rpms/binutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix illegal memory accesses when parsing corrupt a.out format files.

Browse Source 
Resolves: RHEL-64927
This commit is contained in:
Nick Clifton 2024-10-29 15:14:32 +00:00
parent d69f0b8bf0
commit 0384c4b6b1
6 changed files with 7532 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1238
binutils-CVE-2018-12699-part1-PR22955.patch Normal file
View File

File diff suppressed because it is too large Load Diff

1210
binutils-CVE-2018-12699-part2-PR87861.patch Normal file
View File

File diff suppressed because it is too large Load Diff

13
binutils-CVE-2018-12699-part3-PR22957.patch Normal file
View File

@ -0,0 +1,13 @@
diff -rup binutils.orig.2/binutils/stabs.c binutils-2.30/binutils/stabs.c
--- binutils.orig.2/binutils/stabs.c 2024-10-29 14:21:27.910212960 +0000
+++ binutils-2.30/binutils/stabs.c 2024-10-29 14:22:14.304336367 +0000
@@ -3364,6 +3363,9 @@ pop_bincl (struct stab_handle *info)
return info->main_filename;
info->bincl_stack = o->next_stack;
+ if (o->file >= info->files)
+ return info->main_filename;
+
o->file_types = info->file_types[o->file];
if (info->bincl_stack == NULL)

4809
binutils-CVE-2018-12699-part4-PR16615.patch Normal file
View File

File diff suppressed because it is too large Load Diff

232
binutils-CVE-2018-12699-part5-PR28694.patch Normal file
View File

@ -0,0 +1,232 @@
diff -rup binutils.orig.4/binutils/stabs.c binutils-2.30/binutils/stabs.c
--- binutils.orig.4/binutils/stabs.c 2024-10-29 14:31:49.044040165 +0000
+++ binutils-2.30/binutils/stabs.c 2024-10-29 14:35:01.106616133 +0000
@@ -202,7 +202,7 @@ static debug_type stab_find_type (void *
static bfd_boolean stab_record_type
(void *, struct stab_handle *, const int *, debug_type);
static debug_type stab_xcoff_builtin_type
- (void *, struct stab_handle *, int);
+ (void *, struct stab_handle *, unsigned int);
static debug_type stab_find_tagged_type
(void *, struct stab_handle *, const char *, int, enum debug_type_kind);
static debug_type *stab_demangle_argtypes
@@ -3538,166 +3538,168 @@ stab_record_type (void *dhandle ATTRIBUT
static debug_type
stab_xcoff_builtin_type (void *dhandle, struct stab_handle *info,
- int typenum)
+ unsigned int typenum)
{
debug_type rettype;
const char *name;
- if (typenum >= 0 || typenum < -XCOFF_TYPE_COUNT)
+ typenum = -typenum - 1;
+ if (typenum >= XCOFF_TYPE_COUNT)
{
- fprintf (stderr, _("Unrecognized XCOFF type %d\n"), typenum);
+ fprintf (stderr, _("Unrecognized XCOFF type %d\n"), -typenum - 1);
return DEBUG_TYPE_NULL;
}
- if (info->xcoff_types[-typenum] != NULL)
- return info->xcoff_types[-typenum];
- switch (-typenum)
+ if (info->xcoff_types[typenum] != NULL)
+ return info->xcoff_types[typenum];
+
+ switch (typenum)
{
- case 1:
+ case 0:
/* The size of this and all the other types are fixed, defined
by the debugging format. */
name = "int";
rettype = debug_make_int_type (dhandle, 4, FALSE);
break;
- case 2:
+ case 1:
name = "char";
rettype = debug_make_int_type (dhandle, 1, FALSE);
break;
- case 3:
+ case 2:
name = "short";
rettype = debug_make_int_type (dhandle, 2, FALSE);
break;
- case 4:
+ case 3:
name = "long";
rettype = debug_make_int_type (dhandle, 4, FALSE);
break;
- case 5:
+ case 4:
name = "unsigned char";
rettype = debug_make_int_type (dhandle, 1, TRUE);
break;
- case 6:
+ case 5:
name = "signed char";
rettype = debug_make_int_type (dhandle, 1, FALSE);
break;
- case 7:
+ case 6:
name = "unsigned short";
rettype = debug_make_int_type (dhandle, 2, TRUE);
break;
- case 8:
+ case 7:
name = "unsigned int";
rettype = debug_make_int_type (dhandle, 4, TRUE);
break;
- case 9:
+ case 8:
name = "unsigned";
rettype = debug_make_int_type (dhandle, 4, TRUE);
break;
- case 10:
+ case 9:
name = "unsigned long";
rettype = debug_make_int_type (dhandle, 4, TRUE);
break;
- case 11:
+ case 10:
name = "void";
rettype = debug_make_void_type (dhandle);
break;
- case 12:
+ case 11:
/* IEEE single precision (32 bit). */
name = "float";
rettype = debug_make_float_type (dhandle, 4);
break;
- case 13:
+ case 12:
/* IEEE double precision (64 bit). */
name = "double";
rettype = debug_make_float_type (dhandle, 8);
break;
- case 14:
+ case 13:
/* This is an IEEE double on the RS/6000, and different machines
with different sizes for "long double" should use different
negative type numbers. See stabs.texinfo. */
name = "long double";
rettype = debug_make_float_type (dhandle, 8);
break;
- case 15:
+ case 14:
name = "integer";
rettype = debug_make_int_type (dhandle, 4, FALSE);
break;
- case 16:
+ case 15:
name = "boolean";
rettype = debug_make_bool_type (dhandle, 4);
break;
- case 17:
+ case 16:
name = "short real";
rettype = debug_make_float_type (dhandle, 4);
break;
- case 18:
+ case 17:
name = "real";
rettype = debug_make_float_type (dhandle, 8);
break;
- case 19:
+ case 18:
/* FIXME */
name = "stringptr";
rettype = NULL;
break;
- case 20:
+ case 19:
/* FIXME */
name = "character";
rettype = debug_make_int_type (dhandle, 1, TRUE);
break;
- case 21:
+ case 20:
name = "logical*1";
rettype = debug_make_bool_type (dhandle, 1);
break;
- case 22:
+ case 21:
name = "logical*2";
rettype = debug_make_bool_type (dhandle, 2);
break;
- case 23:
+ case 22:
name = "logical*4";
rettype = debug_make_bool_type (dhandle, 4);
break;
- case 24:
+ case 23:
name = "logical";
rettype = debug_make_bool_type (dhandle, 4);
break;
- case 25:
+ case 24:
/* Complex type consisting of two IEEE single precision values. */
name = "complex";
rettype = debug_make_complex_type (dhandle, 8);
break;
- case 26:
+ case 25:
/* Complex type consisting of two IEEE double precision values. */
name = "double complex";
rettype = debug_make_complex_type (dhandle, 16);
break;
- case 27:
+ case 26:
name = "integer*1";
rettype = debug_make_int_type (dhandle, 1, FALSE);
break;
- case 28:
+ case 27:
name = "integer*2";
rettype = debug_make_int_type (dhandle, 2, FALSE);
break;
- case 29:
+ case 28:
name = "integer*4";
rettype = debug_make_int_type (dhandle, 4, FALSE);
break;
- case 30:
+ case 29:
/* FIXME */
name = "wchar";
rettype = debug_make_int_type (dhandle, 2, FALSE);
break;
- case 31:
+ case 30:
name = "long long";
rettype = debug_make_int_type (dhandle, 8, FALSE);
break;
- case 32:
+ case 31:
name = "unsigned long long";
rettype = debug_make_int_type (dhandle, 8, TRUE);
break;
- case 33:
+ case 32:
name = "logical*8";
rettype = debug_make_bool_type (dhandle, 8);
break;
- case 34:
+ case 33:
name = "integer*8";
rettype = debug_make_int_type (dhandle, 8, FALSE);
break;
@@ -3706,9 +3708,7 @@ stab_xcoff_builtin_type (void *dhandle,
}
rettype = debug_name_type (dhandle, name, rettype);
-
- info->xcoff_types[-typenum] = rettype;
-
+ info->xcoff_types[typenum] = rettype;
return rettype;
}

