Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Modra <amodra@gmail.com> |
| 3 | Date: Thu, 20 Sep 2018 15:29:17 +0930 |
| 4 | Subject: [PATCH] Bug 23686, two segment faults in nm |
| 5 | |
| 6 | Fixes the bugs exposed by the testcases in the PR, plus two more bugs |
| 7 | I noticed when looking at _bfd_stab_section_find_nearest_line. |
| 8 | |
| 9 | PR 23686 |
| 10 | * dwarf2.c (read_section): Error when attempting to malloc |
| 11 | "(bfd_size_type) -1". |
| 12 | * syms.c (_bfd_stab_section_find_nearest_line): Bounds check |
| 13 | function_name. Bounds check reloc address. Formatting. Ensure |
| 14 | .stabstr zero terminated. |
| 15 | CVE: CVE-2018-17358 and CVE-2018-17359 |
| 16 | Upstream-Status: Backport |
| 17 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> |
| 18 | --- |
| 19 | bfd/ChangeLog | 9 +++++++++ |
| 20 | bfd/dwarf2.c | 9 ++++++++- |
| 21 | bfd/syms.c | 22 ++++++++++++++++------ |
| 22 | 3 files changed, 33 insertions(+), 7 deletions(-) |
| 23 | |
| 24 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog |
| 25 | index 04c0c2a..fef5479 100644 |
| 26 | --- a/bfd/ChangeLog |
| 27 | +++ b/bfd/ChangeLog |
| 28 | @@ -1,3 +1,12 @@ |
| 29 | +2018-09-20 Alan Modra <amodra@gmail.com> |
| 30 | + |
| 31 | + PR 23686 |
| 32 | + * dwarf2.c (read_section): Error when attempting to malloc |
| 33 | + "(bfd_size_type) -1". |
| 34 | + * syms.c (_bfd_stab_section_find_nearest_line): Bounds check |
| 35 | + function_name. Bounds check reloc address. Formatting. Ensure |
| 36 | + .stabstr zero terminated. |
| 37 | + |
| 38 | 2018-08-12 H.J. Lu <hongjiu.lu@intel.com> |
| 39 | |
| 40 | PR ld/23428 |
| 41 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c |
| 42 | index 3b28855..77a7368 100644 |
| 43 | --- a/bfd/dwarf2.c |
| 44 | +++ b/bfd/dwarf2.c |
| 45 | @@ -527,6 +527,7 @@ read_section (bfd * abfd, |
| 46 | asection *msec; |
| 47 | const char *section_name = sec->uncompressed_name; |
| 48 | bfd_byte *contents = *section_buffer; |
| 49 | + bfd_size_type amt; |
| 50 | |
| 51 | /* The section may have already been read. */ |
| 52 | if (contents == NULL) |
| 53 | @@ -549,7 +550,13 @@ read_section (bfd * abfd, |
| 54 | *section_size = msec->rawsize ? msec->rawsize : msec->size; |
| 55 | /* Paranoia - alloc one extra so that we can make sure a string |
| 56 | section is NUL terminated. */ |
| 57 | - contents = (bfd_byte *) bfd_malloc (*section_size + 1); |
| 58 | + amt = *section_size + 1; |
| 59 | + if (amt == 0) |
| 60 | + { |
| 61 | + bfd_set_error (bfd_error_no_memory); |
| 62 | + return FALSE; |
| 63 | + } |
| 64 | + contents = (bfd_byte *) bfd_malloc (amt); |
| 65 | if (contents == NULL) |
| 66 | return FALSE; |
| 67 | if (syms |
| 68 | diff --git a/bfd/syms.c b/bfd/syms.c |
| 69 | index 187071f..e09640a 100644 |
| 70 | --- a/bfd/syms.c |
| 71 | +++ b/bfd/syms.c |
| 72 | @@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 73 | 0, strsize)) |
| 74 | return FALSE; |
| 75 | |
| 76 | + /* Stab strings ought to be nul terminated. Ensure the last one |
| 77 | + is, to prevent running off the end of the buffer. */ |
| 78 | + info->strs[strsize - 1] = 0; |
| 79 | + |
| 80 | /* If this is a relocatable object file, we have to relocate |
| 81 | the entries in .stab. This should always be simple 32 bit |
| 82 | relocations against symbols defined in this object file, so |
| 83 | @@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 84 | || r->howto->bitsize != 32 |
| 85 | || r->howto->pc_relative |
| 86 | || r->howto->bitpos != 0 |
| 87 | - || r->howto->dst_mask != 0xffffffff) |
| 88 | + || r->howto->dst_mask != 0xffffffff |
| 89 | + || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize) |
| 90 | { |
| 91 | _bfd_error_handler |
| 92 | (_("unsupported .stab relocation")); |
| 93 | @@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 94 | { |
| 95 | nul_fun = stab; |
| 96 | nul_str = str; |
| 97 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) |
| 98 | + if (file_name >= (char *) info->strs + strsize |
| 99 | + || file_name < (char *) str) |
| 100 | file_name = NULL; |
| 101 | if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize |
| 102 | && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO) |
| 103 | @@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 104 | directory_name = file_name; |
| 105 | file_name = ((char *) str |
| 106 | + bfd_get_32 (abfd, stab + STRDXOFF)); |
| 107 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) |
| 108 | + if (file_name >= (char *) info->strs + strsize |
| 109 | + || file_name < (char *) str) |
| 110 | file_name = NULL; |
| 111 | } |
| 112 | } |
| 113 | @@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 114 | file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); |
| 115 | /* PR 17512: file: 0c680a1f. */ |
| 116 | /* PR 17512: file: 5da8aec4. */ |
| 117 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) |
| 118 | + if (file_name >= (char *) info->strs + strsize |
| 119 | + || file_name < (char *) str) |
| 120 | file_name = NULL; |
| 121 | break; |
| 122 | |
| 123 | @@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 124 | function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); |
| 125 | if (function_name == (char *) str) |
| 126 | continue; |
| 127 | - if (function_name >= (char *) info->strs + strsize) |
| 128 | + if (function_name >= (char *) info->strs + strsize |
| 129 | + || function_name < (char *) str) |
| 130 | function_name = NULL; |
| 131 | |
| 132 | nul_fun = NULL; |
| 133 | @@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, |
| 134 | if (val <= offset) |
| 135 | { |
| 136 | file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); |
| 137 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) |
| 138 | + if (file_name >= (char *) info->strs + strsize |
| 139 | + || file_name < (char *) str) |
| 140 | file_name = NULL; |
| 141 | *pline = 0; |
| 142 | } |
| 143 | -- |
| 144 | 2.9.3 |