path: root/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 20 Sep 2018 15:29:17 +0930
Subject: [PATCH] Bug 23686, two segment faults in nm

Fixes the bugs exposed by the testcases in the PR, plus two more bugs
I noticed when looking at _bfd_stab_section_find_nearest_line.

	PR 23686
	* dwarf2.c (read_section): Error when attempting to malloc
	"(bfd_size_type) -1".
	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
	function_name.  Bounds check reloc address.  Formatting.  Ensure
	.stabstr zero terminated.
CVE: CVE-2018-17358 and CVE-2018-17359
Upstream-Status: Backport
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 bfd/ChangeLog |  9 +++++++++
 bfd/dwarf2.c  |  9 ++++++++-
 bfd/syms.c    | 22 ++++++++++++++++------
 3 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 04c0c2a..fef5479 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,12 @@
+2018-09-20  Alan Modra  <amodra@gmail.com>
+
+	PR 23686
+	* dwarf2.c (read_section): Error when attempting to malloc
+	"(bfd_size_type) -1".
+	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+	function_name.  Bounds check reloc address.  Formatting.  Ensure
+	.stabstr zero terminated.
+
 2018-08-12  H.J. Lu  <hongjiu.lu@intel.com>
 
 	PR ld/23428
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 3b28855..77a7368 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -527,6 +527,7 @@ read_section (bfd *	      abfd,
   asection *msec;
   const char *section_name = sec->uncompressed_name;
   bfd_byte *contents = *section_buffer;
+  bfd_size_type amt;
 
   /* The section may have already been read.  */
   if (contents == NULL)
@@ -549,7 +550,13 @@ read_section (bfd *	      abfd,
       *section_size = msec->rawsize ? msec->rawsize : msec->size;
       /* Paranoia - alloc one extra so that we can make sure a string
 	 section is NUL terminated.  */
-      contents = (bfd_byte *) bfd_malloc (*section_size + 1);
+      amt = *section_size + 1;
+      if (amt == 0)
+	{
+	  bfd_set_error (bfd_error_no_memory);
+	  return FALSE;
+	}
+      contents = (bfd_byte *) bfd_malloc (amt);
       if (contents == NULL)
 	return FALSE;
       if (syms
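Review bot: The new `amt == 0` test only recognises the single wrapping value of `*section_size` ((bfd_size_type) -1), and the comment above it still talks only about the extra NUL byte, so the reason for refusing a zero-byte request is not recorded; a one-line comment before the check would help, e.g. `/* A section size of (bfd_size_type) -1 wraps amt to zero; treat it as corrupt input rather than asking bfd_malloc for nothing.  */`. Since the cause is a bogus size read from the file rather than allocation failure, `bfd_set_error (bfd_error_bad_value);` arguably describes the condition better than `bfd_error_no_memory`, though the choice may be deliberate to match what `bfd_malloc` itself would report. Whether `*section_size` is also bounded against the file size elsewhere cannot be seen from this hunk. read_section begins before this hunk and continues after it.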
diff --git a/bfd/syms.c b/bfd/syms.c
index 187071f..e09640a 100644
--- a/bfd/syms.c
+++ b/bfd/syms.c
@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 					 0, strsize))
 	return FALSE;
 
+      /* Stab strings ought to be nul terminated.  Ensure the last one
+	 is, to prevent running off the end of the buffer.  */
+      info->strs[strsize - 1] = 0;
+
       /* If this is a relocatable object file, we have to relocate
 	 the entries in .stab.  This should always be simple 32 bit
 	 relocations against symbols defined in this object file, so
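Review bot: The added `info->strs[strsize - 1] = 0;` writes one byte before the buffer when `strsize` is 0, because the subtraction is on an unsigned size and `bfd_alloc` with a zero size is not shown to return NULL here; unless an earlier part of the function (outside this hunk) already rejects an empty .stabstr, guard it, e.g. `if (strsize != 0) info->strs[strsize - 1] = 0;`, or bail out on an empty string table before the reads. The write is also worth a note that it intentionally clobbers the last byte of a truncated table so that a string without a terminator reads as shorter rather than overrunning. _bfd_stab_section_find_nearest_line starts before this hunk and continues after it.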
@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 		  || r->howto->bitsize != 32
 		  || r->howto->pc_relative
 		  || r->howto->bitpos != 0
-		  || r->howto->dst_mask != 0xffffffff)
+		  || r->howto->dst_mask != 0xffffffff
+		  || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
 		{
 		  _bfd_error_handler
 		    (_("unsupported .stab relocation"));
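Review bot: The new bound `r->address * bfd_octets_per_byte (abfd) + 4 > stabsize` is computed in unsigned arithmetic and can wrap for a relocation address near the top of the `bfd_size_type` range, in which case a hostile offset passes the check and the later 32-bit access lands outside the .stab buffer; this matters only if the multiplication or the `+ 4` can actually overflow for the values `r->address` may carry, which cannot be confirmed from the hunk. A wrap-free form is to reject the address before scaling it, e.g. `|| r->address > stabsize || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize`, since the first term short-circuits anything large enough to wrap. The enclosing loop and function extend beyond this hunk.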
@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 		{
 		  nul_fun = stab;
 		  nul_str = str;
-		  if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+		  if (file_name >= (char *) info->strs + strsize
+		      || file_name < (char *) str)
 		    file_name = NULL;
 		  if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
 		      && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 		      directory_name = file_name;
 		      file_name = ((char *) str
 				   + bfd_get_32 (abfd, stab + STRDXOFF));
-		      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+		      if (file_name >= (char *) info->strs + strsize
+			  || file_name < (char *) str)
 			file_name = NULL;
 		    }
 		}
@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 	      file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
 	      /* PR 17512: file: 0c680a1f.  */
 	      /* PR 17512: file: 5da8aec4.  */
-	      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+	      if (file_name >= (char *) info->strs + strsize
+		  || file_name < (char *) str)
 		file_name = NULL;
 	      break;
 
@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 	      function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
 	      if (function_name == (char *) str)
 		continue;
-	      if (function_name >= (char *) info->strs + strsize)
+	      if (function_name >= (char *) info->strs + strsize
+		  || function_name < (char *) str)
 		function_name = NULL;
 
 	      nul_fun = NULL;
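Review bot: The two-sided range test added here for `function_name` is now the sixth copy of the same `>= (char *) info->strs + strsize || < (char *) str` expression in this function (the other five are the reformatted `file_name` checks in the hunks at @@ -1195, @@ -1206, @@ -1217 and @@ -1335), and this hunk shows how easy it is for one copy to drift: the lower bound was missing only for `function_name`. Folding the test into one small static helper would keep every string index check identical and make a future omission visible at the call site. The helper would live at file scope outside these hunks; each site then becomes a one-line call such as `function_name = stab_str_or_null (function_name, str, info->strs, strsize);`.
```c
/* Return NAME if it lies inside the current .stabstr table, i.e. in
   [STR, STRS + STRSIZE); otherwise NULL.  Keeps every string-index
   bounds check in _bfd_stab_section_find_nearest_line identical.  */
static char *
stab_str_or_null (char *name, const bfd_byte *str,
		  const bfd_byte *strs, bfd_size_type strsize)
{
  if (name >= (const char *) strs + strsize || name < (const char *) str)
    return NULL;
  return name;
}

/* … unchanged: _bfd_stab_section_find_nearest_line up to the N_FUN case … */
	      function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
	      if (function_name == (char *) str)
		continue;
	      function_name = stab_str_or_null (function_name, str, info->strs, strsize);
```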
@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
 	  if (val <= offset)
 	    {
 	      file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
-	      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+	      if (file_name >= (char *) info->strs + strsize
+		  || file_name < (char *) str)
 		file_name = NULL;
 	      *pline = 0;
 	    }
-- 
2.9.3