1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 6 Feb 2018 15:48:29 +0000
Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
chacking the size of debuglink sections.
PR 22794
* opncls.c (bfd_get_debug_link_info_1): Check the size of the
section before attempting to read it in.
(bfd_get_alt_debug_link_info): Likewise.
Upstream-Status: Backport
Affects: Binutils <= 2.30
CVE: CVE-2018-6759
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 7 +++++++
bfd/opncls.c | 22 +++++++++++++++++-----
2 files changed, 24 insertions(+), 5 deletions(-)
Index: git/bfd/opncls.c
===================================================================
--- git.orig/bfd/opncls.c
+++ git/bfd/opncls.c
@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
bfd_byte *contents;
unsigned int crc_offset;
char *name;
+ bfd_size_type size;
BFD_ASSERT (abfd);
BFD_ASSERT (crc32_out);
@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
if (sect == NULL)
return NULL;
+ size = bfd_get_section_size (sect);
+
+ /* PR 22794: Make sure that the section has a reasonable size. */
+ if (size < 8 || size >= bfd_get_size (abfd))
+ return NULL;
+
if (!bfd_malloc_and_get_section (abfd, sect, &contents))
{
if (contents != NULL)
@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
/* CRC value is stored after the filename, aligned up to 4 bytes. */
name = (char *) contents;
- /* PR 17597: avoid reading off the end of the buffer. */
- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+ /* PR 17597: Avoid reading off the end of the buffer. */
+ crc_offset = strnlen (name, size) + 1;
crc_offset = (crc_offset + 3) & ~3;
- if (crc_offset + 4 > bfd_get_section_size (sect))
+ if (crc_offset + 4 > size)
return NULL;
*crc32 = bfd_get_32 (abfd, contents + crc_offset);
@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
bfd_byte *contents;
unsigned int buildid_offset;
char *name;
+ bfd_size_type size;
BFD_ASSERT (abfd);
BFD_ASSERT (buildid_len);
@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
if (sect == NULL)
return NULL;
+ size = bfd_get_section_size (sect);
+ if (size < 8 || size >= bfd_get_size (abfd))
+ return NULL;
+
if (!bfd_malloc_and_get_section (abfd, sect, & contents))
{
if (contents != NULL)
@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
/* BuildID value is stored after the filename. */
name = (char *) contents;
- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+ buildid_offset = strnlen (name, size) + 1;
if (buildid_offset >= bfd_get_section_size (sect))
return NULL;
- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
+ *buildid_len = size - buildid_offset;
*buildid_out = bfd_malloc (*buildid_len);
memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2018-02-06 Nick Clifton <nickc@redhat.com>
+
+ PR 22794
+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
+ section before attempting to read it in.
+ (bfd_get_alt_debug_link_info): Likewise.
+
2018-02-09 Nick Clifton <nickc@redhat.com>
Import patch from mainline:
|
