meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

From 1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Mon, 25 Sep 2017 20:20:38 +0930
Subject: [PATCH] PR22202, buffer overflow in parse_die

There was a complete lack of sanity checking in dwarf1.c

	PR 22202
	* dwarf1.c (parse_die): Sanity check pointer against section limit
	before dereferencing.
	(parse_line_table): Likewise.

Upstream-Status: Backport
Affects: <= 2.30
CVE: CVE-2018-7568 patch1
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 bfd/ChangeLog |  7 +++++++
 bfd/dwarf1.c  | 56 ++++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 45 insertions(+), 18 deletions(-)

Index: git/bfd/dwarf1.c
===================================================================
--- git.orig/bfd/dwarf1.c
+++ git/bfd/dwarf1.c
@@ -189,11 +189,14 @@ parse_die (bfd *             abfd,
   memset (aDieInfo, 0, sizeof (* aDieInfo));
 
   /* First comes the length.  */
-  aDieInfo->length = bfd_get_32 (abfd, (bfd_byte *) xptr);
+  if (xptr + 4 > aDiePtrEnd)
+    return FALSE;
+  aDieInfo->length = bfd_get_32 (abfd, xptr);
   xptr += 4;
   if (aDieInfo->length == 0
-      || (this_die + aDieInfo->length) >= aDiePtrEnd)
+      || this_die + aDieInfo->length > aDiePtrEnd)
     return FALSE;
+  aDiePtrEnd = this_die + aDieInfo->length;
   if (aDieInfo->length < 6)
     {
       /* Just padding bytes.  */
@@ -202,18 +205,20 @@ parse_die (bfd *             abfd,
     }
 
   /* Then the tag.  */
-  aDieInfo->tag = bfd_get_16 (abfd, (bfd_byte *) xptr);
+  if (xptr + 2 > aDiePtrEnd)
+    return FALSE;
+  aDieInfo->tag = bfd_get_16 (abfd, xptr);
   xptr += 2;
 
   /* Then the attributes.  */
-  while (xptr < (this_die + aDieInfo->length))
+  while (xptr + 2 <= aDiePtrEnd)
     {
       unsigned short attr;
 
       /* Parse the attribute based on its form.  This section
          must handle all dwarf1 forms, but need only handle the
 	 actual attributes that we care about.  */
-      attr = bfd_get_16 (abfd, (bfd_byte *) xptr);
+      attr = bfd_get_16 (abfd, xptr);
       xptr += 2;
 
       switch (FORM_FROM_ATTR (attr))
@@ -223,12 +228,15 @@ parse_die (bfd *             abfd,
 	  break;
 	case FORM_DATA4:
 	case FORM_REF:
-	  if (attr == AT_sibling)
-	    aDieInfo->sibling = bfd_get_32 (abfd, (bfd_byte *) xptr);
-	  else if (attr == AT_stmt_list)
+	  if (xptr + 4 <= aDiePtrEnd)
 	    {
-	      aDieInfo->stmt_list_offset = bfd_get_32 (abfd, (bfd_byte *) xptr);
-	      aDieInfo->has_stmt_list = 1;
+	      if (attr == AT_sibling)
+		aDieInfo->sibling = bfd_get_32 (abfd, xptr);
+	      else if (attr == AT_stmt_list)
+		{
+		  aDieInfo->stmt_list_offset = bfd_get_32 (abfd, xptr);
+		  aDieInfo->has_stmt_list = 1;
+		}
 	    }
 	  xptr += 4;
 	  break;
@@ -236,22 +244,29 @@ parse_die (bfd *             abfd,
 	  xptr += 8;
 	  break;
 	case FORM_ADDR:
-	  if (attr == AT_low_pc)
-	    aDieInfo->low_pc = bfd_get_32 (abfd, (bfd_byte *) xptr);
-	  else if (attr == AT_high_pc)
-	    aDieInfo->high_pc = bfd_get_32 (abfd, (bfd_byte *) xptr);
+	  if (xptr + 4 <= aDiePtrEnd)
+	    {
+	      if (attr == AT_low_pc)
+		aDieInfo->low_pc = bfd_get_32 (abfd, xptr);
+	      else if (attr == AT_high_pc)
+		aDieInfo->high_pc = bfd_get_32 (abfd, xptr);
+	    }
 	  xptr += 4;
 	  break;
 	case FORM_BLOCK2:
-	  xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr);
+	  if (xptr + 2 <= aDiePtrEnd)
+	    xptr += bfd_get_16 (abfd, xptr);
+	  xptr += 2;
 	  break;
 	case FORM_BLOCK4:
-	  xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr);
+	  if (xptr + 4 <= aDiePtrEnd)
+	    xptr += bfd_get_32 (abfd, xptr);
+	  xptr += 4;
 	  break;
 	case FORM_STRING:
 	  if (attr == AT_name)
 	    aDieInfo->name = (char *) xptr;
-	  xptr += strlen ((char *) xptr) + 1;
+	  xptr += strnlen ((char *) xptr, aDiePtrEnd - xptr) + 1;
 	  break;
 	}
     }
@@ -290,7 +305,7 @@ parse_line_table (struct dwarf1_debug* s
     }
 
   xptr = stash->line_section + aUnit->stmt_list_offset;
-  if (xptr < stash->line_section_end)
+  if (xptr + 8 <= stash->line_section_end)
     {
       unsigned long eachLine;
       bfd_byte *tblend;
@@ -318,6 +333,11 @@ parse_line_table (struct dwarf1_debug* s
 
       for (eachLine = 0; eachLine < aUnit->line_count; eachLine++)
 	{
+	  if (xptr + 10 > stash->line_section_end)
+	    {
+	      aUnit->line_count = eachLine;
+	      break;
+	    }
 	  /* A line number.  */
 	  aUnit->linenumber_table[eachLine].linenumber
 	    = bfd_get_32 (stash->abfd, (bfd_byte *) xptr);
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,3 +1,10 @@
+2017-09-25  Alan Modra  <amodra@gmail.com>
+
+       PR 22202
+       * dwarf1.c (parse_die): Sanity check pointer against section limit
+       before dereferencing.
+       (parse_line_table): Likewise.
+
 2018-01-29  Alan Modra  <amodra@gmail.com>
 
        PR 22741