poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7568.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 28 Feb 2018 10:13:54 +0000
Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
 debug information.

	PR 22894
	* dwarf1.c (parse_die): Check the length of form blocks before
	advancing the data pointer.

Upstream-Status: Backport
Affects: Binutils <= 2.30
CVE: CVE-2018-7568
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 bfd/ChangeLog |  6 ++++++
 bfd/dwarf1.c  | 17 +++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

Index: git/bfd/dwarf1.c
===================================================================
--- git.orig/bfd/dwarf1.c
+++ git/bfd/dwarf1.c
@@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,
   /* Then the attributes.  */
   while (xptr + 2 <= aDiePtrEnd)
     {
+      unsigned int   block_len;
       unsigned short attr;
 
       /* Parse the attribute based on its form.  This section
@@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,
 	  break;
 	case FORM_BLOCK2:
 	  if (xptr + 2 <= aDiePtrEnd)
-	    xptr += bfd_get_16 (abfd, xptr);
+	    {
+	      block_len = bfd_get_16 (abfd, xptr);
+	      if (xptr + block_len > aDiePtrEnd
+		  || xptr + block_len < xptr)
+		return FALSE;
+	      xptr += block_len;
+	    }
 	  xptr += 2;
 	  break;
 	case FORM_BLOCK4:
 	  if (xptr + 4 <= aDiePtrEnd)
-	    xptr += bfd_get_32 (abfd, xptr);
+	    {
+	      block_len = bfd_get_32 (abfd, xptr);
+	      if (xptr + block_len > aDiePtrEnd
+		  || xptr + block_len < xptr)
+		return FALSE;
+	      xptr += block_len;
+	    }
 	  xptr += 4;
 	  break;
 	case FORM_STRING:
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -4,7 +4,11 @@
        * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
        range before converting to a symbol table pointer.
 
-2018-02-28  Alan Modra  <amodra@gmail.com>
+2018-02-28  Nick Clifton  <nickc@redhat.com>
+
+       PR 22894
+       * dwarf1.c (parse_die): Check the length of form blocks before
+       advancing the data pointer.
 
        PR 22895
        PR 22893
@@ -14,6 +18,8 @@
        size is invalid.
        (read_attribute_value): Adjust invocations of read_n_bytes.
 
+2018-02-28  Alan Modra  <amodra@gmail.com>
+
        PR 22887
        * aoutx.h (swap_std_reloc_in): Correct r_index bound check.