1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
commit cfd14a500e0485374596234de4db10e88ebc7618
Author: Nick Clifton <nickc@redhat.com>
Date: Mon Jun 26 15:25:08 2017 +0100
Fix address violations when atempting to parse fuzzed binaries.
PR binutils/21665
* compress.c (bfd_get_full_section_contents): Check for and reject
a section whoes size is greater than the size of the entire file.
* elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
contain a notes section.
binutils* objdump.c (disassemble_section): Skip any section that is bigger
than the entire file.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/compress.c
===================================================================
--- git.orig/bfd/compress.c 2017-09-21 17:32:51.645611404 +0530
+++ git/bfd/compress.c 2017-09-21 17:32:52.965622987 +0530
@@ -239,6 +239,12 @@
*ptr = NULL;
return TRUE;
}
+ else if (bfd_get_file_size (abfd) > 0
+ && sz > (bfd_size_type) bfd_get_file_size (abfd))
+ {
+ *ptr = NULL;
+ return FALSE;
+ }
switch (sec->compress_status)
{
Index: git/bfd/elf32-v850.c
===================================================================
--- git.orig/bfd/elf32-v850.c 2017-09-21 17:32:35.053465773 +0530
+++ git/bfd/elf32-v850.c 2017-09-21 17:32:52.965622987 +0530
@@ -2448,7 +2448,9 @@
BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
+ /* If the output is being stripped then it is possible for
+ the notes section to disappear. In this case do nothing. */
+ return;
/* Copy/overwrite notes from the input to the output. */
memcpy (ocont, icont, bfd_section_size (obfd, onotes));
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
+++ git/binutils/objdump.c 2017-09-21 17:32:52.965622987 +0530
@@ -1973,7 +1973,7 @@
return;
datasize = bfd_get_section_size (section);
- if (datasize == 0)
+ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
return;
if (start_address == (bfd_vma) -1
@@ -2839,7 +2839,7 @@
static void
dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
{
- bfd_byte *data = 0;
+ bfd_byte *data = NULL;
bfd_size_type datasize;
bfd_vma addr_offset;
bfd_vma start_offset;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:32:52.909622495 +0530
+++ git/bfd/ChangeLog 2017-09-21 17:35:57.863164167 +0530
@@ -11,6 +11,14 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Check for and reject
+ a section whoes size is greater than the size of the entire file.
+ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+ contain a notes section.
+
2017-07-24 Nick Clifton <nickc@redhat.com>
PR 21813
|