From 87481549722e2d514848f73d3e8076525ae269bc Mon Sep 17 00:00:00 2001 From: Pamplemousse Date: Thu, 18 Mar 2021 09:19:07 -0700 Subject: [PATCH] binutils, libbfd: Patch CVE-2020-35448 Signed-off-by: Pamplemousse --- .../tools/misc/binutils/CVE-2020-35448.patch | 77 +++++++++++++++++++ .../tools/misc/binutils/default.nix | 1 + 2 files changed, 78 insertions(+) create mode 100644 pkgs/development/tools/misc/binutils/CVE-2020-35448.patch diff --git a/pkgs/development/tools/misc/binutils/CVE-2020-35448.patch b/pkgs/development/tools/misc/binutils/CVE-2020-35448.patch new file mode 100644 index 00000000000..2eba7b51849 --- /dev/null +++ b/pkgs/development/tools/misc/binutils/CVE-2020-35448.patch @@ -0,0 +1,77 @@ +From 8642dafaef21aa6747cec01df1977e9c52eb4679 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Fri, 4 Sep 2020 19:19:18 +0930 +Subject: [PATCH] PR26574, heap buffer overflow in + _bfd_elf_slurp_secondary_reloc_section + +A horribly fuzzed object with section headers inside the ELF header. +Disallow that, and crazy reloc sizes. + + PR 26574 + * elfcode.h (elf_object_p): Sanity check section header offset. + * elf.c (_bfd_elf_slurp_secondary_reloc_section): Sanity check + sh_entsize. +--- + bfd/elf.c | 4 +++- + bfd/elfcode.h | 8 ++++---- + 3 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/bfd/elf.c b/bfd/elf.c +index ac2095f787d..5a02f8dc309 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -12576,7 +12576,9 @@ _bfd_elf_slurp_secondary_reloc_section (bfd * abfd, + Elf_Internal_Shdr * hdr = & elf_section_data (relsec)->this_hdr; + + if (hdr->sh_type == SHT_SECONDARY_RELOC +- && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx) ++ && hdr->sh_info == (unsigned) elf_section_data (sec)->this_idx ++ && (hdr->sh_entsize == ebd->s->sizeof_rel ++ || hdr->sh_entsize == ebd->s->sizeof_rela)) + { + bfd_byte * native_relocs; + bfd_byte * native_reloc; +diff --git a/bfd/elfcode.h b/bfd/elfcode.h +index 2ed2f135c34..606ff64fd4d 100644 +--- a/bfd/elfcode.h ++++ b/bfd/elfcode.h +@@ -571,7 +571,7 @@ elf_object_p (bfd *abfd) + + /* If this is a relocatable file and there is no section header + table, then we're hosed. */ +- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_type == ET_REL) ++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_type == ET_REL) + goto got_wrong_format_error; + + /* As a simple sanity check, verify that what BFD thinks is the +@@ -581,7 +581,7 @@ elf_object_p (bfd *abfd) + goto got_wrong_format_error; + + /* Further sanity check. */ +- if (i_ehdrp->e_shoff == 0 && i_ehdrp->e_shnum != 0) ++ if (i_ehdrp->e_shoff < sizeof (x_ehdr) && i_ehdrp->e_shnum != 0) + goto got_wrong_format_error; + + ebd = get_elf_backend_data (abfd); +@@ -618,7 +618,7 @@ elf_object_p (bfd *abfd) + && ebd->elf_osabi != ELFOSABI_NONE) + goto got_wrong_format_error; + +- if (i_ehdrp->e_shoff != 0) ++ if (i_ehdrp->e_shoff >= sizeof (x_ehdr)) + { + file_ptr where = (file_ptr) i_ehdrp->e_shoff; + +@@ -819,7 +819,7 @@ elf_object_p (bfd *abfd) + } + } + +- if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff != 0) ++ if (i_ehdrp->e_shstrndx != 0 && i_ehdrp->e_shoff >= sizeof (x_ehdr)) + { + unsigned int num_sec; + +-- +2.27.0 + + diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 5022f8a7f8c..37ba3420b18 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -61,6 +61,7 @@ stdenv.mkDerivation { # cross-compiling. ./always-search-rpath.patch + ./CVE-2020-35448.patch ] ++ lib.optional stdenv.targetPlatform.isiOS ./support-ios.patch ++ # This patch was suggested by Nick Clifton to fix # https://sourceware.org/bugzilla/show_bug.cgi?id=16177