From 75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 Mon Sep 17 00:00:00 2001
From: Nick Clifton
Date: Mon, 3 Apr 2017 11:13:21 +0100
Subject: [PATCH] Fix runtime seg-fault in readelf when parsing a corrupt MIPS binary.

PR binutils/21344
* readelf.c (process_mips_specific): Check for an out of range GOT entry before reading the module pointer.

Upstream-Status: Backport
CVE: CVE-2017-9039 supporting patch
VER: <= 2.28
Signed-off-by: Armin kuster
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 26 ++++++++++++++++++--------
 2 files changed, 24 insertions(+), 8 deletions(-)

Index: git/binutils/readelf.c
===================================================================
--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
@@ -14987,14 +14987,24 @@ process_mips_specific (FILE * file)
 printf (_(" Lazy resolver\n"));
 if (ent == (bfd_vma) -1)
 goto got_print_fail;
- if (data
- && (byte_get (data + ent - pltgot, addr_size)
- >> (addr_size * 8 - 1)) != 0)
+
+ if (data)
 {
- ent = print_mips_got_entry (data, pltgot, ent, data_end);
- printf (_(" Module pointer (GNU extension)\n"));
- if (ent == (bfd_vma) -1)
- goto got_print_fail;
+ /* PR 21344 */
+ if (data + ent - pltgot > data_end - addr_size)
+ {
+ error (_("Invalid got entry - %#lx - overflows GOT table\n"), ent);
+ goto got_print_fail;
+ }
+
+ if (byte_get (data + ent - pltgot, addr_size)
+ >> (addr_size * 8 - 1) != 0)
+ {
+ ent = print_mips_got_entry (data, pltgot, ent, data_end);
+ printf (_(" Module pointer (GNU extension)\n"));
+ if (ent == (bfd_vma) -1)
+ goto got_print_fail;
+ }
 }
 
 printf ("\n");
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
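Review bot: The PR 21344 guard on the new side evaluates `data + ent - pltgot` before it compares against `data_end - addr_size`, so for exactly the out-of-range `ent` it is meant to reject it first forms a pointer outside the GOT buffer (and if `ent` were ever below `pltgot`, the unsigned `ent - pltgot` wraps to a huge offset); both are undefined pointer arithmetic that the optimizer is free to fold in ways that defeat the check. Compare offsets as integers instead, e.g. `bfd_vma avail = (bfd_vma) (data_end - data);` followed by `if (ent < pltgot || avail < addr_size || ent - pltgot > avail - addr_size)`, which also covers a buffer shorter than one entry, where `data_end - addr_size` would itself point before `data` (this assumes `data`/`data_end` are byte pointers, as the `data_end - addr_size` arithmetic suggests). The `error` call prints `ent` with `%#lx`; if `bfd_vma` is wider than `long` on the host that is a format/argument mismatch, so pass `(unsigned long) ent` or use the vma print helpers. process_mips_specific begins and ends outside this hunk.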
@@ -1,5 +1,11 @@
 2017-04-03 Nick Clifton
 
+ PR binutils/21344
+ * readelf.c (process_mips_specific): Check for an out of range GOT
+ entry before reading the module pointer.
+
+2017-04-03 Nick Clifton
+
 PR binutils/21343
 * readelf.c (get_unwind_section_word): Fix snafu checking for
 invalid word offsets in ARM unwind information.