Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 13 Aug 2021 11:07:59 GMT
From:      =?utf-8?Q?Fernando Apestegu=C3=ADa?= <fernape@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: 9c4ee12ed3cd - 2021Q3 - devel/binutils: Add fix for CVE-2021-3487
Message-ID:  <202108131107.17DB7xam060746@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch 2021Q3 has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6

commit 9c4ee12ed3cddad1cb19a62d05b7efe77cb896a6
Author:     Yasuhiro Kimura <yasu@utahime.org>
AuthorDate: 2021-08-13 10:55:57 +0000
Commit:     Fernando ApesteguĂ­a <fernape@FreeBSD.org>
CommitDate: 2021-08-13 10:55:57 +0000

    devel/binutils: Add fix for CVE-2021-3487
    
    The CVE is fixed in main in a0e752df8013. Merging that would mean merging other
    changes to other ports and doing more exp-runs, so we just backport the fix in
    the quarterly branch to avoid too much disruption.
    
    VuXML entry to be handled in PR 256133.
    
    PR:     255368, 251385
    Reported by:    diizzy@
    Security:       CVE-2021-3487
---
 devel/binutils/Makefile                  |  2 +-
 devel/binutils/files/patch-CVE-2021-3487 | 75 ++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/devel/binutils/Makefile b/devel/binutils/Makefile
index 2b8517bc4d9b..3d3762653bd7 100644
--- a/devel/binutils/Makefile
+++ b/devel/binutils/Makefile
@@ -2,7 +2,7 @@
 
 PORTNAME=	binutils
 PORTVERSION=	2.33.1
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH?=	1
 CATEGORIES?=	devel
 MASTER_SITES=	SOURCEWARE/binutils/releases
diff --git a/devel/binutils/files/patch-CVE-2021-3487 b/devel/binutils/files/patch-CVE-2021-3487
new file mode 100644
index 000000000000..05e9d63642f9
--- /dev/null
+++ b/devel/binutils/files/patch-CVE-2021-3487
@@ -0,0 +1,75 @@
+From a782e724be101be550bb47b4e6a2a0c92475c494 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 26 Nov 2020 17:08:33 +0000
+Subject: [PATCH] Prevent a memory allocation failure when parsing corrupt
+ DWARF debug sections.
+
+	PR 26946
+	* dwarf2.c (read_section): Check for debug sections with excessive
+	sizes.
+---
+ bfd/dwarf2.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git bfd/dwarf2.c bfd/dwarf2.c
+index ed6dcd48c7f..348e69cb063 100644
+--- bfd/dwarf2.c
++++ bfd/dwarf2.c
+@@ -527,22 +527,24 @@ read_section (bfd *	      abfd,
+ 	      bfd_byte **     section_buffer,
+ 	      bfd_size_type * section_size)
+ {
+-  asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+-  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+     {
++      bfd_size_type amt;
++      asection *msec;
++      ufile_ptr filesize;
++
+       msec = bfd_get_section_by_name (abfd, section_name);
+-      if (! msec)
++      if (msec == NULL)
+ 	{
+ 	  section_name = sec->compressed_name;
+ 	  if (section_name != NULL)
+ 	    msec = bfd_get_section_by_name (abfd, section_name);
+ 	}
+-      if (! msec)
++      if (msec == NULL)
+ 	{
+ 	  _bfd_error_handler (_("DWARF error: can't find %s section."),
+ 			      sec->uncompressed_name);
+@@ -550,12 +552,23 @@ read_section (bfd *	      abfd,
+ 	  return FALSE;
+ 	}
+ 
+-      *section_size = msec->rawsize ? msec->rawsize : msec->size;
++      amt = bfd_get_section_limit_octets (abfd, msec);
++      filesize = bfd_get_file_size (abfd);
++      if (amt >= filesize)
++	{
++	  /* PR 26946 */
++	  _bfd_error_handler (_("DWARF error: section %s is larger than its filesize! (0x%lx vs 0x%lx)"),
++			      section_name, (long) amt, (long) filesize);
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
++      *section_size = amt;
+       /* Paranoia - alloc one extra so that we can make sure a string
+ 	 section is NUL terminated.  */
+-      amt = *section_size + 1;
++      amt += 1;
+       if (amt == 0)
+ 	{
++	  /* Paranoia - this should never happen.  */
+ 	  bfd_set_error (bfd_error_no_memory);
+ 	  return FALSE;
+ 	}
+-- 
+2.31.1
+



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108131107.17DB7xam060746>