commit 60a02042bacf8d25814430080adda61ed086bca6
Author: Nick Clifton <nickc@redhat.com>
Date: Fri Jun 30 11:03:37 2017 +0100
Fix failures in MMIX linker tests introduced by fix for PR 21665.
PR binutils/21665
* objdump.c (disassemble_section): Move check for an overlarge
section to just before the allocation of memory. Do not check
section size against file size, but instead use an arbitrary 2Gb
limit. Issue a warning message if the section is too big.
Upstream-Status: CVE-2017-9955
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c 2017-09-21 18:10:55.499217078 +0530
+++ git/binutils/objdump.c 2017-09-21 18:10:55.483216953 +0530
@@ -1973,7 +1973,7 @@
return;
datasize = bfd_get_section_size (section);
- if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+ if (datasize == 0)
return;
if (start_address == (bfd_vma) -1
@@ -2037,6 +2037,29 @@
}
rel_ppend = rel_pp + rel_count;
+ /* PR 21665: Check for overlarge datasizes.
+ Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+ this fails when using compressed sections or compressed file formats
+ (eg MMO, tekhex).
+
+ The call to xmalloc below will fail if too much memory is requested,
+ which will catch the problem in the normal use case. But if a memory
+ checker is in use, eg valgrind or sanitize, then an exception will
+ be still generated, so we try to catch the problem first.
+
+ Unfortunately there is no simple way to determine how much memory can
+ be allocated by calling xmalloc. So instead we use a simple, arbitrary
+ limit of 2Gb. Hopefully this should be enough for most users. If
+ someone does start trying to disassemble sections larger then 2Gb in
+ size they will doubtless complain and we can increase the limit. */
+#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+ if (datasize > MAX_XMALLOC)
+ {
+ non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+ section->name, (unsigned long) datasize);
+ return;
+ }
+
data = (bfd_byte *) xmalloc (datasize);
bfd_get_section_contents (abfd, section, data, 0, datasize);
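Review bot: The result of `bfd_get_section_contents` on the last line of this hunk is still ignored, and with the file-size comparison dropped in the first hunk, that call is now the only place where a section whose declared size exceeds the data actually present can be noticed. A truncated or malformed input whose section size is under `MAX_XMALLOC` is allocated in full, and if the read fails the code that follows (outside this hunk) presumably works on an uninitialised buffer. I would test the call, e.g. `if (!bfd_get_section_contents (abfd, section, data, 0, datasize))`, and on failure report through `non_fatal`, `free (data)` and return. Separately, `(unsigned long) datasize` printed with `%#lx` can truncate the reported size on hosts where `bfd_size_type` is wider than `unsigned long`. The body of disassemble_section starts and ends outside the hunk.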
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog 2017-09-21 17:57:10.448948416 +0530
+++ git/binutils/ChangeLog 2017-09-21 18:13:09.052268892 +0530
@@ -4,6 +4,14 @@
* rddbg.c (read_symbol_stabs_debugging_info): Check for an empty
string whilst concatenating symbol names.
+2017-06-30 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21665
+ * objdump.c (disassemble_section): Move check for an overlarge
+ section to just before the allocation of memory. Do not check
+ section size against file size, but instead use an arbitrary 2Gb
+ limit. Issue a warning message if the section is too big.
+
2017-05-02 Nick Clifton <nickc@redhat.com>
PR 21440