fix CVE-2022-47696

(cherry picked from commit 54dfa620c52cecdca05d2b9286ecd24092006528)
liningjie 2023-07-28 10:05:35 +08:00 committed by openeuler-sync-bot
parent 51b99eced7
commit 3871f7cec3
2 changed files with 147 additions and 1 deletions


@ -0,0 +1,142 @@
From d12f8998d2d086f0a6606589e5aedb7147e6f2f1 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Fri, 14 Oct 2022 10:30:21 +1030
Subject: [PATCH] PR29677, Field `the_bfd` of `asymbol` is uninitialised
Besides not initialising the_bfd of synthetic symbols, counting
symbols when sizing didn't match symbols created if there were any
dynsyms named "". We don't want synthetic symbols without names
anyway, so get rid of them. Also, simplify and correct sanity checks.
PR 29677
* mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite.
---
bfd/mach-o.c | 72 ++++++++++++++++++++++------------------------------
1 file changed, 31 insertions(+), 41 deletions(-)
diff --git a/bfd/mach-o.c b/bfd/mach-o.c
index acb35e7f0c6..5279343768c 100644
--- a/bfd/mach-o.c
+++ b/bfd/mach-o.c
@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
bfd_mach_o_symtab_command *symtab = mdata->symtab;
asymbol *s;
char * s_start;
- char * s_end;
unsigned long count, i, j, n;
size_t size;
char *names;
- char *nul_name;
const char stub [] = "$stub";
*ret = NULL;
@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
/* We need to allocate a bfd symbol for every indirect symbol and to
allocate the memory for its name. */
count = dysymtab->nindirectsyms;
- size = count * sizeof (asymbol) + 1;
-
+ size = 0;
for (j = 0; j < count; j++)
{
- const char * strng;
unsigned int isym = dysymtab->indirect_syms[j];
+ const char *str;
/* Some indirect symbols are anonymous. */
- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name))
- /* PR 17512: file: f5b8eeba. */
- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub);
+ if (isym < symtab->nsyms
+ && (str = symtab->symbols[isym].symbol.name) != NULL)
+ {
+ /* PR 17512: file: f5b8eeba. */
+ size += strnlen (str, symtab->strsize - (str - symtab->strtab));
+ size += sizeof (stub);
+ }
}
- s_start = bfd_malloc (size);
+ s_start = bfd_malloc (size + count * sizeof (asymbol));
s = *ret = (asymbol *) s_start;
if (s == NULL)
return -1;
names = (char *) (s + count);
- nul_name = names;
- *names++ = 0;
- s_end = s_start + size;
n = 0;
for (i = 0; i < mdata->nsects; i++)
@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd,
entry_size = bfd_mach_o_section_get_entry_size (abfd, sec);
/* PR 17512: file: 08e15eec. */
- if (first >= count || last >= count || first > last)
+ if (first >= count || last > count || first > last)
goto fail;
for (j = first; j < last; j++)
{
unsigned int isym = dysymtab->indirect_syms[j];
-
- /* PR 17512: file: 04d64d9b. */
- if (((char *) s) + sizeof (* s) > s_end)
- goto fail;
-
- s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
- s->section = sec->bfdsection;
- s->value = addr - sec->addr;
- s->udata.p = NULL;
+ const char *str;
+ size_t len;
if (isym < symtab->nsyms
- && symtab->symbols[isym].symbol.name)
+ && (str = symtab->symbols[isym].symbol.name) != NULL)
{
- const char *sym = symtab->symbols[isym].symbol.name;
- size_t len;
-
- s->name = names;
- len = strlen (sym);
- /* PR 17512: file: 47dfd4d2. */
- if (names + len >= s_end)
+ /* PR 17512: file: 04d64d9b. */
+ if (n >= count)
goto fail;
- memcpy (names, sym, len);
- names += len;
- /* PR 17512: file: 18f340a4. */
- if (names + sizeof (stub) >= s_end)
+ len = strnlen (str, symtab->strsize - (str - symtab->strtab));
+ /* PR 17512: file: 47dfd4d2, 18f340a4. */
+ if (size < len + sizeof (stub))
goto fail;
- memcpy (names, stub, sizeof (stub));
- names += sizeof (stub);
+ memcpy (names, str, len);
+ memcpy (names + len, stub, sizeof (stub));
+ s->name = names;
+ names += len + sizeof (stub);
+ size -= len + sizeof (stub);
+ s->the_bfd = symtab->symbols[isym].symbol.the_bfd;
+ s->flags = BSF_GLOBAL | BSF_SYNTHETIC;
+ s->section = sec->bfdsection;
+ s->value = addr - sec->addr;
+ s->udata.p = NULL;
+ s++;
+ n++;
}
- else
- s->name = nul_name;
-
addr += entry_size;
- s++;
- n++;
}
break;
default:
--
2.39.3
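Review bot: The new allocation `bfd_malloc (size + count * sizeof (asymbol))` is computed without an overflow check, although `count` is taken directly from `dysymtab->nindirectsyms`, a value read from the input file. On a host with a 32-bit `size_t` a large count could presumably wrap the product, in which case `names = (char *) (s + count)` and the later `n >= count` guard would both measure against a buffer smaller than they assume; whether the loader already bounds nindirectsyms is not visible in these hunks. A guard just before the allocation, for example `if (count > ((size_t) -1 - size) / sizeof (asymbol)) return -1;`, would make the sizing self-contained. bfd_mach_o_get_synthetic_symtab begins and ends outside the hunks shown, so any earlier validation of the dysymtab fields should be confirmed against the full function.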


@ -1,7 +1,7 @@
Summary: Binary utilities Summary: Binary utilities
Name: binutils Name: binutils
Version: 2.37 Version: 2.37
Release: 17 Release: 18
License: GPLv3+ License: GPLv3+
URL: https://sourceware.org/binutils URL: https://sourceware.org/binutils
@ -75,6 +75,7 @@ Patch49: backport-PR28540-segmentation-fault-on-NULL-byte_get.patch
Patch50: Fix-gold-relocation-offset-and-adrp-signed-shife.patch Patch50: Fix-gold-relocation-offset-and-adrp-signed-shife.patch
Patch51: CVE-2022-47008.patch Patch51: CVE-2022-47008.patch
Patch52: backport-CVE-2022-47011.patch Patch52: backport-CVE-2022-47011.patch
Patch53: backport-CVE-2022-47696.patch
Provides: bundled(libiberty) Provides: bundled(libiberty)
@ -398,6 +399,9 @@ fi
%{_infodir}/bfd*info* %{_infodir}/bfd*info*
%changelog %changelog
* Sun Aug 27 2023 liningjie <liningjie@xfusion.com> - 2.37-18
- fix CVE-2022-47696
* Thu Aug 24 2023 liningjie <liningjie@xfusion.com> - 2.37-17 * Thu Aug 24 2023 liningjie <liningjie@xfusion.com> - 2.37-17
- fix CVE-2022-47011 - fix CVE-2022-47011