[Bug binutils/24447] New: Provides patches for all CVEs in version 2.31.1
https://sourceware.org/bugzilla/show_bug.cgi?id=24447

            Bug ID: 24447
           Summary: Provides patches for all CVEs in version 2.31.1
           Product: binutils
           Version: 2.31
            Status: UNCONFIRMED
          Severity: enhancement
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: wp_scut at 163 dot com
  Target Milestone: ---

Created attachment 11739
  --> https://sourceware.org/bugzilla/attachment.cgi?id=11739&action=edit
run the file patch_all.sh, then the patches will take effect

Hi,

When we recently used the 2.31.1 version of binutils, we found 13 CVEs, 10 of which have been fixed, 1 is not a problem, and 2 have been moved to gcc. We then integrated the fixes; the script file is written according to the order of the 9 patch files (two of the CVEs are fixed by the same patch), so the replacement of the source files can be completed in one step. Considering that some developers who have to use binutils 2.31.1 will encounter the same problems we did, the script and patch files are provided in the attachment for other developers to use.

The attachment contains 9 patch files and scripts.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
___
bug-binutils mailing list
bug-binutils@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-binutils
[Bug binutils/23994] Heap overflow in libbfd caused by integer overflow
https://sourceware.org/bugzilla/show_bug.cgi?id=23994

wang peng changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wp_scut at 163 dot com

--- Comment #4 from wang peng ---
(In reply to tfx from comment #0)
> Created attachment 11464 [details]
> Heap overflow in libbfd caused by integer overflow.
>
> Hi there,
>
> A heap overflow issue was discovered in bfd, caused by an integer overflow, as
> distributed in GNU Binutils 2.31. It also exists in the latest version in
> Binutils 2.32, commit 76d2760bc38ada83f81087f16eb151ccc0176574. This issue
> may have existed for a long time.
>
> The source code is shown as follows. Run Binutils 2.31 "objdump -d poc1" as an
> example:
>
> In the disassemble_data function in objdump.c, line 2463 is a heap allocation.
> But 'relsize' may be too small because of an integer overflow. Line 8271 in the
> _bfd_elf_canonicalize_dynamic_reloc function in elf.c will cause a heap
> overflow.
>
> objdump.c
>
> 2456   long relsize = bfd_get_dynamic_reloc_upper_bound (abfd); //relsize = 4
>
> 2463   aux.dynrelbuf = (arelent **) xmalloc (relsize);
> 2464   aux.dynrelcount = bfd_canonicalize_dynamic_reloc (abfd,
> 2465                                                      aux.dynrelbuf,
> 2466                                                      dynsyms); //heap overflow
>
> elf.c
>
> 8210 _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
> 8211 {
> 8212   long ret;
> ...
> 8226       ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
> 8227               * sizeof (arelent *)); //integer overflow
>
> 8229   return ret;
> 8230 }
>
> 8241 _bfd_elf_canonicalize_dynamic_reloc (bfd *abfd,
> 8242                                      arelent **storage, //objdump.c:2463 alloc
> 8243                                      asymbol **syms)
> 8244 {
> ...
> 8268       count = s->size / elf_section_data (s)->this_hdr.sh_entsize;
> 8269       p = s->relocation;
> 8270       for (i = 0; i < count; i++)
> 8271         *storage++ = p++; //heap overflow
> ...
> }
>
> The crash output is shown as follows.
>
> $ ../binutils-gdb/binutils/objdump --version
> GNU objdump (GNU Binutils) 2.31.51.20181216
>
> $ ../binutils-gdb/binutils/objdump -d poc2
> ../binutils-gdb/binutils/objdump: warning: poc2 has a corrupt section with a
> size (fbff80) larger than the file size
>
> poc2: file format elf64-x86-64
>
> *** Error in `../binutils-gdb/binutils/objdump': malloc(): memory
> corruption: 0x08997948 ***
> === Backtrace: =
> /lib/i386-linux-gnu/libc.so.6(+0x67377)[0xf7d60377]
> /lib/i386-linux-gnu/libc.so.6(+0x6d2f7)[0xf7d662f7]
> /lib/i386-linux-gnu/libc.so.6(+0x6f3f2)[0xf7d683f2]
> /lib/i386-linux-gnu/libc.so.6(__libc_malloc+0xc5)[0xf7d69fc5]
> /lib/i386-linux-gnu/libc.so.6(+0x29171)[0xf7d22171]
> /lib/i386-linux-gnu/libc.so.6(+0x270a2)[0xf7d200a2]
> /lib/i386-linux-gnu/libc.so.6(+0x26a20)[0xf7d1fa20]
> /lib/i386-linux-gnu/libc.so.6(dcgettext+0x26)[0xf7d1e8b6]
> /lib/i386-linux-gnu/libc.so.6(dgettext+0x12)[0xf7d1e8d2]
> ../binutils-gdb/binutils/objdump[0x809b1aa]
> ../binutils-gdb/binutils/objdump[0x8088100]
> ../binutils-gdb/binutils/objdump[0x80882ad]
> ../binutils-gdb/binutils/objdump[0x804edfd]
> ../binutils-gdb/binutils/objdump[0x80516a0]
> ../binutils-gdb/binutils/objdump[0x805182f]
> ../binutils-gdb/binutils/objdump[0x8051a7e]
> ../binutils-gdb/binutils/objdump[0x8051aeb]
> ../binutils-gdb/binutils/objdump[0x8052458]
> /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf7)[0xf7d11637]
> ../binutils-gdb/binutils/objdump[0x8049b51]
> === Memory map:
> 08048000-08246000 r-xp 08:22 433952
> ../testcase/binutils/binutils-gdb/binutils/objdump
> 08246000-08247000 r--p 001fd000 08:22 433952
> ../testcase/binutils/binutils-gdb/binutils/objdump
> 08247000-0824c000 rw-p 001fe000 08:22 433952
> ../testcase/binutils/binutils-gdb/binutils/objdump
> 0824c000-08253000 rw-p 00:00 0
> 0898f000-089b rw-p 00:00 0
> [heap]
> f790-f7921000 rw-p 00:00 0
> f7921000-f7a0 ---p 00:00 0
> f7ab5000-f7ad1000 r-xp 08:06 3802106
> /lib/i386-linux-gnu/libgcc_s.so.1
> f7ad1000-f7ad2000 r--p 0001b000 08:06 3802106
> /lib/i386-linux-gnu/libgcc_s.so.1
> f7ad2000-f7ad3000 rw-p 0001c000 08:06
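The following C program is an added example, not code from the bug report or from binutils. It models the arithmetic the quoted comment points at in elf.c (lines 8226-8227): a 64-bit section size divided by sh_entsize and multiplied by sizeof (arelent *), accumulated into a `long` that is only 32 bits wide on the i386 build the backtrace comes from. `upper_bound_unchecked` reproduces that narrowing; `upper_bound_checked` is the hardened counterpart that uses the GCC/Clang `__builtin_mul_overflow` / `__builtin_add_overflow` builtins and fails closed by returning -1, and `allocate_dynrelbuf` shows the caller side from objdump.c treating a negative bound as an error rather than a size. The `dyn_reloc_section` struct, `bfd_long` (a 32-bit stand-in for the 32-bit `long`) and all section values are constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t bfd_size_type;   /* BFD section sizes are 64-bit */
typedef int32_t  bfd_long;        /* assumption: stands in for `long` on the i386 build in the report */
typedef struct arelent arelent;   /* opaque here; only the pointer size matters */

/* Constructed model of the two per-section fields the quoted code reads. */
struct dyn_reloc_section {
    bfd_size_type size;           /* s->size */
    bfd_size_type sh_entsize;     /* elf_section_data (s)->this_hdr.sh_entsize */
};

/* Mirrors the quoted arithmetic: the 64-bit product is silently narrowed
   when added to the 32-bit result, so a huge section yields a tiny bound.
   Callers of this model must not pass sh_entsize == 0 (division by zero). */
static bfd_long upper_bound_unchecked(const struct dyn_reloc_section *secs, size_t n)
{
    bfd_long ret = sizeof(arelent *);            /* one slot reserved up front (model assumption) */
    for (size_t i = 0; i < n; i++)
        ret += (secs[i].size / secs[i].sh_entsize) * sizeof(arelent *);
    return ret;
}

/* Hardened counterpart: every step is overflow-checked, including the final
   narrowing into bfd_long, and the function returns -1 instead of a bound
   that is smaller than what the section actually holds. */
static bfd_long upper_bound_checked(const struct dyn_reloc_section *secs, size_t n)
{
    bfd_long ret = sizeof(arelent *);
    for (size_t i = 0; i < n; i++) {
        if (secs[i].sh_entsize == 0)
            return -1;                           /* malformed header: nothing can be counted */
        bfd_size_type count = secs[i].size / secs[i].sh_entsize;
        bfd_size_type bytes;
        if (__builtin_mul_overflow(count, sizeof(arelent *), &bytes))
            return -1;
        if (__builtin_add_overflow(ret, bytes, &ret))   /* also catches the 64->32-bit narrowing */
            return -1;
    }
    return ret;
}

/* Caller side, modelled on objdump.c:2456-2463: a negative bound is an
   error, not an allocation size. Returns NULL rather than allocating. */
static arelent **allocate_dynrelbuf(const struct dyn_reloc_section *secs, size_t n,
                                    bfd_long *relsize_out)
{
    bfd_long relsize = upper_bound_checked(secs, n);
    *relsize_out = relsize;
    if (relsize < 0)
        return NULL;
    return (arelent **)calloc(1, (size_t)relsize);
}

/* Constructed inputs (not from the PoC file in the report). */
static const struct dyn_reloc_section constructed_oversized[] = {
    { .size = (bfd_size_type)1 << 40, .sh_entsize = 8 },   /* count * sizeof(ptr) needs > 32 bits */
};
static const struct dyn_reloc_section constructed_benign[] = {
    { .size = 0x180, .sh_entsize = 0x18 },                 /* 16 entries */
};
static const struct dyn_reloc_section constructed_zero_entsize[] = {
    { .size = 0x180, .sh_entsize = 0 },
};

int main(void)
{
    bfd_long sz;
    printf("unchecked bound for oversized section: %ld bytes (should be ~2^40)\n",
           (long)upper_bound_unchecked(constructed_oversized, 1));
    printf("checked bound for oversized section:   %ld\n",
           (long)upper_bound_checked(constructed_oversized, 1));
    arelent **buf = allocate_dynrelbuf(constructed_benign, 1, &sz);
    printf("benign section: relsize=%ld, buffer %s\n", (long)sz, buf ? "allocated" : "refused");
    free(buf);
    return 0;
}
```

On the oversized input the unchecked model returns exactly sizeof (arelent *), the same shape as the "relsize = 4" the reporter annotates, while the checked version refuses; on the benign input both agree, which is the property a regression test for this class of bug should pin down.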