3
0
Fork 0
forked from mirrors/nixpkgs

Merge pull request #116757 from Pamplemousse/master

libbfd: Patch CVE-2020-35448
This commit is contained in:
Jörg Thalheim 2021-03-25 08:43:06 +00:00 committed by GitHub
commit 84cf39d9cc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 78 additions and 0 deletions

View file

@ -0,0 +1,77 @@
From 8642dafaef21aa6747cec01df1977e9c52eb4679 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Fri, 4 Sep 2020 19:19:18 +0930
Subject: [PATCH] PR26574, heap buffer overflow in
_bfd_elf_slurp_secondary_reloc_section
A horribly fuzzed object with section headers inside the ELF header.
Disallow that, and crazy reloc sizes.
PR 26574
* elfcode.h (elf_object_p): Sanity check section header offset.
* elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check
sh_entsize.
---
bfd/elf.c | 4 +++-
bfd/elfcode.h | 8 ++++----
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/bfd/elf.c b/bfd/elf.c
index ac2095f787d..5a02f8dc309 100644
--- a/bfd/elf.c
+++ b/bfd/elf.c
@@ -12576,7 +12576,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd,
Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr;
if (hdr->sh_type == SHT_SECONDARY_RELOC
- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx)
+ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx
+ && (hdr->sh_entsize == ebd->s->sizeof_rel
+ || hdr->sh_entsize == ebd->s->sizeof_rela))
{
bfd_byte * native_relocs;
bfd_byte * native_reloc;
diff --git a/bfd/elfcode.h b/bfd/elfcode.h
index 2ed2f135c34..606ff64fd4d 100644
--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
@@ -571,7 +571,7 @@ elf_object_p (bfd *abfd)
/* If this is a relocatable file and there is no section header
table, then we're hosed. */
- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL)
+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL)
goto got_wrong_format_error;
/* As a simple sanity check, verify that what BFD thinks is the
@@ -581,7 +581,7 @@ elf_object_p (bfd *abfd)
goto got_wrong_format_error;
/* Further sanity check. */
- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0)
+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0)
goto got_wrong_format_error;
ebd = get_elf_backend_data (abfd);
@@ -618,7 +618,7 @@ elf_object_p (bfd *abfd)
&& ebd->elf_osabi != ELFOSABI_NONE)
goto got_wrong_format_error;
- if (i_ehdrp->e_shoff != 0)
+ if (i_ehdrp->e_shoff >= sizeof (x_ehdr))
{
file_ptr where = (file_ptr) i_ehdrp->e_shoff;
@@ -819,7 +819,7 @@ elf_object_p (bfd *abfd)
}
}
- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0)
+ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr))
{
unsigned int num_sec;
--
2.27.0

View file

@ -61,6 +61,7 @@ stdenv.mkDerivation {
# cross-compiling.
./always-search-rpath.patch
./CVE-2020-35448.patch
] ++ lib.optional stdenv.targetPlatform.isiOS ./support-ios.patch
++ # This patch was suggested by Nick Clifton to fix
# https://sourceware.org/bugzilla/show_bug.cgi?id=16177