[binutils] Fix memory corruption bug introduced by the previous patch.

Nicholas Clifton nickc at fedoraproject.org
Wed Oct 29 10:36:51 UTC 2014


commit c6c4136c200baaee07c69573fe30282fc0c9d106
Author: Nick Clifton <nickc at redhat.com>
Date:   Wed Oct 29 10:36:37 2014 +0000

    Fix memory corruption bug introduced by the previous patch.

 binutils-2.24-corrupt-elf.2.patch |   91 +++++++++++++++++++++++++++++++++++++
 binutils.spec                     |    7 +++-
 2 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/binutils-2.24-corrupt-elf.2.patch b/binutils-2.24-corrupt-elf.2.patch
new file mode 100644
index 0000000..0ad40dd
--- /dev/null
+++ b/binutils-2.24-corrupt-elf.2.patch
@@ -0,0 +1,91 @@
+diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
+*** ../binutils-2.24.orig/bfd/elf.c	2014-10-28 16:02:16.233549448 +0000
+--- bfd/elf.c	2014-10-28 16:02:36.754653055 +0000
+*************** bfd_section_from_shdr (bfd *abfd, unsign
+*** 1584,1589 ****
+--- 1584,1590 ----
+    const char *name;
+    bfd_boolean ret = TRUE;
+    static bfd_boolean * sections_being_created = NULL;
++   static bfd * sections_being_created_abfd = NULL;
+    static unsigned int nesting = 0;
+  
+    if (shindex >= elf_numsections (abfd))
+*************** bfd_section_from_shdr (bfd *abfd, unsign
+*** 1596,1608 ****
+  	 loop.  Detect this here, by refusing to load a section that we are
+  	 already in the process of loading.  We only trigger this test if
+  	 we have nested at least three sections deep as normal ELF binaries
+! 	 can expect to recurse at least once.  */
+!       
+        if (sections_being_created == NULL)
+  	{
+  	  /* FIXME: It would be more efficient to attach this array to the bfd somehow.  */
+  	  sections_being_created = (bfd_boolean *)
+  	    bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
+  	}
+        if (sections_being_created [shindex])
+  	{
+--- 1597,1615 ----
+  	 loop.  Detect this here, by refusing to load a section that we are
+  	 already in the process of loading.  We only trigger this test if
+  	 we have nested at least three sections deep as normal ELF binaries
+! 	 can expect to recurse at least once.
+! 
+! 	 FIXME: It would be better if this array was attached to the bfd,
+! 	 rather than being held in a static pointer.  */
+! 
+!       if (sections_being_created_abfd != abfd)
+! 	sections_being_created = NULL;
+        if (sections_being_created == NULL)
+  	{
+  	  /* FIXME: It would be more efficient to attach this array to the bfd somehow.  */
+  	  sections_being_created = (bfd_boolean *)
+  	    bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ 	  sections_being_created_abfd = abfd;
+  	}
+        if (sections_being_created [shindex])
+  	{
+*************** bfd_section_from_shdr (bfd *abfd, unsign
+*** 2106,2112 ****
+    if (sections_being_created)
+      sections_being_created [shindex] = FALSE;
+    if (-- nesting == 0)
+!     sections_being_created = NULL;
+    return ret;
+  }
+  
+--- 2113,2122 ----
+    if (sections_being_created)
+      sections_being_created [shindex] = FALSE;
+    if (-- nesting == 0)
+!     {
+!       sections_being_created = NULL;
+!       sections_being_created_abfd = abfd;
+!     }
+    return ret;
+  }
+  
+Only in bfd: elf.c.orig
+diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
+*** ../binutils-2.24.orig/bfd/peXXigen.c	2014-10-28 16:02:16.251549538 +0000
+--- bfd/peXXigen.c	2014-10-28 16:02:36.755653060 +0000
+*************** pe_print_edata (bfd * abfd, void * vfile
+*** 1444,1449 ****
+--- 1444,1458 ----
+  	}
+      }
+  
++   /* PR 17512: Handle corrupt PE binaries.  */
++   if (datasize < 36)
++     {
++       fprintf (file,
++ 	       _("\nThere is an export table in %s, but it is too small (%d)\n"),
++ 	       section->name, (int) datasize);
++       return TRUE;
++     }
++ 
+    fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+  	   section->name, (unsigned long) addr);
+  
+Only in bfd: peXXigen.c.orig
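Review bot: In the elf.c part of the added patch, the `bfd_zalloc` result is indexed as `sections_being_created [shindex]` without a NULL check, so an allocation failure while reading a corrupt file becomes a NULL dereference. Add `if (sections_being_created == NULL) return FALSE;` before `sections_being_created_abfd = abfd;`, and since the increment of `nesting` lies outside these hunks, confirm that the early return keeps the counter balanced. The stale-array guard `sections_being_created_abfd != abfd` compares addresses only, and the exit path stores `abfd` where `NULL` would be clearer. If a return path not shown here skips that reset, a later bfd allocated at the same address could reuse an array owned by a closed bfd; attaching the array to the bfd, as the FIXME suggests, would remove that dependence. In the peXXigen.c part, `if (datasize < 36)` uses an unexplained constant: the PE export directory table is 40 bytes long and the reads that follow are not visible here, so verify that the bound covers the last field read and name the structure in the comment.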
diff --git a/binutils.spec b/binutils.spec
index 2d886d8..0876262 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -19,7 +19,7 @@
 Summary: A GNU collection of binary utilities
 Name: %{?cross}binutils%{?_with_debug:-debug}
 Version: 2.24
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv3+
 Group: Development/Tools
 URL: http://sources.redhat.com/binutils
@@ -75,6 +75,7 @@ Patch30: binutils-HEAD-change-ld-notice-interface.patch
 Patch31: binutils-2.24-corrupt-srec.patch
 Patch32: binutils-2.24-corrupt-groups.patch
 Patch33: binutils-2.24-corrupt-elf.patch
+Patch34: binutils-2.24-corrupt-elf.2.patch
 
 Provides: bundled(libiberty)
 
@@ -212,6 +213,7 @@ using libelf instead of BFD.
 %patch31 -p0 -b .corrupt-srec~
 %patch32 -p0 -b .corrupt-groups~
 %patch33 -p0 -b .corrupt-elf~
+%patch34 -p0 -b .corrupt-elf2~
 
 # We cannot run autotools as there is an exact requirement of autoconf-2.59.
 
@@ -526,6 +528,9 @@ exit 0
 %endif # %{isnative}
 
 %changelog
+* Wed Oct 29 2014 Nick Clifton <nickc at redhat.com> - 2.24-27
+- Fix memory corruption bug introduced by the previous patch.
+
 * Tue Oct 28 2014 Nick Clifton <nickc at redhat.com> - 2.24-26
 - Import patches for PR/17510 and PR/17512 to fix reading corrupt ELF binaries.
   Resolves: BZ #1157276, #1157277

