Fix an illegal memory access when parsing a corrupt ELF file. Fix excessive memory consumption parsing corrupt DWARF information. Rebase to GNU Binutils 2.35.2.
Resolves: #1947966
parent
fd8acae164
commit
219401fce8
1
.gitignore
vendored
1
.gitignore
vendored
@ -65,3 +65,4 @@ stamp-*
|
||||
/binutils-2.19.50.0.1-output-format.sed
|
||||
/binutils-2.35.tar.xz
|
||||
/binutils-2.35.1.tar.xz
|
||||
/binutils-2.35.2.tar.xz
|
||||
|
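--- /dev/null
+++ b/binutils-CVE-2020-35448.patch
@@ -0,0 +1,53 @@
+diff -rup binutils.orig/bfd/elf.c binutils-2.35/bfd/elf.c
+--- binutils.orig/bfd/elf.c 2021-04-19 10:49:21.757290990 +0100
++++ binutils-2.35/bfd/elf.c 2021-04-19 10:50:28.309839285 +0100
+@@ -12534,7 +12534,9 @@ _bfd_elf_slurp_secondary_reloc_section (
+Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
+
+if (hdr->sh_type == SHT_SECONDARY_RELOC
+- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
++ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
++ && (hdr->sh_entsize == ebd->s->sizeof_rel
++ || hdr->sh_entsize == ebd->s->sizeof_rela))
+{
+bfd_byte * native_relocs;
+bfd_byte * native_reloc;
+diff -rup binutils.orig/bfd/elfcode.h binutils-2.35/bfd/elfcode.h
+--- binutils.orig/bfd/elfcode.h 2021-04-19 10:49:21.767290922 +0100
++++ binutils-2.35/bfd/elfcode.h 2021-04-19 10:52:22.196066303 +0100
+@@ -568,7 +568,7 @@ elf_object_p (bfd *abfd)
+
+/* If this is a relocatable file and there is no section header
+table, then we're hosed. */
+- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
+goto got_wrong_format_error;
+
+/* As a simple sanity check, verify that what BFD thinks is the
+@@ -578,7 +578,7 @@ elf_object_p (bfd *abfd)
+goto got_wrong_format_error;
+
+/* Further sanity check. */
+- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
+goto got_wrong_format_error;
+
+ebd = get_elf_backend_data (abfd);
+@@ -615,7 +615,7 @@ elf_object_p (bfd *abfd)
+&& ebd->elf_osabi != ELFOSABI_NONE)
+goto got_wrong_format_error;
+
+- if (i_ehdrp->e_shoff != 0)
++ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
+{
+file_ptr where = (file_ptr) i_ehdrp->e_shoff;
+
+@@ -807,7 +807,7 @@ elf_object_p (bfd *abfd)
+}
+}
+
+- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
++ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
+{
+unsigned int num_sec;
+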
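Review bot: In the first bfd/elfcode.h hunk the comment still says "there is no section header table", but the new test `e_shoff < sizeof (x_ehdr)` also rejects an offset that lands inside the ELF header, so the comment no longer describes the condition. I would reword it along the lines of `/* If this is a relocatable file and the section header table is missing or overlaps the ELF header, then we're hosed.  */`. The two later hunks (`e_shoff >= sizeof (x_ehdr)`) let a non-relocatable file with `e_shnum == 0` and a small non-zero `e_shoff` load as if it had no section headers; that looks deliberate, but a one-line comment there saying so would help the next reader. elf_object_p starts and ends outside these hunks, so whether e_shoff is also bounded against the file size cannot be seen here.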
@ -1019,40 +1019,6 @@ diff -rup binutils.orig/binutils/objcopy.c binutils-2.35.1/binutils/objcopy.c
|
||||
unlink_if_ordinary (tmpname);
|
||||
}
|
||||
|
||||
@@ -5961,26 +5949,13 @@ copy_main (int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- if (strip_specific_buffer)
|
||||
- free (strip_specific_buffer);
|
||||
-
|
||||
- if (strip_unneeded_buffer)
|
||||
- free (strip_unneeded_buffer);
|
||||
-
|
||||
- if (keep_specific_buffer)
|
||||
- free (keep_specific_buffer);
|
||||
-
|
||||
- if (localize_specific_buffer)
|
||||
- free (globalize_specific_buffer);
|
||||
-
|
||||
- if (globalize_specific_buffer)
|
||||
- free (globalize_specific_buffer);
|
||||
-
|
||||
- if (keepglobal_specific_buffer)
|
||||
- free (keepglobal_specific_buffer);
|
||||
-
|
||||
- if (weaken_specific_buffer)
|
||||
- free (weaken_specific_buffer);
|
||||
+ free (strip_specific_buffer);
|
||||
+ free (strip_unneeded_buffer);
|
||||
+ free (keep_specific_buffer);
|
||||
+ free (localize_specific_buffer);
|
||||
+ free (globalize_specific_buffer);
|
||||
+ free (keepglobal_specific_buffer);
|
||||
+ free (weaken_specific_buffer);
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff -rup binutils.orig/binutils/rename.c binutils-2.35.1/binutils/rename.c
|
||||
--- binutils.orig/binutils/rename.c 2021-03-11 12:38:18.183422774 +0000
|
||||
+++ binutils-2.35.1/binutils/rename.c 2021-03-11 12:41:41.824081969 +0000
|
||||
|
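--- /dev/null
+++ b/binutils-CVE-2021-3487.patch
@@ -0,0 +1,34 @@
+--- binutils.orig/bfd/dwarf2.c 2021-04-09 16:59:18.345187116 +0100
++++ binutils-2.35/bfd/dwarf2.c 2021-04-09 17:02:03.614064723 +0100
+@@ -539,6 +539,8 @@ read_section (bfd * abfd,
+/* The section may have already been read. */
+if (contents == NULL)
+{
++ ufile_ptr filesize;
++
+msec = bfd_get_section_by_name (abfd, section_name);
+if (! msec)
+{
+@@ -554,10 +556,20 @@ read_section (bfd * abfd,
+return FALSE;
+}
+
+- *section_size = msec->rawsize ? msec->rawsize : msec->size;
++ amt = bfd_get_section_limit_octets (abfd, msec);
++ filesize = bfd_get_file_size (abfd);
++ if (amt >= filesize)
++ {
++ /* PR 26946 */
++ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++ section_name, (long) amt, (long) filesize);
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++ *section_size = amt;
+/* Paranoia - alloc one extra so that we can make sure a string
+section is NUL terminated. */
+- amt = *section_size + 1;
++ amt += 1;
+if (amt == 0)
+{
+bfd_set_error (bfd_error_no_memory);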
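Review bot: The new guard `if (amt >= filesize)` in read_section does not account for a zero result from bfd_get_file_size; as far as I know that call returns 0 when the size cannot be determined, in which case every DWARF section would be rejected. Consider `if (filesize != 0 && amt >= filesize)`. A compressed debug section may also legitimately expand past the on-disk file size, so it is worth confirming that bfd_get_section_limit_octets (not visible here) yields the on-disk size for such sections, otherwise valid input is refused. The diagnostic casts both values to `(long)` for `%lx`; `(unsigned long)` would match the specifier. read_section starts and ends outside the hunk.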
@ -1,19 +1,3 @@
|
||||
--- binutils.orig/gas/testsuite/gas/lns/lns-diag-1.l 2021-01-25 13:10:10.179338559 +0000
|
||||
+++ binutils-2.35.1/gas/testsuite/gas/lns/lns-diag-1.l 2021-01-25 13:18:04.697963105 +0000
|
||||
@@ -1,5 +1,4 @@
|
||||
.*: Assembler messages:
|
||||
-.*:2: Error: file number less than one
|
||||
.*:3: Error: missing string
|
||||
.*:4: Error: file table slot 1 is already occupied.*
|
||||
.*:8: Error: unassigned file number 3
|
||||
@@ -9,7 +8,6 @@
|
||||
.*:19: Error: bad or irreducible absolute expression
|
||||
.*:23: Error: isa number less than zero
|
||||
.*:26: Error: bad or irreducible absolute expression
|
||||
-.*:26: Error: file number less than one
|
||||
.*:27: Error: bad or irreducible absolute expression
|
||||
.*:28: Error: unknown .loc sub-directive `frobnitz'
|
||||
.*:29: Error: unknown .loc sub-directive `frobnitz'
|
||||
diff -rup binutils.orig/ld/testsuite/ld-plugin/lto.exp binutils-2.35.1/ld/testsuite/ld-plugin/lto.exp
|
||||
--- binutils.orig/ld/testsuite/ld-plugin/lto.exp 2021-01-25 13:10:09.919340409 +0000
|
||||
+++ binutils-2.35.1/ld/testsuite/ld-plugin/lto.exp 2021-01-25 13:45:30.991238686 +0000
|
||||
|
@ -38,8 +38,8 @@
|
||||
|
||||
Summary: A GNU collection of binary utilities
|
||||
Name: binutils%{?name_cross}%{?_with_debug:-debug}
|
||||
Version: 2.35.1
|
||||
Release: 43%{?dist}
|
||||
Version: 2.35.2
|
||||
Release: 1%{?dist}
|
||||
License: GPLv3+
|
||||
URL: https://sourceware.org/binutils
|
||||
|
||||
@ -154,8 +154,6 @@ Source2: binutils-2.19.50.0.1-output-format.sed
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
Patch00: binutils-2.35.1-update.patch
|
||||
|
||||
# Purpose: Use /lib64 and /usr/lib64 instead of /lib and /usr/lib in the
|
||||
# default library search path of 64-bit targets.
|
||||
# Lifetime: Permanent, but it should not be. This is a bug in the libtool
|
||||
@ -312,56 +310,56 @@ Patch29: binutils-duplicate-sections.patch
|
||||
# Lifetime: Permanent.
|
||||
Patch30: binutils-use-long-long.patch
|
||||
|
||||
# Purpose: Have the assembler automatically detect the use of DWARF-5
|
||||
# file numbers, and enable DWARF-5 support.
|
||||
# Lifetime: Fixed in 2.36.
|
||||
Patch31: binutils-gas-auto-dwarf-5.patch
|
||||
|
||||
# Purpose: Update the GOLD linker to support x86 .note.gnu.property sections.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch32: binutils-gold-gnu-properties.patch
|
||||
|
||||
# Purpose: Update the BFD library to handle DWARF-5 line number ranges.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch33: binutils-DWARF-5-line-number-parsing.patch
|
||||
Patch31: binutils-gold-gnu-properties.patch
|
||||
|
||||
# Purpose: Fix FAIL results in gas and ld testsuites.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch34: binutils-testsuite-failures.patch
|
||||
Patch32: binutils-testsuite-failures.patch
|
||||
|
||||
# Purpose: Remove a vulnerability in the smart_rename function.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch35: binutils-CVE-2021-20197.patch
|
||||
Patch33: binutils-CVE-2021-20197.patch
|
||||
|
||||
# Purpose: Add DWARF-5 sections to linker scripts.
|
||||
# Lifetime: Fixed in 2.37
|
||||
Patch36: binutils-ld-DWARF-5-sections.patch
|
||||
Patch34: binutils-ld-DWARF-5-sections.patch
|
||||
|
||||
# Purpose: Add support for Z instruction set extensions to the s390x
|
||||
# architecture.
|
||||
# Lifetime: Fixed in 2.37
|
||||
Patch37: binutils-s390-arch14-insns.patch
|
||||
Patch35: binutils-s390-arch14-insns.patch
|
||||
|
||||
# Purpose: Fix merging empty ppc64le notes.
|
||||
# Lifetime: Fixed in 2.37
|
||||
Patch38: binutils-ppc64le-note-merge.patch
|
||||
Patch36: binutils-ppc64le-note-merge.patch
|
||||
|
||||
# Purpose: Stop readelf from warning about gaps in build notes.
|
||||
# Lifetime: Fixed in 2.37 ?
|
||||
Patch39: binutils-readelf-no-warn-gaps.patch
|
||||
Patch37: binutils-readelf-no-warn-gaps.patch
|
||||
|
||||
# Purpose: Stop readelf from complaining about an unexpected form 20.
|
||||
# Lifetime: Fixed in 2.37
|
||||
Patch40: binutils-unexpected-form-20.patch
|
||||
Patch38: binutils-unexpected-form-20.patch
|
||||
|
||||
# Purpose: Prevent an illegal memory access when reading relocations
|
||||
# for secondary reloc sections.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch41: binutils-CVE-2021-20284.patch
|
||||
Patch39: binutils-CVE-2021-20284.patch
|
||||
|
||||
# Purpose: Bring in some bug fixes for Z14 support.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch42: binutils-extend-s390-arch14-support.patch
|
||||
Patch40: binutils-extend-s390-arch14-support.patch
|
||||
|
||||
# Purpose: Fix excessive memory consumption when attempting to parse corrupt
|
||||
# DWARF debug information.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch41: binutils-CVE-2021-3487.patch
|
||||
|
||||
# Purpose: Fix illegal memory access when parsing corrupt ELF files.
|
||||
# Lifetime: Fixed in 2.36
|
||||
Patch42: binutils-CVE-2020-35448.patch
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
@ -948,6 +946,14 @@ exit 0
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
%changelog
|
||||
* Fri Apr 23 2021 Nick Clifton <nickc@redhat.com> - 2.35.2-1
|
||||
- Fix an illegal memory access when parsing a corrupt ELF file. (#1950481)
|
||||
- Fix excessive memory consumption parsing corrupt DWARF information. (#1947969)
|
||||
- Rebase to GNU Binutils 2.35.2.
|
||||
- Retire: binutils-2.35.1-update.patch
|
||||
- Retire: binutils-gas-auto-dwarf-5.patch
|
||||
- Retire: binutils-DWARF-5-line-number-parsing.patch
|
||||
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.35.1-43
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (binutils-2.35.1.tar.xz) = 94ff72708403413b70b247f3af4099ebaa882b6659249869f1ed9941a0f1912e313f08357d470f9fd2359e7f5e5b0eb86285e5eaf883fa8187789d6b1bd304eb
|
||||
SHA512 (binutils-2.35.2.tar.xz) = 9974ede5978d32e0d68fef23da48fa00bd06b0bff7ec45b00ca075c126d6bbe0cf2defc03ecc3f17bc6cc85b64271a13009c4049d7ba17de26e84e3a6e2c0348
|
||||
SHA512 (binutils-2.19.50.0.1-output-format.sed) = 2f8686b0c8af13c98cda056824c2820416f6e2d003f70b78ccf5314525b9ee3684d421dfa83e638a2d42d06ea4d4bdaf5226b64d6ec26f7ff59c44ffb2a23dd2
|
||||
|