1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 10:47:13 +1030
Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
file. There are newer versions of binutils, but none of them contain the
commit fixing CVE-2019-17451, so backport it to master and zeus.
Upstream-Status: Backport
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
CVE: CVE-2019-17451
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
---
bfd/dwarf2.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 0b4e485582..a91597b1d0 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)
--
2.23.0
|
