1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 5 Oct 2017 17:32:18 +1030
Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
Pointer comparisons have traps for the unwary. After adding a large
unknown value to "start", the test "start < end" depends on where
"start" is originally in memory.
PR 22239
* dwarf.c (read_cie): Don't compare "start" and "end" pointers
after adding a possibly wild length to "start", compare the length
to the difference of the pointers instead. Remove now redundant
"negative" length test.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-16828 patch1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
binutils/ChangeLog | 8 ++++++++
binutils/dwarf.c | 15 ++++-----------
2 files changed, 12 insertions(+), 11 deletions(-)
Index: git/binutils/dwarf.c
===================================================================
--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
{
READ_ULEB (augmentation_data_len);
augmentation_data = start;
- start += augmentation_data_len;
/* PR 17512: file: 11042-2589-0.004. */
- if (start > end)
+ if (augmentation_data_len > (size_t) (end - start))
{
warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
- augmentation_data_len, (long)((end - start) + augmentation_data_len));
+ augmentation_data_len, (unsigned long) (end - start));
return end;
}
+ start += augmentation_data_len;
}
if (augmentation_data_len)
@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
q = augmentation_data;
qend = q + augmentation_data_len;
- /* PR 17531: file: 015adfaa. */
- if (qend < q)
- {
- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
- augmentation_data_len = 0;
- }
-
- while (p < end && q < augmentation_data + augmentation_data_len)
+ while (p < end && q < qend)
{
if (*p == 'L')
q++;
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2017-10-05 Alan Modra <amodra@gmail.com>
+
+ PR 22239
+ * dwarf.c (read_cie): Don't compare "start" and "end" pointers
+ after adding a possibly wild length to "start", compare the length
+ to the difference of the pointers instead. Remove now redundant
+ "negative" length test.
+
2017-09-27 Nick Clifton <nickc@redhat.com>
PR 22219
|
