binutils: patch CVE-2021-3487

3 years ago · 745023e01a
parent f378420360
commit 745023e01a
2 changed files with 74 additions and 0 deletions
--- a/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch
+++ b/pkgs/development/tools/misc/binutils/CVE-2021-3487.patch
@ -0,0 +1,73 @@
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000 (+0000)
+Subject: Prevent a memory allocation failure when parsing corrupt DWARF debug sections.
+X-Git-Tag: binutils-2_36~485
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=647cebce12a6b0a26960220caff96ff38978cf24;hp=239ca5e497dda2c151009d664d500086a5c2173a
+
+Prevent a memory allocation failure when parsing corrupt DWARF debug sections.
+
+	PR 26946
+	* dwarf2.c (read_section): Check for debug sections with excessive
+	sizes.
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 977bf43a6a1..8bbfc81d3e7 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -531,22 +531,24 @@ read_section (bfd *	      abfd,
+ 	      bfd_byte **     section_buffer,
+ 	      bfd_size_type * section_size)
+ {
+-  asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+-  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+     {
+      bfd_size_type amt;
+      asection *msec;
+      ufile_ptr filesize;
+
+       msec = bfd_get_section_by_name (abfd, section_name);
+-      if (! msec)
+      if (msec == NULL)
+ 	{
+ 	  section_name = sec->compressed_name;
+ 	  if (section_name != NULL)
+ 	    msec = bfd_get_section_by_name (abfd, section_name);
+ 	}
+-      if (! msec)
+      if (msec == NULL)
+ 	{
+ 	  _bfd_error_handler (_("DWARF error: can't find %s section."),
+ 			      sec->uncompressed_name);
+@@ -554,12 +556,23 @@ read_section (bfd *	      abfd,
+ 	  return FALSE;
+ 	}
+ 
+-      *section_size = msec->rawsize ? msec->rawsize : msec->size;
+      amt = bfd_get_section_limit_octets (abfd, msec);
+      filesize = bfd_get_file_size (abfd);
+      if (amt >= filesize)
+	{
+	  /* PR 26946 */
+	  _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
+			      section_name, (long) amt, (long) filesize);
+	  bfd_set_error (bfd_error_bad_value);
+	  return FALSE;
+	}
+      *section_size = amt;
+       /* Paranoia - alloc one extra so that we can make sure a string
+ 	 section is NUL terminated.  */
+-      amt = *section_size + 1;
+      amt += 1;
+       if (amt == 0)
+ 	{
+	  /* Paranoia - this should never happen.  */
+ 	  bfd_set_error (bfd_error_no_memory);
+ 	  return FALSE;
+ 	}
+
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@ -84,6 +84,7 @@ stdenv.mkDerivation {
    ./gold-Update-GNU_PROPERTY_X86_XXX-macros.patch

    ./CVE-2020-35448.patch
+    ./CVE-2021-3487.patch
  ] ++ lib.optional stdenv.targetPlatform.isiOS ./support-ios.patch
    ++ # This patch was suggested by Nick Clifton to fix
       # https://sourceware.org/bugzilla/show_bug.cgi?id=16177