1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
From 60a02042bacf8d25814430080adda61ed086bca6 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Fri, 30 Jun 2017 11:03:37 +0100
Subject: [PATCH] Fix failures in MMIX linker tests introduced by fix for PR
21665.
PR binutils/21665
* objdump.c (disassemble_section): Move check for an overlarge
section to just before the allocation of memory. Do not check
section size against file size, but instead use an arbitrary 2Gb
limit. Issue a warning message if the section is too big.
Upstream-Status: Backport
CVE: CVE-2017-9955 #7
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
binutils/ChangeLog | 8 ++++++++
binutils/objdump.c | 25 ++++++++++++++++++++++++-
2 files changed, 32 insertions(+), 1 deletion(-)
Index: git/binutils/objdump.c
===================================================================
--- git.orig/binutils/objdump.c
+++ git/binutils/objdump.c
@@ -2048,7 +2048,7 @@ disassemble_section (bfd *abfd, asection
return;
datasize = bfd_get_section_size (section);
- if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+ if (datasize == 0)
return;
if (start_address == (bfd_vma) -1
@@ -2112,6 +2112,29 @@ disassemble_section (bfd *abfd, asection
}
rel_ppend = rel_pp + rel_count;
+ /* PR 21665: Check for overlarge datasizes.
+ Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+ this fails when using compressed sections or compressed file formats
+ (eg MMO, tekhex).
+
+ The call to xmalloc below will fail if too much memory is requested,
+ which will catch the problem in the normal use case. But if a memory
+ checker is in use, eg valgrind or sanitize, then an exception will
+ be still generated, so we try to catch the problem first.
+
+ Unfortunately there is no simple way to determine how much memory can
+ be allocated by calling xmalloc. So instead we use a simple, arbitrary
+ limit of 2Gb. Hopefully this should be enough for most users. If
+ someone does start trying to disassemble sections larger then 2Gb in
+ size they will doubtless complain and we can increase the limit. */
+#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+ if (datasize > MAX_XMALLOC)
+ {
+ non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+ section->name, (unsigned long) datasize);
+ return;
+ }
+
data = (bfd_byte *) xmalloc (datasize);
bfd_get_section_contents (abfd, section, data, 0, datasize);
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2017-06-30 Nick Clifton <nickc@redhat.com>
+
+ PR binutils/21665
+ * objdump.c (disassemble_section): Move check for an overlarge
+ section to just before the allocation of memory. Do not check
+ section size against file size, but instead use an arbitrary 2Gb
+ limit. Issue a warning message if the section is too big.
+
2017-06-26 Nick Clifton <nickc@redhat.com>
PR binutils/21665
|