diff options
author | Trevor Gamblin <trevor.gamblin@windriver.com> | 2020-01-17 19:14:23 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-01-28 11:15:01 +0000 |
commit | 271da31a92aaa18972d4668f2f5489f7a9de9020 (patch) | |
tree | 4d734d687dbbeaf2b1aecf68a919564d70c246ca | |
parent | f4c99702276ecd64e7b4fe5e7367f04721d76249 (diff) | |
download | poky-271da31a92aaa18972d4668f2f5489f7a9de9020.tar.gz |
binutils: fix CVE-2019-17451
Backport upstream fix.
(From OE-Core rev: 02c54859c009be191958a19a5c3549a6635cc647)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.32.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch | 51 |
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc index a92bfd0354..739ba70cf2 100644 --- a/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc | |||
@@ -53,6 +53,7 @@ SRC_URI = "\ | |||
53 | file://CVE-2019-14250.patch \ | 53 | file://CVE-2019-14250.patch \ |
54 | file://CVE-2019-14444.patch \ | 54 | file://CVE-2019-14444.patch \ |
55 | file://CVE-2019-17450.patch \ | 55 | file://CVE-2019-17450.patch \ |
56 | file://CVE-2019-17451.patch \ | ||
56 | " | 57 | " |
57 | S = "${WORKDIR}/git" | 58 | S = "${WORKDIR}/git" |
58 | 59 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch new file mode 100644 index 0000000000..b36a532668 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Wed, 9 Oct 2019 10:47:13 +1030 | ||
4 | Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line | ||
5 | |||
6 | Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog | ||
7 | file. There are newer versions of binutils, but none of them contain the | ||
8 | commit fixing CVE-2019-17451, so backport it to master and zeus. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848] | ||
12 | CVE: CVE-2019-17451 | ||
13 | Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> | ||
14 | |||
15 | |||
16 | Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 | ||
17 | and ffffd5555453b140 result in a total size of 1. Reading the first | ||
18 | section of course overflows the buffer and tramples on other memory. | ||
19 | |||
20 | PR 25070 | ||
21 | * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of | ||
22 | total_size calculation. | ||
23 | --- | ||
24 | bfd/dwarf2.c | 11 ++++++++++- | ||
25 | 1 file changed, 10 insertions(+), 1 deletion(-) | ||
26 | |||
27 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c | ||
28 | index 0b4e485582..a91597b1d0 100644 | ||
29 | --- a/bfd/dwarf2.c | ||
30 | +++ b/bfd/dwarf2.c | ||
31 | @@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, | ||
32 | for (total_size = 0; | ||
33 | msec; | ||
34 | msec = find_debug_info (debug_bfd, debug_sections, msec)) | ||
35 | - total_size += msec->size; | ||
36 | + { | ||
37 | + /* Catch PR25070 testcase overflowing size calculation here. */ | ||
38 | + if (total_size + msec->size < total_size | ||
39 | + || total_size + msec->size < msec->size) | ||
40 | + { | ||
41 | + bfd_set_error (bfd_error_no_memory); | ||
42 | + return FALSE; | ||
43 | + } | ||
44 | + total_size += msec->size; | ||
45 | + } | ||
46 | |||
47 | stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); | ||
48 | if (stash->info_ptr_memory == NULL) | ||
49 | -- | ||
50 | 2.23.0 | ||
51 | |||