1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Tue, 8 May 2018 12:51:06 +0100
Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
fuzzed input file with corrupt string and attribute sections.
PR 22809
* elf.c (bfd_elf_get_str_section): Check for an excessively large
string section.
* elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
attribute section is larger than the size of the file.
Upsteram-Status: Backport
Affects: Binutils <= 2.30
CVE: CVE-2018-8945
Signed-off-by: Armin kuster <akuster@mvista.com>
---
bfd/ChangeLog | 8 ++++++++
bfd/elf-attrs.c | 9 +++++++++
bfd/elf.c | 1 +
3 files changed, 18 insertions(+)
Index: git/bfd/elf-attrs.c
===================================================================
--- git.orig/bfd/elf-attrs.c
+++ git/bfd/elf-attrs.c
@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
/* PR 17512: file: 2844a11d. */
if (hdr->sh_size == 0)
return;
+ if (hdr->sh_size > bfd_get_file_size (abfd))
+ {
+ /* xgettext:c-format */
+ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
+ abfd, hdr->bfd_section, (long long) hdr->sh_size);
+ bfd_set_error (bfd_error_invalid_operation);
+ return;
+ }
+
contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
if (!contents)
return;
Index: git/bfd/elf.c
===================================================================
--- git.orig/bfd/elf.c
+++ git/bfd/elf.c
@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
/* Allocate and clear an extra byte at the end, to prevent crashes
in case the string table is not terminated. */
if (shstrtabsize + 1 <= 1
+ || shstrtabsize > bfd_get_file_size (abfd)
|| bfd_seek (abfd, offset, SEEK_SET) != 0
|| (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
shstrtab = NULL;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,3 +1,11 @@
+2018-05-08 Nick Clifton <nickc@redhat.com>
+
+ PR 22809
+ * elf.c (bfd_elf_get_str_section): Check for an excessively large
+ string section.
+ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+ attribute section is larger than the size of the file.
+
2018-02-07 Alan Modra <amodra@gmail.com>
Revert 2018-01-17 Alan Modra <amodra@gmail.com>
|
