[binutils] Fix buffer overrun in ihex parser. Fix memory corruption in previous patch. Consoldiate corrupt hand
Nicholas Clifton
nickc at fedoraproject.org
Fri Oct 31 12:17:54 UTC 2014
commit f396ddc9f7850fbe6163abe2d667592f4f65f2b8
Author: Nick Clifton <nickc at redhat.com>
Date: Fri Oct 31 12:17:36 2014 +0000
Fix buffer overrun in ihex parser.
Fix memory corruption in previous patch.
Consolidate corrupt handling patches into just one patch.
Default strings command to using -a.
...f.patch => binutils-2.24-corrupt-binaries.patch | 293 +++++++++++++++----
binutils-2.24-corrupt-elf.2.patch | 91 ------
binutils-2.24-corrupt-groups.patch | 86 ------
binutils-2.24-corrupt-srec.patch | 41 ---
binutils-2.24-strings-default-all.patch | 310 ++++++++++++++++++++
binutils.spec | 20 +-
6 files changed, 554 insertions(+), 287 deletions(-)
---
diff --git a/binutils-2.24-corrupt-elf.patch b/binutils-2.24-corrupt-binaries.patch
similarity index 78%
rename from binutils-2.24-corrupt-elf.patch
rename to binutils-2.24-corrupt-binaries.patch
index 0b5d5f8..b3985a9 100644
--- a/binutils-2.24-corrupt-elf.patch
+++ b/binutils-2.24-corrupt-binaries.patch
@@ -1,8 +1,92 @@
-diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
-*** ../binutils-2.24.orig/bfd/elf.c 2014-10-28 09:39:29.505064397 +0000
---- bfd/elf.c 2014-10-28 09:45:17.973958424 +0000
+diff -cpr ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
+*** ../binutils-2.24.orig/bfd/elf.c 2014-10-31 11:50:20.132220820 +0000
+--- bfd/elf.c 2014-10-31 11:53:23.669281197 +0000
+*************** setup_group (bfd *abfd, Elf_Internal_Shd
+*** 608,616 ****
+ if (shdr->contents == NULL)
+ {
+ _bfd_error_handler
+! (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ bfd_set_error (bfd_error_bad_value);
+! return FALSE;
+ }
+
+ memset (shdr->contents, 0, amt);
+--- 608,617 ----
+ if (shdr->contents == NULL)
+ {
+ _bfd_error_handler
+! (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ bfd_set_error (bfd_error_bad_value);
+! -- num_group;
+! continue;
+ }
+
+ memset (shdr->contents, 0, amt);
+*************** setup_group (bfd *abfd, Elf_Internal_Shd
+*** 618,625 ****
+ if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+ != shdr->sh_size))
+! return FALSE;
+!
+ /* Translate raw contents, a flag word followed by an
+ array of elf section indices all in target byte order,
+ to the flag word followed by an array of elf section
+--- 619,635 ----
+ if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+ != shdr->sh_size))
+! {
+! _bfd_error_handler
+! (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+! bfd_set_error (bfd_error_bad_value);
+! -- num_group;
+! /* PR 17510: If the group contents are even partially
+! corrupt, do not allow any of the contents to be used. */
+! memset (shdr->contents, 0, amt);
+! continue;
+! }
+!
+ /* Translate raw contents, a flag word followed by an
+ array of elf section indices all in target byte order,
+ to the flag word followed by an array of elf section
+*************** setup_group (bfd *abfd, Elf_Internal_Shd
+*** 651,656 ****
+--- 661,681 ----
+ }
+ }
+ }
++
++ /* PR 17510: Corrupt binaries might contain invalid groups. */
++ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
++ {
++ elf_tdata (abfd)->num_group = num_group;
++
++ /* If all groups are invalid then fail. */
++ if (num_group == 0)
++ {
++ elf_tdata (abfd)->group_sect_ptr = NULL;
++ elf_tdata (abfd)->num_group = num_group = -1;
++ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
++ bfd_set_error (bfd_error_bad_value);
++ }
++ }
+ }
+ }
+
+*************** setup_group (bfd *abfd, Elf_Internal_Shd
+*** 716,721 ****
+--- 741,747 ----
+ {
+ (*_bfd_error_handler) (_("%B: no group info for section %A"),
+ abfd, newsect);
++ return FALSE;
+ }
+ return TRUE;
+ }
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1582,1619 ****
+*** 1556,1593 ****
Elf_Internal_Ehdr *ehdr;
const struct elf_backend_data *bed;
const char *name;
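Review bot: The two rejection paths added to setup_group leave a bad group header in different states: the first (L36-L53) continues with `shdr->contents` still NULL, while the second (L70-L79) zeros `amt` bytes of a buffer that stays non-NULL. Any later code that keys on `hdr->contents != NULL`, such as the SHT_GROUP walk visible as context at L393, will therefore still traverse the zeroed group, so that walk must tolerate an all-zero flag word and section entries; that part of bfd_section_from_shdr is outside this hunk, so it is worth confirming rather than assuming. A comment at the second `memset` stating why a zeroed buffer is preferred over NULL here, e.g. `/* Keep contents non-NULL so callers see an empty group rather than a missing one. */`, would record the intent. The `-1` sentinel stored into `num_group` at L100 presumably relies on the same `(unsigned)` comparison convention seen at L92; a named constant would read better than the bare literal.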
@@ -41,12 +125,13 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->sh_link > elf_numsections (abfd))
{
/* PR 10478: Accept Solaris binaries with a sh_link
---- 1582,1648 ----
+--- 1582,1655 ----
Elf_Internal_Ehdr *ehdr;
const struct elf_backend_data *bed;
const char *name;
+ bfd_boolean ret = TRUE;
+ static bfd_boolean * sections_being_created = NULL;
++ static bfd * sections_being_created_abfd = NULL;
+ static unsigned int nesting = 0;
if (shindex >= elf_numsections (abfd))
@@ -59,13 +144,19 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
+ loop. Detect this here, by refusing to load a section that we are
+ already in the process of loading. We only trigger this test if
+ we have nested at least three sections deep as normal ELF binaries
-+ can expect to recurse at least once. */
-+
++ can expect to recurse at least once.
++
++ FIXME: It would be better if this array was attached to the bfd,
++ rather than being held in a static pointer. */
++
++ if (sections_being_created_abfd != abfd)
++ sections_being_created = NULL;
+ if (sections_being_created == NULL)
+ {
+ /* FIXME: It would be more efficient to attach this array to the bfd somehow. */
+ sections_being_created = (bfd_boolean *)
+ bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ sections_being_created_abfd = abfd;
+ }
+ if (sections_being_created [shindex])
+ {
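Review bot: The `bfd_zalloc` result at L155 is stored into `sections_being_created` and indexed at L158 with no NULL check, so an allocation failure (a corrupt header can make `elf_numsections` large) dereferences NULL instead of failing cleanly. Add a guard after the allocation, `if (sections_being_created == NULL) return FALSE;`, or `goto fail` if the static `nesting` counter has already been incremented at that point — the increment is outside the hunk, so which form is right depends on it. bfd_section_from_shdr starts and ends outside this hunk.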
@@ -110,7 +201,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
/* PR 10478: Accept Solaris binaries with a sh_link
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1627,1637 ****
+*** 1601,1611 ****
break;
/* Otherwise fall through. */
default:
@@ -122,7 +213,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB)
{
Elf_Internal_Shdr *dynsymhdr;
---- 1656,1666 ----
+--- 1663,1673 ----
break;
/* Otherwise fall through. */
default:
@@ -135,7 +226,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
Elf_Internal_Shdr *dynsymhdr;
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1660,1683 ****
+*** 1634,1657 ****
}
}
}
@@ -160,7 +251,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
BFD_ASSERT (elf_onesymtab (abfd) == 0);
elf_onesymtab (abfd) = shindex;
elf_tdata (abfd)->symtab_hdr = *hdr;
---- 1689,1714 ----
+--- 1696,1721 ----
}
}
}
@@ -188,7 +279,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
elf_onesymtab (abfd) = shindex;
elf_tdata (abfd)->symtab_hdr = *hdr;
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1694,1700 ****
+*** 1668,1674 ****
&& (abfd->flags & DYNAMIC) != 0
&& ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
shindex))
@@ -196,7 +287,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
can't read symbols without that section loaded as well. It
---- 1725,1731 ----
+--- 1732,1738 ----
&& (abfd->flags & DYNAMIC) != 0
&& ! _bfd_elf_make_section_from_shdr (abfd, hdr, name,
shindex))
@@ -205,7 +296,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we
can't read symbols without that section loaded as well. It
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1720,1745 ****
+*** 1694,1719 ****
break;
}
if (i != shindex)
@@ -232,7 +323,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
BFD_ASSERT (elf_dynsymtab (abfd) == 0);
elf_dynsymtab (abfd) = shindex;
elf_tdata (abfd)->dynsymtab_hdr = *hdr;
---- 1751,1779 ----
+--- 1758,1786 ----
break;
}
if (i != shindex)
@@ -263,7 +354,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
elf_dynsymtab (abfd) = shindex;
elf_tdata (abfd)->dynsymtab_hdr = *hdr;
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1748,1781 ****
+*** 1722,1755 ****
/* Besides being a symbol table, we also treat this as a regular
section, so that objcopy can handle it. */
@@ -298,7 +389,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex)
{
dynsymtab_strtab:
---- 1782,1819 ----
+--- 1789,1826 ----
/* Besides being a symbol table, we also treat this as a regular
section, so that objcopy can handle it. */
@@ -338,7 +429,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
dynsymtab_strtab:
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1784,1791 ****
+*** 1758,1765 ****
elf_elfsections (abfd)[shindex] = hdr;
/* We also treat this as a regular section, so that objcopy
can handle it. */
@@ -347,7 +438,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
/* If the string table isn't one of the above, then treat it as a
---- 1822,1830 ----
+--- 1829,1837 ----
elf_elfsections (abfd)[shindex] = hdr;
/* We also treat this as a regular section, so that objcopy
can handle it. */
@@ -358,7 +449,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* If the string table isn't one of the above, then treat it as a
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1803,1811 ****
+*** 1777,1785 ****
{
/* Prevent endless recursion on broken objects. */
if (i == shindex)
@@ -368,7 +459,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (elf_onesymtab (abfd) == i)
goto symtab_strtab;
if (elf_dynsymtab (abfd) == i)
---- 1842,1850 ----
+--- 1849,1857 ----
{
/* Prevent endless recursion on broken objects. */
if (i == shindex)
@@ -379,7 +470,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
goto symtab_strtab;
if (elf_dynsymtab (abfd) == i)
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1813,1819 ****
+*** 1787,1793 ****
}
}
}
@@ -387,7 +478,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
case SHT_REL:
case SHT_RELA:
---- 1852,1859 ----
+--- 1859,1866 ----
}
}
}
@@ -397,7 +488,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
case SHT_REL:
case SHT_RELA:
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1828,1834 ****
+*** 1802,1808 ****
if (hdr->sh_entsize
!= (bfd_size_type) (hdr->sh_type == SHT_REL
? bed->s->sizeof_rel : bed->s->sizeof_rela))
@@ -405,7 +496,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Check for a bogus link to avoid crashing. */
if (hdr->sh_link >= num_sec)
---- 1868,1874 ----
+--- 1875,1881 ----
if (hdr->sh_entsize
!= (bfd_size_type) (hdr->sh_type == SHT_REL
? bed->s->sizeof_rel : bed->s->sizeof_rela))
@@ -414,7 +505,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* Check for a bogus link to avoid crashing. */
if (hdr->sh_link >= num_sec)
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1836,1843 ****
+*** 1810,1817 ****
((*_bfd_error_handler)
(_("%B: invalid link %lu for reloc section %s (index %u)"),
abfd, hdr->sh_link, name, shindex));
@@ -423,7 +514,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
/* For some incomprehensible reason Oracle distributes
---- 1876,1884 ----
+--- 1883,1891 ----
((*_bfd_error_handler)
(_("%B: invalid link %lu for reloc section %s (index %u)"),
abfd, hdr->sh_link, name, shindex));
@@ -434,7 +525,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* For some incomprehensible reason Oracle distributes
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1878,1884 ****
+*** 1852,1858 ****
if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
|| elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
&& ! bfd_section_from_shdr (abfd, hdr->sh_link))
@@ -442,7 +533,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* If this reloc section does not use the main symbol table we
don't treat it as a reloc section. BFD can't adequately
---- 1919,1925 ----
+--- 1926,1932 ----
if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB
|| elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM)
&& ! bfd_section_from_shdr (abfd, hdr->sh_link))
@@ -451,7 +542,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
/* If this reloc section does not use the main symbol table we
don't treat it as a reloc section. BFD can't adequately
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1893,1906 ****
+*** 1867,1880 ****
|| hdr->sh_info >= num_sec
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
@@ -466,7 +557,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
esdt = elf_section_data (target_sect);
if (hdr->sh_type == SHT_RELA)
---- 1934,1951 ----
+--- 1941,1958 ----
|| hdr->sh_info >= num_sec
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL
|| elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA)
@@ -486,7 +577,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
esdt = elf_section_data (target_sect);
if (hdr->sh_type == SHT_RELA)
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1912,1918 ****
+*** 1886,1892 ****
amt = sizeof (*hdr2);
hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (hdr2 == NULL)
@@ -494,7 +585,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*hdr2 = *hdr;
*p_hdr = hdr2;
elf_elfsections (abfd)[shindex] = hdr2;
---- 1957,1963 ----
+--- 1964,1970 ----
amt = sizeof (*hdr2);
hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt);
if (hdr2 == NULL)
@@ -503,7 +594,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
*p_hdr = hdr2;
elf_elfsections (abfd)[shindex] = hdr2;
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1928,1961 ****
+*** 1902,1935 ****
target_sect->use_rela_p = 1;
}
abfd->flags |= HAS_RELOC;
@@ -538,7 +629,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->contents != NULL)
{
Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
---- 1973,2012 ----
+--- 1980,2019 ----
target_sect->use_rela_p = 1;
}
abfd->flags |= HAS_RELOC;
@@ -580,7 +671,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
{
Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents;
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1981,1987 ****
+*** 1955,1961 ****
}
}
}
@@ -588,7 +679,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
default:
/* Possibly an attributes section. */
---- 2032,2038 ----
+--- 2039,2045 ----
}
}
}
@@ -597,7 +688,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
default:
/* Possibly an attributes section. */
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 1989,2002 ****
+*** 1963,1976 ****
|| hdr->sh_type == bed->obj_attrs_section_type)
{
if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
@@ -612,7 +703,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
{
---- 2040,2053 ----
+--- 2047,2060 ----
|| hdr->sh_type == bed->obj_attrs_section_type)
{
if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex))
@@ -628,7 +719,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER)
{
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 2008,2016 ****
+*** 1982,1990 ****
"specific section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@@ -638,7 +729,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
else if (hdr->sh_type >= SHT_LOPROC
&& hdr->sh_type <= SHT_HIPROC)
---- 2059,2070 ----
+--- 2066,2077 ----
"specific section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@@ -652,7 +743,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
else if (hdr->sh_type >= SHT_LOPROC
&& hdr->sh_type <= SHT_HIPROC)
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 2031,2038 ****
+*** 2005,2012 ****
"`%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@@ -661,7 +752,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
else
/* FIXME: We should handle this section. */
---- 2085,2095 ----
+--- 2092,2102 ----
"`%s' [0x%8x]"),
abfd, name, hdr->sh_type);
else
@@ -674,7 +765,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
else
/* FIXME: We should handle this section. */
*************** bfd_section_from_shdr (bfd *abfd, unsign
-*** 2040,2049 ****
+*** 2014,2023 ****
(_("%B: don't know how to handle section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
@@ -685,7 +776,7 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
}
/* Return the local symbol specified by ABFD, R_SYMNDX. */
---- 2097,2113 ----
+--- 2104,2123 ----
(_("%B: don't know how to handle section `%s' [0x%8x]"),
abfd, name, hdr->sh_type);
@@ -695,17 +786,57 @@ diff -rcp ../binutils-2.24.orig/bfd/elf.c bfd/elf.c
! fail:
! ret = FALSE;
! success:
-! if (sections_being_created)
+! if (sections_being_created && sections_being_created_abfd == abfd)
! sections_being_created [shindex] = FALSE;
! if (-- nesting == 0)
-! sections_being_created = NULL;
+! {
+! sections_being_created = NULL;
+! sections_being_created_abfd = abfd;
+! }
! return ret;
}
/* Return the local symbol specified by ABFD, R_SYMNDX. */
-diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
-*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-28 09:39:31.656075721 +0000
---- bfd/peXXigen.c 2014-10-28 09:43:31.011370536 +0000
+*************** elfcore_write_lwpstatus (bfd *abfd,
+*** 9296,9302 ****
+ lwpstat.pr_lwpid = pid >> 16;
+ lwpstat.pr_cursig = cursig;
+ #if defined (HAVE_LWPSTATUS_T_PR_REG)
+! memcpy (lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg));
+ #elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT)
+ #if !defined(gregs)
+ memcpy (lwpstat.pr_context.uc_mcontext.gregs,
+--- 9396,9402 ----
+ lwpstat.pr_lwpid = pid >> 16;
+ lwpstat.pr_cursig = cursig;
+ #if defined (HAVE_LWPSTATUS_T_PR_REG)
+! memcpy (&lwpstat.pr_reg, gregs, sizeof (lwpstat.pr_reg));
+ #elif defined (HAVE_LWPSTATUS_T_PR_CONTEXT)
+ #if !defined(gregs)
+ memcpy (lwpstat.pr_context.uc_mcontext.gregs,
+diff -cpr ../binutils-2.24.orig/bfd/ihex.c bfd/ihex.c
+*** ../binutils-2.24.orig/bfd/ihex.c 2014-10-31 11:50:20.143220890 +0000
+--- bfd/ihex.c 2014-10-31 11:51:45.746721162 +0000
+*************** ihex_scan (bfd *abfd)
+*** 322,328 ****
+ {
+ if (! ISHEX (buf[i]))
+ {
+! ihex_bad_byte (abfd, lineno, hdr[i], error);
+ goto error_return;
+ }
+ }
+--- 322,328 ----
+ {
+ if (! ISHEX (buf[i]))
+ {
+! ihex_bad_byte (abfd, lineno, buf[i], error);
+ goto error_return;
+ }
+ }
+diff -cpr ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
+*** ../binutils-2.24.orig/bfd/peXXigen.c 2014-10-31 11:50:20.149220928 +0000
+--- bfd/peXXigen.c 2014-10-31 11:51:00.397462266 +0000
*************** _bfd_XXi_swap_aouthdr_in (bfd * abfd,
*** 460,465 ****
--- 460,476 ----
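Review bot: On the exit path at L497 the static `sections_being_created_abfd` is set to `abfd` rather than cleared when the array pointer is dropped, leaving a stale bfd pointer in a static after the outermost call returns. It is harmless only because the entry path re-allocates whenever `sections_being_created` is NULL, but `sections_being_created_abfd = NULL;` states the intent directly and removes the chance that a later bfd allocated at the same address is mistaken for this one if the entry checks are ever reordered. The ihex change in the same hunk (`buf[i]` replacing `hdr[i]` in the error report, L530/L538) is the fix the commit describes; `ihex_scan`, `elfcore_write_lwpstatus` and `bfd_section_from_shdr` all extend beyond the hunk.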
@@ -760,6 +891,24 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
dataoff = addr - section->vma;
datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size;
*************** pe_print_edata (bfd * abfd, void * vfile
+*** 1426,1431 ****
+--- 1444,1458 ----
+ }
+ }
+
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (datasize < 36)
++ {
++ fprintf (file,
++ _("\nThere is an export table in %s, but it is too small (%d)\n"),
++ section->name, (int) datasize);
++ return TRUE;
++ }
++
+ fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+ section->name, (unsigned long) addr);
+
+*************** pe_print_edata (bfd * abfd, void * vfile
*** 1469,1476 ****
fprintf (file,
_("Name \t\t\t\t"));
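Review bot: The size guard at L558 rejects export tables smaller than 36 bytes, but the PE export directory table is 40 bytes long, with the ordinal-table address occupying bytes 36..39; if `pe_print_edata` reads that field (the field reads are outside this hunk), a `datasize` of 36 to 39 still passes the check and the last read runs past the end of the table. Unless those reads are bounded elsewhere, the guard should be `if (datasize < 40)`, and a named constant for the directory size would make the bound self-explanatory. `pe_print_edata` begins before this hunk.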
@@ -769,7 +918,7 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
fprintf (file,
_("Ordinal Base \t\t\t%ld\n"), edt.base);
---- 1487,1497 ----
+--- 1496,1506 ----
fprintf (file,
_("Name \t\t\t\t"));
bfd_fprintf_vma (abfd, file, edt.name);
@@ -790,7 +939,7 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
{
bfd_vma eat_member = bfd_get_32 (abfd,
data + edt.eat_addr + (i * 4) - adj);
---- 1537,1548 ----
+--- 1546,1557 ----
_("\nExport Address Table -- Ordinal Base %ld\n"),
edt.base);
@@ -812,7 +961,7 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
{
bfd_vma name_ptr = bfd_get_32 (abfd,
data +
---- 1578,1593 ----
+--- 1587,1602 ----
fprintf (file,
_("\n[Ordinal/Name Pointer] Table\n"));
@@ -829,9 +978,9 @@ diff -rcp ../binutils-2.24.orig/bfd/peXXigen.c bfd/peXXigen.c
{
bfd_vma name_ptr = bfd_get_32 (abfd,
data +
-diff -rcp ../binutils-2.24.orig/bfd/srec.c bfd/srec.c
-*** ../binutils-2.24.orig/bfd/srec.c 2014-10-28 09:39:30.762071014 +0000
---- bfd/srec.c 2014-10-28 09:40:54.769513267 +0000
+diff -cpr ../binutils-2.24.orig/bfd/srec.c bfd/srec.c
+*** ../binutils-2.24.orig/bfd/srec.c 2014-10-31 11:50:20.144220896 +0000
+--- bfd/srec.c 2014-10-31 11:50:55.808436025 +0000
*************** srec_bad_byte (bfd *abfd,
*** 248,254 ****
}
@@ -850,19 +999,43 @@ diff -rcp ../binutils-2.24.orig/bfd/srec.c bfd/srec.c
if (! ISPRINT (c))
sprintf (buf, "\\%03o", (unsigned int) c);
*************** srec_scan (bfd *abfd)
-*** 454,460 ****
+*** 454,461 ****
case 'S':
{
file_ptr pos;
! char hdr[3];
- unsigned int bytes, min_bytes;
+! unsigned int bytes;
bfd_vma address;
bfd_byte *data;
---- 454,460 ----
+ unsigned char check_sum;
+--- 454,461 ----
case 'S':
{
file_ptr pos;
! unsigned char hdr[3];
- unsigned int bytes, min_bytes;
+! unsigned int bytes, min_bytes;
bfd_vma address;
bfd_byte *data;
+ unsigned char check_sum;
+*************** srec_scan (bfd *abfd)
+*** 478,483 ****
+--- 478,496 ----
+ }
+
+ check_sum = bytes = HEX (hdr + 1);
++ min_bytes = 3;
++ if (hdr[0] == '2' || hdr[0] == '8')
++ min_bytes = 4;
++ else if (hdr[0] == '3' || hdr[0] == '7')
++ min_bytes = 5;
++ if (bytes < min_bytes)
++ {
++ (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"),
++ abfd, lineno, bytes);
++ bfd_set_error (bfd_error_bad_value);
++ goto error_return;
++ }
++
+ if (bytes * 2 > bufsize)
+ {
+ if (buf != NULL)
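Review bot: The error message at L649 ends in `\n`, while the other `_bfd_error_handler` messages in this patch (L101, L112, L322) do not, so this one presumably prints an extra blank line through a handler that supplies its own newline; drop it: `(*_bfd_error_handler) (_("%B:%d: byte count %d too small"),`. The `bytes < min_bytes` check itself rejects records too short to hold the address and checksum for each record type before `bytes` is used to size the read, which is the right place for it. `srec_scan` extends beyond the hunk.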
diff --git a/binutils-2.24-strings-default-all.patch b/binutils-2.24-strings-default-all.patch
new file mode 100644
index 0000000..97b9f8e
--- /dev/null
+++ b/binutils-2.24-strings-default-all.patch
@@ -0,0 +1,310 @@
+diff -cpr ../binutils-2.24.orig/binutils/config.in binutils/config.in
+*** ../binutils-2.24.orig/binutils/config.in 2014-10-31 11:50:20.455222877 +0000
+--- binutils/config.in 2014-10-31 11:59:05.021241036 +0000
+***************
+*** 18,23 ****
+--- 18,26 ----
+ /* Should ar and ranlib use -D behavior by default? */
+ #undef DEFAULT_AR_DETERMINISTIC
+
++ /* Should strings use -a behavior by default? */
++ #undef DEFAULT_STRINGS_ALL
++
+ /* Define to 1 if translation of program messages to the user's native
+ language is requested. */
+ #undef ENABLE_NLS
+diff -cpr ../binutils-2.24.orig/binutils/configure binutils/configure
+*** ../binutils-2.24.orig/binutils/configure 2014-10-31 11:50:20.590223736 +0000
+--- binutils/configure 2014-10-31 12:01:46.570102643 +0000
+*************** with_gnu_ld
+*** 772,777 ****
+--- 772,778 ----
+ enable_libtool_lock
+ enable_targets
+ enable_deterministic_archives
++ enable_default_strings_all
+ enable_werror
+ enable_build_warnings
+ enable_nls
+*************** Optional Features:
+*** 1421,1426 ****
+--- 1422,1429 ----
+ --enable-targets alternative target configurations
+ --enable-deterministic-archives
+ ar and ranlib default to -D behavior
++ --disable-default-strings-all
++ strings defaults to --data behavior
+ --enable-werror treat compile warnings as errors
+ --enable-build-warnings enable build-time compiler warnings
+ --disable-nls do not use Native Language Support
+*************** cat >>confdefs.h <<_ACEOF
+*** 11615,11620 ****
+--- 11594,11618 ----
+ _ACEOF
+
+
++ # Check whether --enable-default-strings-all was given.
++ if test "${enable_default_strings_all+set}" = set; then :
++ enableval=$enable_default_strings_all;
++ if test "${enableval}" = no; then
++ default_strings_all=0
++ else
++ default_strings_all=1
++ fi
++ else
++ default_strings_all=1
++ fi
++
++
++
++ cat >>confdefs.h <<_ACEOF
++ #define DEFAULT_STRINGS_ALL $default_strings_all
++ _ACEOF
++
++
+
+ GCC_WARN_CFLAGS="-W -Wall -Wstrict-prototypes -Wmissing-prototypes"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+diff -cpr ../binutils-2.24.orig/binutils/configure.in binutils/configure.in
+*** ../binutils-2.24.orig/binutils/configure.in 2014-10-31 11:50:20.430222717 +0000
+--- binutils/configure.in 2014-10-31 12:00:48.092790946 +0000
+*************** fi], [default_ar_deterministic=0])
+*** 57,62 ****
+--- 57,74 ----
+ AC_DEFINE_UNQUOTED(DEFAULT_AR_DETERMINISTIC, $default_ar_deterministic,
+ [Should ar and ranlib use -D behavior by default?])
+
++ AC_ARG_ENABLE(default-strings-all,
++ [AS_HELP_STRING([--disable-default-strings-all],
++ [strings defaults to --data behavior])], [
++ if test "${enableval}" = no; then
++ default_strings_all=0
++ else
++ default_strings_all=1
++ fi], [default_strings_all=1])
++
++ AC_DEFINE_UNQUOTED(DEFAULT_STRINGS_ALL, $default_strings_all,
++ [Should strings use -a behavior by default?])
++
+ AM_BINUTILS_WARNINGS
+
+ AC_CONFIG_HEADERS(config.h:config.in)
+diff -cpr ../binutils-2.24.orig/binutils/doc/binutils.texi binutils/doc/binutils.texi
+*** ../binutils-2.24.orig/binutils/doc/binutils.texi 2014-10-31 11:50:20.579223666 +0000
+--- binutils/doc/binutils.texi 2014-10-31 11:59:23.052339164 +0000
+*************** strings [@option{-afovV}] [@option{-}@va
+*** 2653,2667 ****
+
+ @c man begin DESCRIPTION strings
+
+! For each @var{file} given, @sc{gnu} @command{strings} prints the printable
+! character sequences that are at least 4 characters long (or the number
+! given with the options below) and are followed by an unprintable
+! character. By default, it only prints the strings from the initialized
+! and loaded sections of object files; for other types of files, it prints
+! the strings from the whole file.
+
+! @command{strings} is mainly useful for determining the contents of non-text
+! files.
+
+ @c man end
+
+--- 2653,2676 ----
+
+ @c man begin DESCRIPTION strings
+
+! For each @var{file} given, @sc{gnu} @command{strings} prints the
+! printable character sequences that are at least 4 characters long (or
+! the number given with the options below) and are followed by an
+! unprintable character.
+!
+! Depending upon how the strings program was configured it will default
+! to either displaying all the printable sequences that it can find in
+! each file, or only those sequences that are in loadable, initialized
+! data sections. If the file type in unrecognizable, or if strings is
+! reading from stdin then it will always display all of the printable
+! sequences that it can find.
+!
+! For backwards compatibility any file that occurs after a command line
+! option of just @option{-} will also be scanned in full, regardless of
+! the presence of any @option{-d} option.
+
+! @command{strings} is mainly useful for determining the contents of
+! non-text files.
+
+ @c man end
+
+*************** files.
+*** 2671,2678 ****
+ @item -a
+ @itemx --all
+ @itemx -
+! Do not scan only the initialized and loaded sections of object files;
+! scan the whole files.
+
+ @item -f
+ @itemx --print-file-name
+--- 2680,2704 ----
+ @item -a
+ @itemx --all
+ @itemx -
+! Scan the whole file, regardless of what sections it contains or
+! whether those sections are loaded or initialized. Normally this is
+! the default behaviour, but strings can be configured so that the
+! @option{-d} is the default instead.
+!
+! The @option{-} option is position dependent and forces strings to
+! perform full scans of any file that is mentioned after the @option{-}
+! on the command line, even if the @option{-d} option has been
+! specified.
+!
+! @item -d
+! @itemx --data
+! Only print strings from initialized, loaded data sections in the
+! file. This may reduce the amount of garbage in the output, but it
+! also exposes the strings program to any security flaws that may be
+! present in the BFD library used to scan and load sections. Strings
+! can be configured so that this option is the default behaviour. In
+! such cases the @option{-a} option can be used to avoid using the BFD
+! library and instead just print all of the strings found in the file.
+
+ @item -f
+ @itemx --print-file-name
+diff -cpr ../binutils-2.24.orig/binutils/NEWS binutils/NEWS
+*** ../binutils-2.24.orig/binutils/NEWS 2014-10-31 11:50:20.338222131 +0000
+--- binutils/NEWS 2014-10-31 11:59:52.315493579 +0000
+***************
+*** 1,5 ****
+--- 1,10 ----
+ -*- text -*-
+
++ * Add --data option to strings to only print strings in loadable, initialized
++ data sections. Change the default behaviour to be --all, but add a new
++ configure time option of --disable-default-strings-all to restore the old
++ default behaviour.
++
+ Changes in 2.24:
+
+ * Objcopy now supports wildcard characters in command line options that take
+diff -cpr ../binutils-2.24.orig/binutils/strings.c binutils/strings.c
+*** ../binutils-2.24.orig/binutils/strings.c 2014-10-31 11:50:20.464222934 +0000
+--- binutils/strings.c 2014-10-31 12:01:33.901035485 +0000
+***************
+*** 23,29 ****
+ Options:
+ --all
+ -a
+! - Do not scan only the initialized data section of object files.
+
+ --print-file-name
+ -f Print the name of the file before each string.
+--- 23,32 ----
+ Options:
+ --all
+ -a
+! - Scan each file in its entirety.
+!
+! --data
+! -d Scan only the initialized data section(s) of object files.
+
+ --print-file-name
+ -f Print the name of the file before each string.
+*************** static int encoding_bytes;
+*** 107,112 ****
+--- 110,116 ----
+ static struct option long_options[] =
+ {
+ {"all", no_argument, NULL, 'a'},
++ {"data", no_argument, NULL, 'd'},
+ {"print-file-name", no_argument, NULL, 'f'},
+ {"bytes", required_argument, NULL, 'n'},
+ {"radix", required_argument, NULL, 't'},
+*************** typedef struct
+*** 128,134 ****
+
+ static void strings_a_section (bfd *, asection *, void *);
+ static bfd_boolean strings_object_file (const char *);
+! static bfd_boolean strings_file (char *file);
+ static void print_strings (const char *, FILE *, file_ptr, int, int, char *);
+ static void usage (FILE *, int);
+ static long get_char (FILE *, file_ptr *, int *, char **);
+--- 132,138 ----
+
+ static void strings_a_section (bfd *, asection *, void *);
+ static bfd_boolean strings_object_file (const char *);
+! static bfd_boolean strings_file (char *);
+ static void print_strings (const char *, FILE *, file_ptr, int, int, char *);
+ static void usage (FILE *, int);
+ static long get_char (FILE *, file_ptr *, int *, char **);
+*************** main (int argc, char **argv)
+*** 158,168 ****
+ string_min = 4;
+ print_addresses = FALSE;
+ print_filenames = FALSE;
+! datasection_only = TRUE;
+ target = NULL;
+ encoding = 's';
+
+! while ((optc = getopt_long (argc, argv, "afhHn:ot:e:T:Vv0123456789",
+ long_options, (int *) 0)) != EOF)
+ {
+ switch (optc)
+--- 162,175 ----
+ string_min = 4;
+ print_addresses = FALSE;
+ print_filenames = FALSE;
+! if (DEFAULT_STRINGS_ALL)
+! datasection_only = FALSE;
+! else
+! datasection_only = TRUE;
+ target = NULL;
+ encoding = 's';
+
+! while ((optc = getopt_long (argc, argv, "adfhHn:ot:e:T:Vv0123456789",
+ long_options, (int *) 0)) != EOF)
+ {
+ switch (optc)
+*************** main (int argc, char **argv)
+*** 171,176 ****
+--- 178,187 ----
+ datasection_only = FALSE;
+ break;
+
++ case 'd':
++ datasection_only = TRUE;
++ break;
++
+ case 'f':
+ print_filenames = TRUE;
+ break;
+*************** usage (FILE *stream, int status)
+*** 635,642 ****
+ {
+ fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name);
+ fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n"));
+! fprintf (stream, _(" The options are:\n\
+ -a - --all Scan the entire file, not just the data section\n\
+ -f --print-file-name Print the name of the file before each string\n\
+ -n --bytes=[number] Locate & print any NUL-terminated sequence of at\n\
+ -<number> least [number] characters (default 4).\n\
+--- 646,663 ----
+ {
+ fprintf (stream, _("Usage: %s [option(s)] [file(s)]\n"), program_name);
+ fprintf (stream, _(" Display printable strings in [file(s)] (stdin by default)\n"));
+! fprintf (stream, _(" The options are:\n"));
+!
+! if (DEFAULT_STRINGS_ALL)
+! fprintf (stream, _("\
+! -a - --all Scan the entire file, not just the data section [default]\n\
+! -d --data Only scan the data sections in the file\n"));
+! else
+! fprintf (stream, _("\
+ -a - --all Scan the entire file, not just the data section\n\
++ -d --data Only scan the data sections in the file [default]\n"));
++
++ fprintf (stream, _("\
+ -f --print-file-name Print the name of the file before each string\n\
+ -n --bytes=[number] Locate & print any NUL-terminated sequence of at\n\
+ -<number> least [number] characters (default 4).\n\
+
+Only in binutils: strings.c.rej
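Review bot: The last line of the new patch file, `Only in binutils: strings.c.rej`, is stray `diff -r` output recording a leftover reject file in the working tree, not patch content; `patch` will skip it, but it should be removed and the `.rej` cleaned up before the diff is regenerated. In the texinfo hunk, L787 reads `If the file type in unrecognizable` and should be `If the file type is unrecognizable`. The `-d`/`--data` text at L826-L832 is worth keeping exactly as written, since it tells users that data-section mode routes the file through the BFD section loader and that `-a` avoids it. In main, `if (DEFAULT_STRINGS_ALL) datasection_only = FALSE; else datasection_only = TRUE;` (L919-L922) can be written as `datasection_only = !DEFAULT_STRINGS_ALL;`.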
diff --git a/binutils.spec b/binutils.spec
index 0876262..132baa1 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -19,7 +19,7 @@
Summary: A GNU collection of binary utilities
Name: %{?cross}binutils%{?_with_debug:-debug}
Version: 2.24
-Release: 27%{?dist}
+Release: 28%{?dist}
License: GPLv3+
Group: Development/Tools
URL: http://sources.redhat.com/binutils
@@ -72,10 +72,8 @@ Patch27: binutils-2.24-aarch64-fix-gotplt-offset-ifunc.patch
Patch28: binutils-2.24-aarch64-fix-static-ifunc.patch
Patch29: binutils-2.24-aarch64-fix-ie-relax.patch
Patch30: binutils-HEAD-change-ld-notice-interface.patch
-Patch31: binutils-2.24-corrupt-srec.patch
-Patch32: binutils-2.24-corrupt-groups.patch
-Patch33: binutils-2.24-corrupt-elf.patch
-Patch34: binutils-2.24-corrupt-elf.2.patch
+Patch31: binutils-2.24-corrupt-binaries.patch
+Patch32: binutils-2.24-strings-default-all.patch
Provides: bundled(libiberty)
@@ -210,10 +208,8 @@ using libelf instead of BFD.
%patch28 -p1 -b .aa64-2~
%patch29 -p1 -b .aa64-3~
%patch30 -p1 -b .ldplugin~
-%patch31 -p0 -b .corrupt-srec~
-%patch32 -p0 -b .corrupt-groups~
-%patch33 -p0 -b .corrupt-elf~
-%patch34 -p0 -b .corrupt-elf2~
+%patch31 -p0 -b .corrupt-binaries~
+%patch32 -p0 -b .strings-all~
# We cannot run autotools as there is an exact requirement of autoconf-2.59.
@@ -528,6 +524,12 @@ exit 0
%endif # %{isnative}
%changelog
+* Fri Oct 31 2014 Nick Clifton <nickc at redhat.com> - 2.24-28
+- Fix buffer overrun in ihex parser.
+- Fix memory corruption in previous patch.
+- Consoldiate corrupt handling patches into just one patch.
+- Default strings command to using -a.
+
* Wed Oct 29 2014 Nick Clifton <nickc at redhat.com> - 2.24-27
- Fix memory corruption bug introduced by the previous patch.