0002-fix-POC-CVE.patch 7.52 KB
hanshuang 提交于 2023-04-21 13:19 . cve: fix ld -E POC loophole
From eb82b793715e1c16f5adbee72d1346c2cefb6f6d Mon Sep 17 00:00:00 2001
From: hanshuang <hanshuang@uniontech.com>
Date: Thu, 20 Apr 2023 11:12:43 +0800
Subject: [PATCH 2/2] fix-POC-CVE
diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
index 13472a11..2c437b14 100644
--- a/bfd/elf64-x86-64.c
+++ b/bfd/elf64-x86-64.c
@@ -3296,20 +3296,39 @@ direct:
{
if (contents[roff + 5] == 0xb8)
{
+ if (roff < 3
+ || (roff - 3 + 22) > input_section->size)
+ {
+corrupt_input:
+ info->callbacks->einfo
+ (_("%F%P: corrupt input: %pB\n"),
+ input_bfd);
+ return FALSE;
+ }
memcpy (contents + roff - 3,
"\x64\x48\x8b\x04\x25\0\0\0\0\x48\x8d\x80"
"\0\0\0\0\x66\x0f\x1f\x44\0", 22);
largepic = 1;
}
else
+ {
+ if (roff < 4
+ || (roff - 4 + 16) > input_section->size)
+ goto corrupt_input;
memcpy (contents + roff - 4,
"\x64\x48\x8b\x04\x25\0\0\0\0\x48\x8d\x80\0\0\0",
16);
+ }
}
else
+ {
+ if (roff < 3
+ || (roff - 3 + 15) > input_section->size)
+ goto corrupt_input;
memcpy (contents + roff - 3,
"\x64\x8b\x04\x25\0\0\0\0\x48\x8d\x80\0\0\0",
15);
+ }
bfd_put_32 (output_bfd,
elf_x86_64_tpoff (info, relocation),
contents + roff + 8 + largepic);
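Review bot: The read of `contents[roff + 5]` on the hunk's second line still happens before any of the new bounds checks, so an `roff` close to the end of the section indexes past `contents` before the `roff - 3 + 22` test ever runs; unless a guard already exists above line 3296, add `if ((roff + 5) >= input_section->size) goto corrupt_input;` ahead of the `if (contents[roff + 5] == 0xb8)` test, exactly as the last hunk of this patch does for `rel->r_offset`. The hunk at @@ -3587 reads `contents[roff + 5]` the same way and needs the same guard. The enclosing function starts and ends outside the hunk.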
@@ -3329,7 +3348,8 @@ direct:
movl $x@tpoff, %rax. */
unsigned int val, type;
-
+ if (roff < 3)
+ goto corrupt_input;
type = bfd_get_8 (input_bfd, contents + roff - 3);
val = bfd_get_8 (input_bfd, contents + roff - 1);
bfd_put_8 (output_bfd, 0x48 | ((type >> 2) & 1),
@@ -3376,7 +3396,11 @@ direct:
if (roff >= 3)
val = bfd_get_8 (input_bfd, contents + roff - 3);
else
- val = 0;
+ {
+ if (roff < 2)
+ goto corrupt_input;
+ val = 0;
+ }
type = bfd_get_8 (input_bfd, contents + roff - 2);
reg = bfd_get_8 (input_bfd, contents + roff - 1);
reg >>= 3;
@@ -3384,11 +3408,19 @@ direct:
{
/* movq */
if (val == 0x4c)
+ {
+ if (roff < 3)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x49,
contents + roff - 3);
+ }
else if (!ABI_64_P (output_bfd) && val == 0x44)
+ {
+ if (roff < 3)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x41,
contents + roff - 3);
+ }
bfd_put_8 (output_bfd, 0xc7,
contents + roff - 2);
bfd_put_8 (output_bfd, 0xc0 | reg,
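Review bot: The `if (roff < 3)` guards added before the two `contents + roff - 3` stores appear redundant given the hunk at @@ -3376, where `val` is read from `contents + roff - 3` only when `roff >= 3` and is otherwise 0, so neither the `0x4c` nor the `0x44` branch can be entered with `roff < 3` unless `val` or `roff` is changed by code outside these hunks. If they are intended as defense in depth, a short comment at the first one, such as `/* val != 0 implies roff >= 3; kept as a cheap safety net.  */`, would spare the next reader the cross-check. The same pattern recurs in the hunks at @@ -3399 and @@ -3413. The enclosing switch arm starts and ends outside the hunk.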
@@ -3399,11 +3431,19 @@ direct:
/* addq/addl -> addq/addl - addressing with %rsp/%r12
is special */
if (val == 0x4c)
+ {
+ if (roff < 3)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x49,
contents + roff - 3);
+ }
else if (!ABI_64_P (output_bfd) && val == 0x44)
+ {
+ if (roff < 3)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x41,
contents + roff - 3);
+ }
bfd_put_8 (output_bfd, 0x81,
contents + roff - 2);
bfd_put_8 (output_bfd, 0xc0 | reg,
@@ -3413,11 +3453,19 @@ direct:
{
/* addq/addl -> leaq/leal */
if (val == 0x4c)
+ {
+ if (roff < 3)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x4d,
contents + roff - 3);
+ }
else if (!ABI_64_P (output_bfd) && val == 0x44)
+ {
+ if (roff < 3)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x45,
contents + roff - 3);
+ }
bfd_put_8 (output_bfd, 0x8d,
contents + roff - 2);
bfd_put_8 (output_bfd, 0x80 | reg | (reg << 3),
@@ -3587,20 +3635,33 @@ direct:
{
if (contents[roff + 5] == 0xb8)
{
+ if (roff < 3
+ || (roff - 3 + 22) > input_section->size)
+ goto corrupt_input;
memcpy (contents + roff - 3,
"\x64\x48\x8b\x04\x25\0\0\0\0\x48\x03\x05"
"\0\0\0\0\x66\x0f\x1f\x44\0", 22);
largepic = 1;
}
else
+ {
+ if (roff < 4
+ || (roff - 4 + 16) > input_section->size)
+ goto corrupt_input;
memcpy (contents + roff - 4,
"\x64\x48\x8b\x04\x25\0\0\0\0\x48\x03\x05\0\0\0",
16);
+ }
}
else
+ {
+ if (roff < 3
+ || (roff - 3 + 15) > input_section->size)
+ goto corrupt_input;
memcpy (contents + roff - 3,
"\x64\x8b\x04\x25\0\0\0\0\x48\x03\x05\0\0\0",
15);
+ }
relocation = (htab->elf.sgot->output_section->vma
+ htab->elf.sgot->output_offset + off
@@ -3629,6 +3690,8 @@ direct:
turn a leaq into a movq in the form we use it, it
suffices to change the second byte from 0x8d to
0x8b. */
+ if (roff < 2)
+ goto corrupt_input;
bfd_put_8 (output_bfd, 0x8b, contents + roff - 2);
bfd_put_32 (output_bfd,
@@ -3697,28 +3760,57 @@ direct:
BFD_ASSERT (r_type == R_X86_64_TPOFF32);
if (ABI_64_P (output_bfd))
{
+ if ((rel->r_offset + 5) >= input_section->size)
+ goto corrupt_input;
if (contents[rel->r_offset + 5] == 0xb8)
+ {
+ if (rel->r_offset < 3
+ || (rel->r_offset - 3 + 22) > input_section->size)
+ goto corrupt_input;
memcpy (contents + rel->r_offset - 3,
"\x66\x66\x66\x66\x2e\x0f\x1f\x84\0\0\0\0\0"
"\x64\x48\x8b\x04\x25\0\0\0", 22);
+ }
else if (contents[rel->r_offset + 4] == 0xff
|| contents[rel->r_offset + 4] == 0x67)
+ {
+ if (rel->r_offset < 3
+ || (rel->r_offset - 3 + 13) > input_section->size)
+ goto corrupt_input;
memcpy (contents + rel->r_offset - 3,
"\x66\x66\x66\x66\x64\x48\x8b\x04\x25\0\0\0",
13);
+ }
else
+ {
+ if (rel->r_offset < 3
+ || (rel->r_offset - 3 + 12) > input_section->size)
+ goto corrupt_input;
memcpy (contents + rel->r_offset - 3,
"\x66\x66\x66\x64\x48\x8b\x04\x25\0\0\0", 12);
+ }
}
else
{
+ if ((rel->r_offset + 4) >= input_section->size)
+ goto corrupt_input;
if (contents[rel->r_offset + 4] == 0xff)
+ {
+ if (rel->r_offset < 3
+ || (rel->r_offset - 3 + 13) > input_section->size)
+ goto corrupt_input;
memcpy (contents + rel->r_offset - 3,
"\x66\x0f\x1f\x40\x00\x64\x8b\x04\x25\0\0\0",
13);
+ }
else
+ {
+ if (rel->r_offset < 3
+ || (rel->r_offset - 3 + 12) > input_section->size)
+ goto corrupt_input;
memcpy (contents + rel->r_offset - 3,
"\x0f\x1f\x40\x00\x64\x8b\x04\x25\0\0\0", 12);
+ }
}
/* Skip R_X86_64_PC32, R_X86_64_PLT32, R_X86_64_GOTPCRELX
and R_X86_64_PLTOFF64. */
--
2.31.1