Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 1a4b7ee28bf7413af6513fb45ad0d0736048f866 / . / poky / meta / recipes-devtools / binutils / binutils / CVE-2018-17358.patch
blob: 813509160f7134443d6334ba3848cf3e30409d58 [file] [log] [blame]
Brad Bishop1a4b7ee2018-12-16 17:11:34 -0800[diff] [blame^]1From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 20 Sep 2018 15:29:17 +0930
4Subject: [PATCH] Bug 23686, two segment faults in nm
5
6Fixes the bugs exposed by the testcases in the PR, plus two more bugs
7I noticed when looking at _bfd_stab_section_find_nearest_line.
8
9 PR 23686
10 * dwarf2.c (read_section): Error when attempting to malloc
11 "(bfd_size_type) -1".
12 * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
13 function_name. Bounds check reloc address. Formatting. Ensure
14 .stabstr zero terminated.
15CVE: CVE-2018-17358 and CVE-2018-17359
16Upstream-Status: Backport
17Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
18---
19 bfd/ChangeLog | 9 +++++++++
20 bfd/dwarf2.c | 9 ++++++++-
21 bfd/syms.c | 22 ++++++++++++++++------
22 3 files changed, 33 insertions(+), 7 deletions(-)
23
24diff --git a/bfd/ChangeLog b/bfd/ChangeLog
25index 04c0c2a..fef5479 100644
26--- a/bfd/ChangeLog
27+++ b/bfd/ChangeLog
28@@ -1,3 +1,12 @@
29+2018-09-20 Alan Modra <amodra@gmail.com>
30+
31+ PR 23686
32+ * dwarf2.c (read_section): Error when attempting to malloc
33+ "(bfd_size_type) -1".
34+ * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
35+ function_name. Bounds check reloc address. Formatting. Ensure
36+ .stabstr zero terminated.
37+
38 2018-08-12 H.J. Lu <hongjiu.lu@intel.com>
39
40 PR ld/23428
41diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
42index 3b28855..77a7368 100644
43--- a/bfd/dwarf2.c
44+++ b/bfd/dwarf2.c
45@@ -527,6 +527,7 @@ read_section (bfd * abfd,
46 asection *msec;
47 const char *section_name = sec->uncompressed_name;
48 bfd_byte *contents = *section_buffer;
49+ bfd_size_type amt;
50
51 /* The section may have already been read. */
52 if (contents == NULL)
53@@ -549,7 +550,13 @@ read_section (bfd * abfd,
54 *section_size = msec->rawsize ? msec->rawsize : msec->size;
55 /* Paranoia - alloc one extra so that we can make sure a string
56 section is NUL terminated. */
57- contents = (bfd_byte *) bfd_malloc (*section_size + 1);
58+ amt = *section_size + 1;
59+ if (amt == 0)
60+ {
61+ bfd_set_error (bfd_error_no_memory);
62+ return FALSE;
63+ }
64+ contents = (bfd_byte *) bfd_malloc (amt);
65 if (contents == NULL)
66 return FALSE;
67 if (syms
68diff --git a/bfd/syms.c b/bfd/syms.c
69index 187071f..e09640a 100644
70--- a/bfd/syms.c
71+++ b/bfd/syms.c
72@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
73 0, strsize))
74 return FALSE;
75
76+ /* Stab strings ought to be nul terminated. Ensure the last one
77+ is, to prevent running off the end of the buffer. */
78+ info->strs[strsize - 1] = 0;
79+
80 /* If this is a relocatable object file, we have to relocate
81 the entries in .stab. This should always be simple 32 bit
82 relocations against symbols defined in this object file, so
83@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
84 || r->howto->bitsize != 32
85 || r->howto->pc_relative
86 || r->howto->bitpos != 0
87- || r->howto->dst_mask != 0xffffffff)
88+ || r->howto->dst_mask != 0xffffffff
89+ || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
90 {
91 _bfd_error_handler
92 (_("unsupported .stab relocation"));
93@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
94 {
95 nul_fun = stab;
96 nul_str = str;
97- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
98+ if (file_name >= (char *) info->strs + strsize
99+ || file_name < (char *) str)
100 file_name = NULL;
101 if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
102 && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
103@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
104 directory_name = file_name;
105 file_name = ((char *) str
106 + bfd_get_32 (abfd, stab + STRDXOFF));
107- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
108+ if (file_name >= (char *) info->strs + strsize
109+ || file_name < (char *) str)
110 file_name = NULL;
111 }
112 }
113@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
114 file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
115 /* PR 17512: file: 0c680a1f. */
116 /* PR 17512: file: 5da8aec4. */
117- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
118+ if (file_name >= (char *) info->strs + strsize
119+ || file_name < (char *) str)
120 file_name = NULL;
121 break;
122
123@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
124 function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
125 if (function_name == (char *) str)
126 continue;
127- if (function_name >= (char *) info->strs + strsize)
128+ if (function_name >= (char *) info->strs + strsize
129+ || function_name < (char *) str)
130 function_name = NULL;
131
132 nul_fun = NULL;
133@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
134 if (val <= offset)
135 {
136 file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
137- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
138+ if (file_name >= (char *) info->strs + strsize
139+ || file_name < (char *) str)
140 file_name = NULL;
141 *pline = 0;
142 }
143--
1442.9.3