1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 20 Sep 2018 18:23:17 +0930
Subject: [PATCH] PR23685, buffer overflow
PR 23685
* peXXigen.c (pe_print_edata): Correct export address table
overflow checks. Check dataoff against section size too.
CVE: CVE-2018-17360
Upstream-Status: Backport
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
bfd/ChangeLog | 6 ++++++
bfd/peXXigen.c | 11 ++++++-----
2 files changed, 12 insertions(+), 5 deletions(-)
--- a/bfd/peXXigen.c
+++ b/bfd/peXXigen.c
@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile
dataoff = addr - section->vma;
datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
- if (datasize > section->size - dataoff)
+ if (dataoff > section->size
+ || datasize > section->size - dataoff)
{
fprintf (file,
_("\nThere is an export table in %s, but it does not fit into that section\n"),
@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile
edt.base);
/* PR 17512: Handle corrupt PE binaries. */
- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize
+ /* PR 17512 file: 140-165018-0.004. */
+ if (edt.eat_addr - adj >= datasize
/* PR 17512: file: 092b1829 */
- || (edt.num_functions * 4) < edt.num_functions
- /* PR 17512 file: 140-165018-0.004. */
- || data + edt.eat_addr - adj < data)
+ || (edt.num_functions + 1) * 4 < edt.num_functions
+ || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize)
fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"),
(long) edt.eat_addr,
(long) edt.num_functions);
|
