From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
From: Mingi Cho
Date: Thu, 2 Nov 2017 17:01:08 +0000
Subject: [PATCH] Work around integer overflows when readelf is checking for corrupt ELF notes when run on a 32-bit host.

	PR 22384
	* readelf.c (print_gnu_property_note): Improve overflow checks so
	that they will work on a 32-bit host.

Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-16830
Signed-off-by: Armin Kuster
---
 binutils/ChangeLog | 6 ++++++
 binutils/readelf.c | 33 +++++++++++++++++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)

Index: git/binutils/readelf.c
===================================================================
--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No
       return;
     }
 
-  while (1)
+  while (ptr < ptr_end)
     {
       unsigned int j;
-      unsigned int type = byte_get (ptr, 4);
-      unsigned int datasz = byte_get (ptr + 4, 4);
+      unsigned int type;
+      unsigned int datasz;
+
+      if ((size_t) (ptr_end - ptr) < 8)
+        {
+          printf (_("\n"), pnote->descsz);
+          break;
+        }
+
+      type = byte_get (ptr, 4);
+      datasz = byte_get (ptr + 4, 4);
 
       ptr += 8;
-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
         {
           printf (_("\n"), type, datasz);
@@ -16520,19 +16529,11 @@ next:
       ptr += ((datasz + (size - 1)) & ~ (size - 1));
       if (ptr == ptr_end)
         break;
-      else
-        {
-          if (do_wide)
-            printf (", ");
-          else
-            printf ("\n\t");
-        }
 
-      if (ptr > (ptr_end - 8))
-        {
-          printf (_("\n"), pnote->descsz);
-          break;
-        }
+      if (do_wide)
+        printf (", ");
+      else
+        printf ("\n\t");
     }
 
   printf ("\n");
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02  Mingi Cho
+
+	PR 22384
+	* readelf.c (print_gnu_property_note): Improve overflow checks so
+	that they will work on a 32-bit host.
+
 2017-10-05  Alan Modra
 
 	PR 22239
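Review bot: The new length-based guards `if ((size_t) (ptr_end - ptr) < 8)` and `if (datasz > (size_t) (ptr_end - ptr))` carry no comment saying why the comparison was turned around, so a later cleanup could fold them back into the `ptr + datasz > ptr_end` form this commit removes. I would add, just above `while (ptr < ptr_end)`: `/* Compare the remaining length, never ptr + datasz: that addition can wrap on a 32-bit host and the wrapped pointer passes a pointer-based bounds test (PR 22384).  */`. The loop body and the corrupt-datasz branch both continue past the end of this hunk.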
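Review bot: In the second readelf.c hunk, `if (ptr == ptr_end) break;` right after the round-up `ptr += ((datasz + (size - 1)) & ~ (size - 1));` only catches an exact landing: when the last property's datasz is not a multiple of `size` and the descriptor carries no trailing padding, ptr steps past ptr_end, the `==` test misses, a `", "` or `"\n\t"` separator is still printed, and the loop ends only through the new `while (ptr < ptr_end)` condition, leaving a dangling separator and a pointer computed beyond the end of the descriptor. Changing the test to `if (ptr >= ptr_end) break;` covers both the exact and the overshoot case. If the corrupt-datasz branch earlier in the function reaches `next:` rather than breaking (that line sits between the two hunks and is not visible here), the `>=` form also terminates the loop there without printing a separator first. `size` is assigned outside the hunk; presumably it is the property alignment for the ELF class — worth confirming.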