mirror of
https://git.yoctoproject.org/poky
synced 2026-02-25 19:09:41 +01:00
416eef4a07
drop changes to changelog file in the patch so it can be backport. (From OE-Core rev: c955d1fc332b8c0a931ffa4a068844981406ae8a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
84 lines
2.4 KiB
Diff
84 lines
2.4 KiB
Diff
From 647cebce12a6b0a26960220caff96ff38978cf24 Mon Sep 17 00:00:00 2001
|
|
From: Nick Clifton <nickc@redhat.com>
|
|
Date: Thu, 26 Nov 2020 17:08:33 +0000
|
|
Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
|
|
DWARF debug sections.
|
|
|
|
PR 26946
|
|
* dwarf2.c (read_section): Check for debug sections with excessive
|
|
sizes.
|
|
|
|
|
|
Upstream-Status: Backport [
|
|
https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=647cebce12a6b0a26960220caff96ff38978cf24
|
|
]
|
|
CVE: CVE-2021-3487
|
|
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
|
|
|
|
---
|
|
bfd/dwarf2.c | 25 +++++++++++++++++++------
|
|
1 files changed, 25 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
|
|
index 977bf43a6a1..8bbfc81d3e7 100644
|
|
--- a/bfd/dwarf2.c
|
|
+++ b/bfd/dwarf2.c
|
|
@@ -531,22 +531,24 @@ read_section (bfd * abfd,
|
|
bfd_byte ** section_buffer,
|
|
bfd_size_type * section_size)
|
|
{
|
|
- asection *msec;
|
|
const char *section_name = sec->uncompressed_name;
|
|
bfd_byte *contents = *section_buffer;
|
|
- bfd_size_type amt;
|
|
|
|
/* The section may have already been read. */
|
|
if (contents == NULL)
|
|
{
|
|
+ bfd_size_type amt;
|
|
+ asection *msec;
|
|
+ ufile_ptr filesize;
|
|
+
|
|
msec = bfd_get_section_by_name (abfd, section_name);
|
|
- if (! msec)
|
|
+ if (msec == NULL)
|
|
{
|
|
section_name = sec->compressed_name;
|
|
if (section_name != NULL)
|
|
msec = bfd_get_section_by_name (abfd, section_name);
|
|
}
|
|
- if (! msec)
|
|
+ if (msec == NULL)
|
|
{
|
|
_bfd_error_handler (_("DWARF error: can't find %s section."),
|
|
sec->uncompressed_name);
|
|
@@ -554,12 +556,23 @@ read_section (bfd * abfd,
|
|
return FALSE;
|
|
}
|
|
|
|
- *section_size = msec->rawsize ? msec->rawsize : msec->size;
|
|
+ amt = bfd_get_section_limit_octets (abfd, msec);
|
|
+ filesize = bfd_get_file_size (abfd);
|
|
+ if (amt >= filesize)
|
|
+ {
|
|
+ /* PR 26946 */
|
|
+ _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
|
|
+ section_name, (long) amt, (long) filesize);
|
|
+ bfd_set_error (bfd_error_bad_value);
|
|
+ return FALSE;
|
|
+ }
|
|
+ *section_size = amt;
|
|
/* Paranoia - alloc one extra so that we can make sure a string
|
|
section is NUL terminated. */
|
|
- amt = *section_size + 1;
|
|
+ amt += 1;
|
|
if (amt == 0)
|
|
{
|
|
+ /* Paranoia - this should never happen. */
|
|
bfd_set_error (bfd_error_no_memory);
|
|
return FALSE;
|
|
}
|
|
--
|
|
2.27.0
|
|
|