31
binutils.spec
View File

@ -43,7 +43,7 @@
Summary: A GNU collection of binary utilities Summary: A GNU collection of binary utilities
Name: binutils%{?name_cross}%{?_with_debug:-debug} Name: binutils%{?name_cross}%{?_with_debug:-debug}
Version: 2.30 Version: 2.30
Release: 123%{?dist} Release: 124%{?dist}
License: GPLv3+ License: GPLv3+
URL: https://sourceware.org/binutils URL: https://sourceware.org/binutils
@ -638,6 +638,27 @@ Patch103: binutils-memory-access-when-parsing-an-elf-file.patch
# Purpose: Add support for DWARF-5 offset tables. # Purpose: Add support for DWARF-5 offset tables.
# Lifetime: 2.40 # Lifetime: 2.40
Patch104: binutils-DW_FORM_strx.patch Patch104: binutils-DW_FORM_strx.patch
# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
# Lifetime: 2.35
Patch105: binutils-CVE-2018-12699-part1-PR22955.patch
# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
# Lifetime: 2.35
Patch106: binutils-CVE-2018-12699-part2-PR87861.patch
# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
# Lifetime: 2.35
Patch107: binutils-CVE-2018-12699-part3-PR22957.patch
# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
# Lifetime: 2.35
Patch108: binutils-CVE-2018-12699-part4-PR16615.patch
# Purpose: Fixes an illegal memory access parsing corrupt A.OUT files.
# Lifetime: 2.35
Patch109: binutils-CVE-2018-12699-part5-PR28694.patch
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
Provides: bundled(libiberty) Provides: bundled(libiberty)
@ -879,6 +900,11 @@ using libelf instead of BFD.
%patch102 -p1 %patch102 -p1
%patch103 -p1 %patch103 -p1
%patch104 -p1 %patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
# We cannot run autotools as there is an exact requirement of autoconf-2.59. # We cannot run autotools as there is an exact requirement of autoconf-2.59.
# FIXME - this is no longer true. Maybe try reinstating autotool use ? # FIXME - this is no longer true. Maybe try reinstating autotool use ?
@ -1328,6 +1354,9 @@ exit 0
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
%changelog %changelog
* Tue Oct 29 2024 Nick Clifton <nickc@redhat.com> - 2.30-124
- Fix illegal memory accesses when parsing corrupt a.out format files. (RHEL-64927)
* Tue Jul 25 2023 Nick Clifton <nickc@redhat.com> - 2.30-123 * Tue Jul 25 2023 Nick Clifton <nickc@redhat.com> - 2.30-123
- Extend support for DWARF-5 offset tables as generated by Clang++. (#2222697) - Extend support for DWARF-5 offset tables as generated by Clang++. (#2222697)