1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 28 Feb 2018 11:50:49 +0000
Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
FORM blocks.
PR 22895
PR 22893
* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
pointer. Drop unused abfd parameter. Check the size of the block
before initialising the data field. Return the end pointer if the
size is invalid.
(read_attribute_value): Adjust invocations of read_n_bytes.
Upstream-Status: Backport
Affects: Binutils <= 2.30
CVE: CVE-2018-7569
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 8 ++++++++
bfd/dwarf2.c | 36 +++++++++++++++++++++---------------
2 files changed, 29 insertions(+), 15 deletions(-)
Index: git/bfd/dwarf2.c
===================================================================
--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
}
static bfd_byte *
-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
- bfd_byte *buf,
- bfd_byte *end,
- unsigned int size ATTRIBUTE_UNUSED)
-{
- if (buf + size > end)
- return NULL;
- return buf;
+read_n_bytes (bfd_byte * buf,
+ bfd_byte * end,
+ struct dwarf_block * block)
+{
+ unsigned int size = block->size;
+ bfd_byte * block_end = buf + size;
+
+ if (block_end > end || block_end < buf)
+ {
+ block->data = NULL;
+ block->size = 0;
+ return end;
+ }
+ else
+ {
+ block->data = buf;
+ return block_end;
+ }
}
/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 2;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block4:
@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 4;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data2:
@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
FALSE, info_ptr_end);
info_ptr += bytes_read;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block1:
@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
info_ptr += 1;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data1:
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -6,6 +6,14 @@
2018-02-28 Alan Modra <amodra@gmail.com>
+ PR 22895
+ PR 22893
+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+ pointer. Drop unused abfd parameter. Check the size of the block
+ before initialising the data field. Return the end pointer if the
+ size is invalid.
+ (read_attribute_value): Adjust invocations of read_n_bytes.
+
PR 22887
* aoutx.h (swap_std_reloc_in): Correct r_index bound check.
|
