rpms/binutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Stop stack exhaustion when demangling corrupt rust names.

Browse Source 
Resolves: #1956424
This commit is contained in:
Nick Clifton 2021-05-07 17:42:52 +01:00
parent 4594b7d025
commit 2c147eaf06
2 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
binutils-CVE-2021-3530.patch Normal file
View File

@ -0,0 +1,69 @@
--- binutils.orig/libiberty/rust-demangle.c 2021-05-07 17:13:43.762229783 +0100
+++ binutils-2.36.1/libiberty/rust-demangle.c 2021-05-07 17:14:39.805820593 +0100
@@ -74,6 +74,12 @@ struct rust_demangler
/* Rust mangling version, with legacy mangling being -1. */
int version;
+ /* Recursion depth. */
+ uint recursion;
+ /* Maximum number of times demangle_path may be called recursively. */
+#define RUST_MAX_RECURSION_COUNT 1024
+#define RUST_NO_RECURSION_LIMIT ((uint) -1)
+
uint64_t bound_lifetime_depth;
};
@@ -671,6 +677,15 @@ demangle_path (struct rust_demangler *rd
if (rdm->errored)
return;
+ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
+ {
+ ++ rdm->recursion;
+ if (rdm->recursion > RUST_MAX_RECURSION_COUNT)
+ /* FIXME: There ought to be a way to report
+ that the recursion limit has been reached. */
+ goto fail_return;
+ }
+
switch (tag = next (rdm))
{
case 'C':
@@ -688,10 +703,7 @@ demangle_path (struct rust_demangler *rd
case 'N':
ns = next (rdm);
if (!ISLOWER (ns) && !ISUPPER (ns))
- {
- rdm->errored = 1;
- return;
- }
+ goto fail_return;
demangle_path (rdm, in_value);
@@ -776,9 +788,15 @@ demangle_path (struct rust_demangler *rd
}
break;
default:
- rdm->errored = 1;
- return;
+ goto fail_return;
}
+ goto pass_return;
+
+ fail_return:
+ rdm->errored = 1;
+ pass_return:
+ if (rdm->recursion != RUST_NO_RECURSION_LIMIT)
+ -- rdm->recursion;
}
static void
@@ -1317,6 +1335,7 @@ rust_demangle_callback (const char *mang
rdm.skipping_printing = 0;
rdm.verbose = (options & DMGL_VERBOSE) != 0;
rdm.version = 0;
+ rdm.recursion = (options & DMGL_NO_RECURSE_LIMIT) ? RUST_NO_RECURSION_LIMIT : 0;
rdm.bound_lifetime_depth = 0;
/* Rust symbols always start with _R (v0) or _ZN (legacy). */

9
binutils.spec
View File

@ -39,7 +39,7 @@
Summary: A GNU collection of binary utilities Summary: A GNU collection of binary utilities
Name: binutils%{?name_cross}%{?_with_debug:-debug} Name: binutils%{?name_cross}%{?_with_debug:-debug}
Version: 2.36.1 Version: 2.36.1
Release: 8%{?dist} Release: 9%{?dist}
License: GPLv3+ License: GPLv3+
URL: https://sourceware.org/binutils URL: https://sourceware.org/binutils
@ -273,6 +273,10 @@ Patch19: binutils-s390-arch14-insns.patch
# Lifetime: Fixed in 2.37 # Lifetime: Fixed in 2.37
Patch20: binutils-CVE-2021-20197.patch Patch20: binutils-CVE-2021-20197.patch
# Purpose: Avoid stack exhaustion whilst demangling rust names
# Lifetime: Fixed in 2.37
Patch21: binutils-CVE-2021-3530.patch
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
Provides: bundled(libiberty) Provides: bundled(libiberty)
@ -858,6 +862,9 @@ exit 0
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
%changelog %changelog
* Fri May 07 2021 Nick Clifton <nickc@redhat.com> - 2.36.1-9
- Fix stack exhaustion in the rust demangler. (#1956424)
* Thu Mar 25 2021 Nick Clifton <nickc@redhat.com> - 2.36.1-8 * Thu Mar 25 2021 Nick Clifton <nickc@redhat.com> - 2.36.1-8
- Add an explicit dependency upon autoconf 2.69. (#1942991) - Add an explicit dependency upon autoconf 2.69. (#1942991)