1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 27 Sep 2017 10:42:51 +0100
Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when
encountering a CU structure with a small negative size.
PR 22219
* dwarf.c (process_debug_info): Add a check for a negative
cu_length field.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-14934
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
binutils/ChangeLog | 6 ++++++
binutils/dwarf.c | 11 ++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
Index: git/binutils/dwarf.c
===================================================================
--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section
int level, last_level, saved_level;
dwarf_vma cu_offset;
unsigned int offset_size;
- int initial_length_size;
+ unsigned int initial_length_size;
dwarf_vma signature_high = 0;
dwarf_vma signature_low = 0;
dwarf_vma type_offset = 0;
@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section
num_units = unit;
break;
}
+ else if (compunit.cu_length + initial_length_size < initial_length_size)
+ {
+ warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
+ dwarf_vmatoa ("x", cu_offset),
+ dwarf_vmatoa ("x", compunit.cu_length));
+ num_units = unit;
+ break;
+ }
+
tags = hdrptr;
start += compunit.cu_length + initial_length_size;
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-09-27 Nick Clifton <nickc@redhat.com>
+
+ PR 22219
+ * dwarf.c (process_debug_info): Add a check for a negative
+ cu_length field.
+
2017-11-01 Alan Modra <amodra@gmail.com>
Apply from master
|
