Brad Bishop | 64c979e | 2019-11-04 13:55:29 -0500 | [diff] [blame^] | 1 | From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Modra <amodra@gmail.com> |
| 3 | Date: Wed, 9 Oct 2019 10:47:13 +1030 |
| 4 | Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line |
| 5 | |
| 6 | Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog |
| 7 | file. There are newer versions of binutils, but none of them contain the |
| 8 | commit fixing CVE-2019-17451, so backport it to master and zeus. |
| 9 | |
| 10 | Upstream-Status: Backport |
| 11 | [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848] |
| 12 | CVE: CVE-2019-17451 |
| 13 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> |
| 14 | |
| 15 | |
| 16 | Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 |
| 17 | and ffffd5555453b140 result in a total size of 1. Reading the first |
| 18 | section of course overflows the buffer and tramples on other memory. |
| 19 | |
| 20 | PR 25070 |
| 21 | * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of |
| 22 | total_size calculation. |
| 23 | --- |
| 24 | bfd/dwarf2.c | 11 ++++++++++- |
| 25 | 1 file changed, 10 insertions(+), 1 deletion(-) |
| 26 | |
| 27 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c |
| 28 | index 0b4e485582..a91597b1d0 100644 |
| 29 | --- a/bfd/dwarf2.c |
| 30 | +++ b/bfd/dwarf2.c |
| 31 | @@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, |
| 32 | for (total_size = 0; |
| 33 | msec; |
| 34 | msec = find_debug_info (debug_bfd, debug_sections, msec)) |
| 35 | - total_size += msec->size; |
| 36 | + { |
| 37 | + /* Catch PR25070 testcase overflowing size calculation here. */ |
| 38 | + if (total_size + msec->size < total_size |
| 39 | + || total_size + msec->size < msec->size) |
| 40 | + { |
| 41 | + bfd_set_error (bfd_error_no_memory); |
| 42 | + return FALSE; |
| 43 | + } |
| 44 | + total_size += msec->size; |
| 45 | + } |
| 46 | |
| 47 | stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); |
| 48 | if (stash->info_ptr_memory == NULL) |
| 49 | -- |
| 50 | 2.23.0 |
| 51 | |