1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
From: Mingi Cho <mgcho.minic@gmail.com>
Date: Thu, 2 Nov 2017 17:01:08 +0000
Subject: [PATCH] Work around integer overflows when readelf is checking for
corrupt ELF notes when run on a 32-bit host.
PR 22384
* readelf.c (print_gnu_property_note): Improve overflow checks so
that they will work on a 32-bit host.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-16830
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
binutils/ChangeLog | 6 ++++++
binutils/readelf.c | 33 +++++++++++++++++----------------
2 files changed, 23 insertions(+), 16 deletions(-)
Index: git/binutils/readelf.c
===================================================================
--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No
return;
}
- while (1)
+ while (ptr < ptr_end)
{
unsigned int j;
- unsigned int type = byte_get (ptr, 4);
- unsigned int datasz = byte_get (ptr + 4, 4);
+ unsigned int type;
+ unsigned int datasz;
+
+ if ((size_t) (ptr_end - ptr) < 8)
+ {
+ printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+ break;
+ }
+
+ type = byte_get (ptr, 4);
+ datasz = byte_get (ptr + 4, 4);
ptr += 8;
- if ((ptr + datasz) > ptr_end)
+ if (datasz > (size_t) (ptr_end - ptr))
{
printf (_("<corrupt type (%#x) datasz: %#x>\n"),
type, datasz);
@@ -16520,19 +16529,11 @@ next:
ptr += ((datasz + (size - 1)) & ~ (size - 1));
if (ptr == ptr_end)
break;
- else
- {
- if (do_wide)
- printf (", ");
- else
- printf ("\n\t");
- }
- if (ptr > (ptr_end - 8))
- {
- printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
- break;
- }
+ if (do_wide)
+ printf (", ");
+ else
+ printf ("\n\t");
}
printf ("\n");
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02 Mingi Cho <mgcho.minic@gmail.com>
+
+ PR 22384
+ * readelf.c (print_gnu_property_note): Improve overflow checks so
+ that they will work on a 32-bit host.
+
2017-10-05 Alan Modra <amodra@gmail.com>
PR 22239
|