Brad Bishop | d5ae7d9 | 2018-06-14 09:52:03 -0700 | [diff] [blame] | 1 | From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Clifton <nickc@redhat.com> |
| 3 | Date: Tue, 8 May 2018 12:51:06 +0100 |
| 4 | Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a |
| 5 | fuzzed input file with corrupt string and attribute sections. |
| 6 | |
| 7 | PR 22809 |
| 8 | * elf.c (bfd_elf_get_str_section): Check for an excessively large |
| 9 | string section. |
| 10 | * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the |
| 11 | attribute section is larger than the size of the file. |
| 12 | |
| 13 | Upsteram-Status: Backport |
| 14 | Affects: Binutils <= 2.30 |
| 15 | CVE: CVE-2018-8945 |
| 16 | Signed-off-by: Armin kuster <akuster@mvista.com> |
| 17 | --- |
| 18 | bfd/ChangeLog | 8 ++++++++ |
| 19 | bfd/elf-attrs.c | 9 +++++++++ |
| 20 | bfd/elf.c | 1 + |
| 21 | 3 files changed, 18 insertions(+) |
| 22 | |
| 23 | Index: git/bfd/elf-attrs.c |
| 24 | =================================================================== |
| 25 | --- git.orig/bfd/elf-attrs.c |
| 26 | +++ git/bfd/elf-attrs.c |
| 27 | @@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El |
| 28 | /* PR 17512: file: 2844a11d. */ |
| 29 | if (hdr->sh_size == 0) |
| 30 | return; |
| 31 | + if (hdr->sh_size > bfd_get_file_size (abfd)) |
| 32 | + { |
| 33 | + /* xgettext:c-format */ |
| 34 | + _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), |
| 35 | + abfd, hdr->bfd_section, (long long) hdr->sh_size); |
| 36 | + bfd_set_error (bfd_error_invalid_operation); |
| 37 | + return; |
| 38 | + } |
| 39 | + |
| 40 | contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1); |
| 41 | if (!contents) |
| 42 | return; |
| 43 | Index: git/bfd/elf.c |
| 44 | =================================================================== |
| 45 | --- git.orig/bfd/elf.c |
| 46 | +++ git/bfd/elf.c |
| 47 | @@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi |
| 48 | /* Allocate and clear an extra byte at the end, to prevent crashes |
| 49 | in case the string table is not terminated. */ |
| 50 | if (shstrtabsize + 1 <= 1 |
| 51 | + || shstrtabsize > bfd_get_file_size (abfd) |
| 52 | || bfd_seek (abfd, offset, SEEK_SET) != 0 |
| 53 | || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL) |
| 54 | shstrtab = NULL; |
| 55 | Index: git/bfd/ChangeLog |
| 56 | =================================================================== |
| 57 | --- git.orig/bfd/ChangeLog |
| 58 | +++ git/bfd/ChangeLog |
| 59 | @@ -1,3 +1,11 @@ |
| 60 | +2018-05-08 Nick Clifton <nickc@redhat.com> |
| 61 | + |
| 62 | + PR 22809 |
| 63 | + * elf.c (bfd_elf_get_str_section): Check for an excessively large |
| 64 | + string section. |
| 65 | + * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the |
| 66 | + attribute section is larger than the size of the file. |
| 67 | + |
| 68 | 2018-02-07 Alan Modra <amodra@gmail.com> |
| 69 | |
| 70 | Revert 2018-01-17 Alan Modra <amodra@gmail.com> |