Brad Bishop | d5ae7d9 | 2018-06-14 09:52:03 -0700 | [diff] [blame] | 1 | From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Clifton <nickc@redhat.com> |
| 3 | Date: Tue, 6 Feb 2018 15:48:29 +0000 |
| 4 | Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by |
| 5 | chacking the size of debuglink sections. |
| 6 | |
| 7 | PR 22794 |
| 8 | * opncls.c (bfd_get_debug_link_info_1): Check the size of the |
| 9 | section before attempting to read it in. |
| 10 | (bfd_get_alt_debug_link_info): Likewise. |
| 11 | |
| 12 | Upstream-Status: Backport |
| 13 | Affects: Binutils <= 2.30 |
| 14 | CVE: CVE-2018-6759 |
| 15 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 16 | |
| 17 | --- |
| 18 | bfd/ChangeLog | 7 +++++++ |
| 19 | bfd/opncls.c | 22 +++++++++++++++++----- |
| 20 | 2 files changed, 24 insertions(+), 5 deletions(-) |
| 21 | |
| 22 | Index: git/bfd/opncls.c |
| 23 | =================================================================== |
| 24 | --- git.orig/bfd/opncls.c |
| 25 | +++ git/bfd/opncls.c |
| 26 | @@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo |
| 27 | bfd_byte *contents; |
| 28 | unsigned int crc_offset; |
| 29 | char *name; |
| 30 | + bfd_size_type size; |
| 31 | |
| 32 | BFD_ASSERT (abfd); |
| 33 | BFD_ASSERT (crc32_out); |
| 34 | @@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo |
| 35 | if (sect == NULL) |
| 36 | return NULL; |
| 37 | |
| 38 | + size = bfd_get_section_size (sect); |
| 39 | + |
| 40 | + /* PR 22794: Make sure that the section has a reasonable size. */ |
| 41 | + if (size < 8 || size >= bfd_get_size (abfd)) |
| 42 | + return NULL; |
| 43 | + |
| 44 | if (!bfd_malloc_and_get_section (abfd, sect, &contents)) |
| 45 | { |
| 46 | if (contents != NULL) |
| 47 | @@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo |
| 48 | |
| 49 | /* CRC value is stored after the filename, aligned up to 4 bytes. */ |
| 50 | name = (char *) contents; |
| 51 | - /* PR 17597: avoid reading off the end of the buffer. */ |
| 52 | - crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; |
| 53 | + /* PR 17597: Avoid reading off the end of the buffer. */ |
| 54 | + crc_offset = strnlen (name, size) + 1; |
| 55 | crc_offset = (crc_offset + 3) & ~3; |
| 56 | - if (crc_offset + 4 > bfd_get_section_size (sect)) |
| 57 | + if (crc_offset + 4 > size) |
| 58 | return NULL; |
| 59 | |
| 60 | *crc32 = bfd_get_32 (abfd, contents + crc_offset); |
| 61 | @@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, |
| 62 | bfd_byte *contents; |
| 63 | unsigned int buildid_offset; |
| 64 | char *name; |
| 65 | + bfd_size_type size; |
| 66 | |
| 67 | BFD_ASSERT (abfd); |
| 68 | BFD_ASSERT (buildid_len); |
| 69 | @@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, |
| 70 | if (sect == NULL) |
| 71 | return NULL; |
| 72 | |
| 73 | + size = bfd_get_section_size (sect); |
| 74 | + if (size < 8 || size >= bfd_get_size (abfd)) |
| 75 | + return NULL; |
| 76 | + |
| 77 | if (!bfd_malloc_and_get_section (abfd, sect, & contents)) |
| 78 | { |
| 79 | if (contents != NULL) |
| 80 | @@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, |
| 81 | |
| 82 | /* BuildID value is stored after the filename. */ |
| 83 | name = (char *) contents; |
| 84 | - buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; |
| 85 | + buildid_offset = strnlen (name, size) + 1; |
| 86 | if (buildid_offset >= bfd_get_section_size (sect)) |
| 87 | return NULL; |
| 88 | |
| 89 | - *buildid_len = bfd_get_section_size (sect) - buildid_offset; |
| 90 | + *buildid_len = size - buildid_offset; |
| 91 | *buildid_out = bfd_malloc (*buildid_len); |
| 92 | memcpy (*buildid_out, contents + buildid_offset, *buildid_len); |
| 93 | |
| 94 | Index: git/bfd/ChangeLog |
| 95 | =================================================================== |
| 96 | --- git.orig/bfd/ChangeLog |
| 97 | +++ git/bfd/ChangeLog |
| 98 | @@ -1,3 +1,10 @@ |
| 99 | +2018-02-06 Nick Clifton <nickc@redhat.com> |
| 100 | + |
| 101 | + PR 22794 |
| 102 | + * opncls.c (bfd_get_debug_link_info_1): Check the size of the |
| 103 | + section before attempting to read it in. |
| 104 | + (bfd_get_alt_debug_link_info): Likewise. |
| 105 | + |
| 106 | 2018-02-09 Nick Clifton <nickc@redhat.com> |
| 107 | |
| 108 | Import patch from mainline: |