): Check for an excessively large |
| + string section. |
| + * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the |
| + attribute section is larger than the size of the file. |
| + |
| 2018-02-07 Alan Modra <amodra@gmail.com> |
| |
| Revert 2018-01-17 Alan Modra <amodra@gmail.com> |