diff options
Diffstat (limited to 'pkgs/development/tools/misc/binutils/CVE-2020-35448.patch')
-rw-r--r-- | pkgs/development/tools/misc/binutils/CVE-2020-35448.patch | 77 |
1 files changed, 0 insertions, 77 deletions
diff --git a/pkgs/development/tools/misc/binutils/CVE-2020-35448.patch b/pkgs/development/tools/misc/binutils/CVE-2020-35448.patch deleted file mode 100644 index 2eba7b51849f5..0000000000000 --- a/pkgs/development/tools/misc/binutils/CVE-2020-35448.patch +++ /dev/null @@ -1,77 +0,0 @@ -From 8642dafaef21aa6747cec01df1977e9c52eb4679 Mon Sep 17 00:00:00 2001 -From: Alan Modra <amodra@gmail.com> -Date: Fri, 4 Sep 2020 19:19:18 +0930 -Subject: [PATCH] PR26574, heap buffer overflow in - _bfd_elf_slurp_secondary_reloc_section - -A horribly fuzzed object with section headers inside the ELF header. -Disallow that, and crazy reloc sizes. - - PR 26574 - * elfcode.h (elf_object_p): Sanity check section header offset. - * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check - sh_entsize. ---- - bfd/elf.c | 4 +++- - bfd/elfcode.h | 8 ++++---- - 3 files changed, 14 insertions(+), 5 deletions(-) - -diff --git a/bfd/elf.c b/bfd/elf.c -index ac2095f787d..5a02f8dc309 100644 ---- a/bfd/elf.c -+++ b/bfd/elf.c -@@ -12576,7 +12576,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd, - Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; - - if (hdr->sh_type == SHT_SECONDARY_RELOC -- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx) -+ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx -+ && (hdr->sh_entsize == ebd->s->sizeof_rel -+ || hdr->sh_entsize == ebd->s->sizeof_rela)) - { - bfd_byte * native_relocs; - bfd_byte * native_reloc; -diff --git a/bfd/elfcode.h b/bfd/elfcode.h -index 2ed2f135c34..606ff64fd4d 100644 ---- a/bfd/elfcode.h -+++ b/bfd/elfcode.h -@@ -571,7 +571,7 @@ elf_object_p (bfd *abfd) - - /* If this is a relocatable file and there is no section header - table, then we're hosed. */ -- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL) -+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL) - goto got_wrong_format_error; - - /* As a simple sanity check, verify that what BFD thinks is the -@@ -581,7 +581,7 @@ elf_object_p (bfd *abfd) - goto got_wrong_format_error; - - /* Further sanity check. */ -- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0) -+ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0) - goto got_wrong_format_error; - - ebd = get_elf_backend_data (abfd); -@@ -618,7 +618,7 @@ elf_object_p (bfd *abfd) - && ebd->elf_osabi != ELFOSABI_NONE) - goto got_wrong_format_error; - -- if (i_ehdrp->e_shoff != 0) -+ if (i_ehdrp->e_shoff >= sizeof (x_ehdr)) - { - file_ptr where = (file_ptr) i_ehdrp->e_shoff; - -@@ -819,7 +819,7 @@ elf_object_p (bfd *abfd) - } - } - -- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0) -+ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr)) - { - unsigned int num_sec; - --- -2.27.0 - - |