Brad Bishop | d5ae7d9 | 2018-06-14 09:52:03 -0700 | [diff] [blame] | 1 | From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Clifton <nickc@redhat.com> |
| 3 | Date: Tue, 17 Apr 2018 12:35:55 +0100 |
| 4 | Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF |
| 5 | information. |
| 6 | |
| 7 | PR 23064 |
| 8 | * dwarf.c (process_cu_tu_index): Test for a potential buffer |
| 9 | overrun before copying signature pointer. |
| 10 | |
| 11 | Upstream-Status: Backport |
| 12 | Affects: Binutils <= 2.30 |
| 13 | CVE: CVE-2018-10372 |
| 14 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 15 | |
| 16 | --- |
| 17 | binutils/ChangeLog | 6 ++++++ |
| 18 | binutils/dwarf.c | 13 ++++++++++++- |
| 19 | 2 files changed, 18 insertions(+), 1 deletion(-) |
| 20 | |
| 21 | Index: git/binutils/dwarf.c |
| 22 | =================================================================== |
| 23 | --- git.orig/binutils/dwarf.c |
| 24 | +++ git/binutils/dwarf.c |
| 25 | @@ -9252,7 +9252,18 @@ process_cu_tu_index (struct dwarf_sectio |
| 26 | } |
| 27 | |
| 28 | if (!do_display) |
| 29 | - memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t)); |
| 30 | + { |
| 31 | + size_t num_copy = sizeof (uint64_t); |
| 32 | + |
| 33 | + /* PR 23064: Beware of buffer overflow. */ |
| 34 | + if (ph + num_copy < limit) |
| 35 | + memcpy (&this_set[row - 1].signature, ph, num_copy); |
| 36 | + else |
| 37 | + { |
| 38 | + warn (_("Signature (%p) extends beyond end of space in section\n"), ph); |
| 39 | + return 0; |
| 40 | + } |
| 41 | + } |
| 42 | |
| 43 | prow = poffsets + (row - 1) * ncols * 4; |
| 44 | /* PR 17531: file: b8ce60a8. */ |
| 45 | Index: git/binutils/ChangeLog |
| 46 | =================================================================== |
| 47 | --- git.orig/binutils/ChangeLog |
| 48 | +++ git/binutils/ChangeLog |
| 49 | @@ -1,3 +1,9 @@ |
| 50 | +2018-04-17 Nick Clifton <nickc@redhat.com> |
| 51 | + |
| 52 | + PR 23064 |
| 53 | + * dwarf.c (process_cu_tu_index): Test for a potential buffer |
| 54 | + overrun before copying signature pointer. |
| 55 | + |
| 56 | 2018-01-27 Nick Clifton <nickc@redhat.com> |
| 57 | |
| 58 | Back to development. |