From bae7501e87ab614115d9d3213b4dd18d96e604db Mon Sep 17 00:00:00 2001 From: Alan Modra Date: Sat, 1 Jul 2017 21:58:10 +0930 Subject: [PATCH] Use bfd_malloc_and_get_section It's nicer than xmalloc followed by bfd_get_section_contents, since xmalloc exits on failure and needs a check that its size_t arg doesn't lose high bits when converted from bfd_size_type. PR binutils/21665 * objdump.c (strtab): Make var a bfd_byte*. (disassemble_section): Don't limit malloc size. Instead, use bfd_malloc_and_get_section. (read_section_stabs): Use bfd_malloc_and_get_section. Return bfd_byte*. (find_stabs_section): Remove now unnecessary cast. * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free contents on error return. * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section. Upstream-Status: Backport CVE: CVE-2017-9955 #8 Signed-off-by: Armin Kuster --- binutils/ChangeLog | 13 +++++++++++++ binutils/nlmconv.c | 6 ++---- binutils/objcopy.c | 5 +++-- binutils/objdump.c | 44 +++++++------------------------------------- 4 files changed, 25 insertions(+), 43 deletions(-) Index: git/binutils/ChangeLog =================================================================== --- git.orig/binutils/ChangeLog +++ git/binutils/ChangeLog @@ -1,3 +1,16 @@ +2017-07-01 Alan Modra + + PR binutils/21665 + * objdump.c (strtab): Make var a bfd_byte*. + (disassemble_section): Don't limit malloc size. Instead, use + bfd_malloc_and_get_section. + (read_section_stabs): Use bfd_malloc_and_get_section. Return + bfd_byte*. + (find_stabs_section): Remove now unnecessary cast. + * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free + contents on error return. + * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section. + 2017-06-30 Nick Clifton PR binutils/21665 Index: git/binutils/nlmconv.c =================================================================== --- git.orig/binutils/nlmconv.c +++ git/binutils/nlmconv.c @@ -1224,7 +1224,7 @@ copy_sections (bfd *inbfd, asection *ins const char *inname; asection *outsec; bfd_size_type size; - void *contents; + bfd_byte *contents; long reloc_size; bfd_byte buf[4]; bfd_size_type add; @@ -1240,9 +1240,7 @@ copy_sections (bfd *inbfd, asection *ins contents = NULL; else { - contents = xmalloc (size); - if (! bfd_get_section_contents (inbfd, insec, contents, - (file_ptr) 0, size)) + if (!bfd_malloc_and_get_section (inbfd, insec, &contents)) bfd_fatal (bfd_get_filename (inbfd)); } Index: git/binutils/objdump.c =================================================================== --- git.orig/binutils/objdump.c +++ git/binutils/objdump.c @@ -180,7 +180,7 @@ static long dynsymcount = 0; static bfd_byte *stabs; static bfd_size_type stab_size; -static char *strtab; +static bfd_byte *strtab; static bfd_size_type stabstr_size; static bfd_boolean is_relocatable = FALSE; @@ -2112,29 +2112,6 @@ disassemble_section (bfd *abfd, asection } rel_ppend = rel_pp + rel_count; - /* PR 21665: Check for overlarge datasizes. - Note - we used to check for "datasize > bfd_get_file_size (abfd)" but - this fails when using compressed sections or compressed file formats - (eg MMO, tekhex). - - The call to xmalloc below will fail if too much memory is requested, - which will catch the problem in the normal use case. But if a memory - checker is in use, eg valgrind or sanitize, then an exception will - be still generated, so we try to catch the problem first. - - Unfortunately there is no simple way to determine how much memory can - be allocated by calling xmalloc. So instead we use a simple, arbitrary - limit of 2Gb. Hopefully this should be enough for most users. If - someone does start trying to disassemble sections larger then 2Gb in - size they will doubtless complain and we can increase the limit. */ -#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */ - if (datasize > MAX_XMALLOC) - { - non_fatal (_("Reading section %s failed because it is too big (%#lx)"), - section->name, (unsigned long) datasize); - return; - } - data = (bfd_byte *) xmalloc (datasize); bfd_get_section_contents (abfd, section, data, 0, datasize); @@ -2652,12 +2629,11 @@ dump_dwarf (bfd *abfd) /* Read ABFD's stabs section STABSECT_NAME, and return a pointer to it. Return NULL on failure. */ -static char * +static bfd_byte * read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr) { asection *stabsect; - bfd_size_type size; - char *contents; + bfd_byte *contents; stabsect = bfd_get_section_by_name (abfd, sect_name); if (stabsect == NULL) @@ -2666,10 +2642,7 @@ read_section_stabs (bfd *abfd, const cha return FALSE; } - size = bfd_section_size (abfd, stabsect); - contents = (char *) xmalloc (size); - - if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size)) + if (!bfd_malloc_and_get_section (abfd, stabsect, &contents)) { non_fatal (_("reading %s section of %s failed: %s"), sect_name, bfd_get_filename (abfd), @@ -2679,7 +2652,7 @@ read_section_stabs (bfd *abfd, const cha return NULL; } - *size_ptr = size; + *size_ptr = bfd_section_size (abfd, stabsect); return contents; } @@ -2806,8 +2779,7 @@ find_stabs_section (bfd *abfd, asection if (strtab) { - stabs = (bfd_byte *) read_section_stabs (abfd, section->name, - &stab_size); + stabs = read_section_stabs (abfd, section->name, &stab_size); if (stabs) print_section_stabs (abfd, section->name, &sought->string_offset); } Index: git/binutils/objcopy.c =================================================================== --- git.orig/binutils/objcopy.c +++ git/binutils/objcopy.c @@ -2186,14 +2186,15 @@ copy_object (bfd *ibfd, bfd *obfd, const continue; } - bfd_byte * contents = xmalloc (size); - if (bfd_get_section_contents (ibfd, sec, contents, 0, size)) + bfd_byte *contents; + if (bfd_malloc_and_get_section (ibfd, sec, &contents)) { if (fwrite (contents, 1, size, f) != size) { non_fatal (_("error writing section contents to %s (error: %s)"), pdump->filename, strerror (errno)); + free (contents); return FALSE; } }