1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
From c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 Mon Sep 17 00:00:00 2001
From: "Maciej W. Rozycki" <macro@imgtec.com>
Date: Wed, 12 Apr 2017 00:03:41 +0100
Subject: [PATCH] MIPS/readelf: Simplify GOT[1] data availability check
Unavailable data is handled gracefully in MIPS GOT processing done by
`print_mips_got_entry', so all that is needed in special GOT[1] handling
is to verify whether data can be retrieved for the purpose of the GNU
marker check done with `byte_get'. Remove the extra error reporting
code then, introduced with commit 75ec1fdbb797 ("Fix runtime seg-fault
in readelf when parsing a corrupt MIPS binary.") in the course of
addressing PR binutils/21344, and defer the error case to regular local
GOT entry processing.
binutils/
* readelf.c (process_mips_specific): Remove error reporting from
GOT[1] processing.
Upstream-Status: Backport
CVE: CVE-2017-9041
VER: <= 2.28
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
binutils/ChangeLog | 5 +++++
binutils/readelf.c | 32 ++++++++++++++------------------
2 files changed, 19 insertions(+), 18 deletions(-)
Index: git/binutils/readelf.c
===================================================================
--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
@@ -15013,24 +15013,20 @@ process_mips_specific (FILE * file)
if (ent == (bfd_vma) -1)
goto got_print_fail;
- if (data)
+ /* Check for the MSB of GOT[1] being set, denoting a GNU object.
+ This entry will be used by some runtime loaders, to store the
+ module pointer. Otherwise this is an ordinary local entry.
+ PR 21344: Check for the entry being fully available before
+ fetching it. */
+ if (data
+ && data + ent - pltgot + addr_size <= data_end
+ && (byte_get (data + ent - pltgot, addr_size)
+ >> (addr_size * 8 - 1)) != 0)
{
- /* PR 21344 */
- if (data + ent - pltgot > data_end - addr_size)
- {
- error (_("Invalid got entry - %#lx - overflows GOT table\n"),
- (long) ent);
- goto got_print_fail;
- }
-
- if (byte_get (data + ent - pltgot, addr_size)
- >> (addr_size * 8 - 1) != 0)
- {
- ent = print_mips_got_entry (data, pltgot, ent, data_end);
- printf (_(" Module pointer (GNU extension)\n"));
- if (ent == (bfd_vma) -1)
- goto got_print_fail;
- }
+ ent = print_mips_got_entry (data, pltgot, ent, data_end);
+ printf (_(" Module pointer (GNU extension)\n"));
+ if (ent == (bfd_vma) -1)
+ goto got_print_fail;
}
printf ("\n");
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,4 +1,9 @@
2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+ * readelf.c (process_mips_specific): Remove error reporting from
+ GOT[1] processing.
+
+2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
* readelf.c (process_mips_specific): Remove null GOT data check.
|
