path: root/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 9 Jan 2019 12:25:16 +0000
Subject: [PATCH] Fix a heap use after free memory access fault when displaying
 error messages about malformed archives.

	PR 14049
	* readelf.c (process_archive): Use arch.file_name in error
	messages until the qualified name is available.

CVE: CVE-2018-20623
Upstream-Status: Backport
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]

Signed-off-by: Dan Tran <dantran@microsoft.com>
---
 binutils/readelf.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/binutils/readelf.c b/binutils/readelf.c
index f4df697a7d..280023d8de 100644
--- a/binutils/readelf.c
+++ b/binutils/readelf.c
@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
       /* Read the next archive header.  */
       if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
         {
-          error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
+          error (_("%s: failed to seek to next archive header\n"), arch.file_name);
           return FALSE;
         }
       got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
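Review bot: The switch from `filedata->file_name` to `arch.file_name` in this seek-failure path has no explanation next to it; the only rationale is the comment in the following hunk, and the hunks at -19089 and -19098 make the same substitution silently. One comment ahead of the first use would cover all four sites, for example `/* Use arch.file_name in diagnostics: filedata->file_name may refer to freed memory at this point.  */`. This path also does `return FALSE` while the neighbouring error paths set `ret = FALSE` and `break`. Whether that skips cleanup cannot be judged here, because process_archive starts and ends outside the hunk.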
@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
         {
           if (got == 0)
 	    break;
-          error (_("%s: failed to read archive header\n"), filedata->file_name);
+	  /* PR 24049 - we cannot use filedata->file_name as this will
+	     have already been freed.  */
+	  error (_("%s: failed to read archive header\n"), arch.file_name);
+	    
           ret = FALSE;
           break;
         }
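Review bot: The added comment says `filedata->file_name` has already been freed, but nothing in this patch stops the pointer from dangling; the visible hunks only change which string the `error` calls print. Presumably the field is overwritten with a per-member name that is later freed somewhere in the loop outside these hunks. Restoring or clearing `filedata->file_name` at that point would protect every other reader of the field, not just these messages. Two smaller items: the added line after the `error` call contains only whitespace and should be dropped, and the comment cites PR 24049 while the ChangeLog entry in the commit message cites PR 14049, so one of the two needs correcting.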
@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
       name = get_archive_member_name (&arch, &nested_arch);
       if (name == NULL)
 	{
-	  error (_("%s: bad archive file name\n"), filedata->file_name);
+	  error (_("%s: bad archive file name\n"), arch.file_name);
 	  ret = FALSE;
 	  break;
 	}
@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
       qualified_name = make_qualified_name (&arch, &nested_arch, name);
       if (qualified_name == NULL)
 	{
-	  error (_("%s: bad archive file name\n"), filedata->file_name);
+	  error (_("%s: bad archive file name\n"), arch.file_name);
 	  ret = FALSE;
 	  break;
 	}
@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
 	  if (nested_arch.file == NULL)
 	    {
 	      error (_("%s: contains corrupt thin archive: %s\n"),
-		     filedata->file_name, name);
+		     qualified_name, name);
 	      ret = FALSE;
 	      break;
 	    }
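Review bot: Passing `qualified_name` as the first argument alongside `name` likely prints the member name twice, assuming `make_qualified_name` builds its result from the archive name and `name` (its definition is outside the diff). The other sites in this patch use `arch.file_name`, and `error (_("%s: contains corrupt thin archive: %s\n"), arch.file_name, name);` would keep the message in its earlier shape. It is also worth confirming that `qualified_name` is released on this `break` path, which the hunk does not show.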
-- 
2.22.0.vfs.1.1.57.gbaf16c8