1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Jun 26 09:24:49 2017 -0700
Check file size before getting section contents
Don't check the section size in bfd_get_full_section_contents since
the size of a decompressed section may be larger than the file size.
Instead, check file size in _bfd_generic_get_section_contents.
PR binutils/21665
* compress.c (bfd_get_full_section_contents): Don't check the
file size here.
* libbfd.c (_bfd_generic_get_section_contents): Check for and
reject a section whoes size + offset is greater than the size
of the entire file.
(_bfd_generic_get_section_contents_in_window): Likewise.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 17:41:59.457841691 +0530
+++ git/bfd/libbfd.c 2017-09-21 17:42:18.269987768 +0530
@@ -780,6 +780,7 @@
bfd_size_type count)
{
bfd_size_type sz;
+ file_ptr filesz;
if (count == 0)
return TRUE;
@@ -801,8 +802,15 @@
sz = section->rawsize;
else
sz = section->size;
+ filesz = bfd_get_file_size (abfd);
+ if (filesz < 0)
+ {
+ /* This should never happen. */
+ abort ();
+ }
if (offset + count < count
- || offset + count > sz)
+ || offset + count > sz
+ || (section->filepos + offset + sz) > (bfd_size_type) filesz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
@@ -825,6 +833,7 @@
{
#ifdef USE_MMAP
bfd_size_type sz;
+ file_ptr filesz;
if (count == 0)
return TRUE;
@@ -857,7 +866,13 @@
sz = section->rawsize;
else
sz = section->size;
+ filesz = bfd_get_file_size (abfd);
+ {
+ /* This should never happen. */
+ abort ();
+ }
if (offset + count > sz
+ || (section->filepos + offset + sz) > (bfd_size_type) filesz
|| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
TRUE))
return FALSE;
Index: git/bfd/compress.c
===================================================================
--- git.orig/bfd/compress.c 2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/compress.c 2017-09-21 17:45:17.107399434 +0530
@@ -239,12 +239,6 @@
*ptr = NULL;
return TRUE;
}
- else if (bfd_get_file_size (abfd) > 0
- && sz > (bfd_size_type) bfd_get_file_size (abfd))
- {
- *ptr = NULL;
- return FALSE;
- }
switch (sec->compress_status)
{
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/ChangeLog 2017-09-21 17:47:03.668256850 +0530
@@ -11,6 +11,16 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Don't check the
+ file size here.
+ * libbfd.c (_bfd_generic_get_section_contents): Check for and
+ reject a section whoes size + offset is greater than the size
+ of the entire file.
+ (_bfd_generic_get_section_contents_in_window): Likewise.
+
2017-06-26 Nick Clifton <nickc@redhat.com>
PR binutils/21665
|