rpms
/
binutils
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '021d6201a1'
${ noResults }
binutils/SOURCES/binutils-CVE-2018-12699-par...

159 lines
5.9 KiB
Raw Normal View History Unescape

import binutils-2.30-125.el8_10
3 months ago
# This is a merge of four commits to fix a stack overflow bug:
#
# From af4004d1da135610ab931e04a3ba2c9124defbd7 Mon Sep 17 00:00:00 2001
# From: Nick Clifton <nickc@redhat.com>
# Date: Thu, 6 Jan 2022 16:37:26 +0000
# Subject: [PATCH] Fix a stack exhaustion bug parsing malicious STABS format
# debug information.
#
# PR 28718
# * debug.c (debug_write_type): Allow for malicious recursion via
# indirect debug types.
#
# From 0e9f1c04b9572920c7f940203a67d5af3f6c19f6 Mon Sep 17 00:00:00 2001
# From: Pavel Mayorov <pmayorov@cloudlinux.com>
# Date: Fri, 7 Jan 2022 12:34:37 +0000
# Subject: [PATCH] Revert previous delta to debug.c. Replace with patch to
# reject indirect types that point to indirect types.
#
# PR 28718
# * dwarf.c: Revert previous delta.
# (debug_get_real_type): Reject indirect types that point to
# indirect types.
# (debug_get_type_name, debug_get_type_size, debug_write_type):
# Likewise.
#
# From 55a75aae9d971d3d0f49884e3954ac4794559542 Mon Sep 17 00:00:00 2001
# From: Alan Modra <amodra@gmail.com>
# Date: Tue, 9 May 2023 17:11:46 +0930
# Subject: [PATCH] stack overflow in debug_write_type
#
# Another fuzzer attack. This one was a "set" with elements using an
# indirect type pointing back at the set. The existing recursion check
# only prevented simple recursion.
#
# * debug.c (struct debug_type_s): Add mark.
# (debug_write_type): Set mark and check before recursing into
# indirect types.
#
# From 6109320673fe30163b5d00d9e3a7f4e77befb22a Mon Sep 17 00:00:00 2001
# From: Alan Modra <amodra@gmail.com>
# Date: Wed, 10 May 2023 23:05:00 +0930
# Subject: [PATCH] Re: stack overflow in debug_write_type
#
# Apparently u.kindirect->slot can point at a NULL.
#
# * debug.c (debug_write_type): Don't segfault on NULL indirect.
--- binutils.orig/binutils/debug.c 2024-11-06 17:39:57.452250912 +0000
+++ binutils-2.30/binutils/debug.c 2024-11-06 17:44:37.951018606 +0000
@@ -2483,8 +2483,22 @@ debug_write_type (struct debug_handle *i
case DEBUG_KIND_INDIRECT:
if (*type->u.kindirect->slot == DEBUG_TYPE_NULL)
return (*fns->empty_type) (fhandle);
- return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
- name);
+ /* PR 28718: Allow for malicious recursion. */
+ {
+ static int recursion_depth = 0;
+ bfd_boolean result;
+
+ if (recursion_depth > 256)
+ {
+ debug_error (_("debug_write_type: too many levels of nested indirection"));
+ return FALSE;
+ }
+ ++ recursion_depth;
+ result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+ name);
+ -- recursion_depth;
+ return result;
+ }
case DEBUG_KIND_VOID:
return (*fns->void_type) (fhandle);
case DEBUG_KIND_INT:
--- binutils.orig/binutils/debug.c 2024-11-07 12:05:27.049161875 +0000
+++ binutils-2.30/binutils/debug.c 2024-11-07 12:25:03.616783102 +0000
@@ -102,6 +102,8 @@ struct debug_type_s
enum debug_type_kind kind;
/* Size of type (0 if not known). */
unsigned int size;
+ /* Used by debug_write to stop DEBUG_KIND_INDIRECT infinite recursion. */
+ unsigned int mark;
/* Type which is a pointer to this type. */
debug_type pointer;
/* Tagged union with additional information about the type. */
@@ -2065,7 +2067,9 @@ debug_get_real_type (void *handle, debug
/* The default case is just here to avoid warnings. */
default:
case DEBUG_KIND_INDIRECT:
- if (*type->u.kindirect->slot != NULL)
+ /* A valid non-self-referencing indirect type. */
+ if (*type->u.kindirect->slot != NULL
+ && *type->u.kindirect->slot != type)
return debug_get_real_type (handle, *type->u.kindirect->slot, &rl);
return type;
case DEBUG_KIND_NAMED:
@@ -2095,7 +2099,9 @@ debug_get_type_name (void *handle, debug
{
if (type->kind == DEBUG_KIND_INDIRECT)
{
- if (*type->u.kindirect->slot != NULL)
+ /* A valid non-self-referencing indirect type. */
+ if (*type->u.kindirect->slot != NULL
+ && *type->u.kindirect->slot != type)
return debug_get_type_name (handle, *type->u.kindirect->slot);
return type->u.kindirect->tag;
}
@@ -2124,7 +2130,9 @@ debug_get_type_size (void *handle, debug
default:
return 0;
case DEBUG_KIND_INDIRECT:
- if (*type->u.kindirect->slot != NULL)
+ /* A valid non-self-referencing indirect type. */
+ if (*type->u.kindirect->slot != NULL
+ && *type->u.kindirect->slot != type)
return debug_get_type_size (handle, *type->u.kindirect->slot);
return 0;
case DEBUG_KIND_NAMED:
@@ -2419,6 +2427,9 @@ debug_write_type (struct debug_handle *i
int is;
const char *tag = NULL;
+ /* Mark the type so that we don't define a type in terms of itself. */
+ type->mark = info->mark;
+
/* If we have a name for this type, just output it. We only output
typedef names after they have been defined. We output type tags
whenever we are not actually defining them. */
@@ -2481,24 +2492,12 @@ debug_write_type (struct debug_handle *i
debug_error (_("debug_write_type: illegal type encountered"));
return FALSE;
case DEBUG_KIND_INDIRECT:
- if (*type->u.kindirect->slot == DEBUG_TYPE_NULL)
+ /* Prevent infinite recursion. */
+ if (*type->u.kindirect->slot != DEBUG_TYPE_NULL
+ && (*type->u.kindirect->slot)->mark == info->mark)
return (*fns->empty_type) (fhandle);
- /* PR 28718: Allow for malicious recursion. */
- {
- static int recursion_depth = 0;
- bfd_boolean result;
-
- if (recursion_depth > 256)
- {
- debug_error (_("debug_write_type: too many levels of nested indirection"));
- return FALSE;
- }
- ++ recursion_depth;
- result = debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
- name);
- -- recursion_depth;
- return result;
- }
+ return debug_write_type (info, fns, fhandle, *type->u.kindirect->slot,
+ name);
case DEBUG_KIND_VOID:
return (*fns->void_type) (fhandle);
case DEBUG_KIND_INT: