From 0a29ea8a1e1a794d19ba9f23ccc2836379419e18 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Thu, 1 Aug 2019 03:15:42 -0500
Subject: system/binutils: patch multiple CVEs (#116)

---
 system/binutils/CVE-2019-9075.patch | 96 +++++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 system/binutils/CVE-2019-9075.patch

(limited to 'system/binutils/CVE-2019-9075.patch')

diff --git a/system/binutils/CVE-2019-9075.patch b/system/binutils/CVE-2019-9075.patch
new file mode 100644
index 000000000..0084d3368
--- /dev/null
+++ b/system/binutils/CVE-2019-9075.patch
@@ -0,0 +1,96 @@
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
+From: Alan Modra
+Date: Wed, 20 Feb 2019 08:21:24 +1030
+Subject: [PATCH] PR24236, Heap buffer overflow in
+ _bfd_archive_64_bit_slurp_armap
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+---
+ bfd/archive.c | 17 +++++++----------
+ bfd/archive64.c | 10 +++++-----
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index d2d9b72..68a92a3 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
+ int *raw_armap, *rawptr;
+ struct artdata *ardata = bfd_ardata (abfd);
+ char *stringbase;
++ char *stringend;
+ bfd_size_type stringsize;
+ bfd_size_type parsed_size;
+ carsym *carsyms;
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
+ }
+ 
+ /* OK, build the carsyms. */
+- for (i = 0; i < nsymz && stringsize > 0; i++)
++ stringend = stringbase + stringsize;
++ *stringend = 0;
++ for (i = 0; i < nsymz; i++)
+ {
+- bfd_size_type len;
+-
+ rawptr = raw_armap + i;
+ carsyms->file_offset = swap ((bfd_byte *) rawptr);
+ carsyms->name = stringbase;
+- /* PR 17512: file: 4a1d50c1. */
+- len = strnlen (stringbase, stringsize);
+- if (len < stringsize)
+- len ++;
+- stringbase += len;
+- stringsize -= len;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ carsyms++;
+ }
+- *stringbase = 0;
+ 
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+diff --git a/bfd/archive64.c b/bfd/archive64.c
+index 312bf82..42f6ed9 100644
+--- a/bfd/archive64.c
++++ b/bfd/archive64.c
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ return FALSE;
+ carsyms = ardata->symdefs;
+ stringbase = ((char *) ardata->symdefs) + carsym_size;
+- stringbase[stringsize] = 0;
+- stringend = stringbase + stringsize;
+ 
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+ if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ goto release_raw_armap;
+ }
+ 
++ stringend = stringbase + stringsize;
++ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
+ {
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+ carsyms->name = stringbase;
+- if (stringbase < stringend)
+- stringbase += strlen (stringbase) + 1;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ ++carsyms;
+ }
+- *stringbase = '\0';
+ 
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+-- 
+2.9.3
+
-- cgit v1.2.3-60-g2f50
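Review bot: The sentinel write `*stringend = 0;` at `stringbase + stringsize`, added in both do_slurp_coff_armap and _bfd_archive_64_bit_slurp_armap, is what bounds the now-unbounded `strlen (stringbase)`, but it is only in bounds if ardata->symdefs was allocated with one byte beyond stringsize; that allocation is outside both inner hunks (both functions start and end outside them), so when carrying this backport to the packaged binutils it is worth confirming the allocation size in the packaged source rather than assuming it matches the upstream tree the patch was cut from. The loop rewrite itself is sound for a symbol count larger than the string table: once stringbase reaches stringend the `!= stringend` guard parks it there and the remaining carsyms get the empty string rather than reading past the buffer. Separately, the inner diffstat says `3 files changed` while only two file diffs are present, so the ChangeLog hunk appears to have been dropped when the patch was trimmed; git apply ignores the diffstat, but a one-line note above the inner `From` header such as `# Backport of upstream 8abac8031ed3 (PR 24236); ChangeLog hunk omitted` would record that for the next person refreshing the patch.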