diff options
author | Armin Kuster <akuster@mvista.com> | 2018-08-05 21:53:37 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-06 16:24:02 +0100 |
commit | b44ea099835afaaac92819c512f2d438540864d5 (patch) | |
tree | ad89e44b6030f409874b961d508325a0a677ec94 | |
parent | b83fd9847fae7f9b02091df8e6b3ffb2b70326bd (diff) | |
download | poky-b44ea099835afaaac92819c512f2d438540864d5.tar.gz |
binutls: Security fix CVE-2018-7643
Affects <= 2.30
(From OE-Core rev: 70308a1133a3bd0e9d297bd66be4e05722484e7a)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.30.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch | 102 |
2 files changed, 103 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc index 349fa5a36a..1952d46c20 100644 --- a/meta/recipes-devtools/binutils/binutils-2.30.inc +++ b/meta/recipes-devtools/binutils/binutils-2.30.inc | |||
@@ -36,6 +36,7 @@ SRC_URI = "\ | |||
36 | file://0014-Detect-64-bit-MIPS-targets.patch \ | 36 | file://0014-Detect-64-bit-MIPS-targets.patch \ |
37 | file://0015-sync-with-OE-libtool-changes.patch \ | 37 | file://0015-sync-with-OE-libtool-changes.patch \ |
38 | file://CVE-2018-8945.patch \ | 38 | file://CVE-2018-8945.patch \ |
39 | file://CVE-2018-7643.patch \ | ||
39 | " | 40 | " |
40 | S = "${WORKDIR}/git" | 41 | S = "${WORKDIR}/git" |
41 | 42 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch new file mode 100644 index 0000000000..2a2dec3a48 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Thu, 1 Mar 2018 16:14:08 +0000 | ||
4 | Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow | ||
5 | when parsing corrupt DWARF information on a 32-bit host. | ||
6 | |||
7 | PR 22905 | ||
8 | * dwarf.c (display_debug_ranges): Check that the offset loaded | ||
9 | from the range_entry structure is valid. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | Affects: Binutils <= 2.30 | ||
13 | CVE: CVE-2018-7643 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | binutils/ChangeLog | 6 ++++++ | ||
18 | binutils/dwarf.c | 15 +++++++++++++++ | ||
19 | 2 files changed, 21 insertions(+) | ||
20 | |||
21 | Index: git/binutils/dwarf.c | ||
22 | =================================================================== | ||
23 | --- git.orig/binutils/dwarf.c | ||
24 | +++ git/binutils/dwarf.c | ||
25 | @@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data, | ||
26 | } \ | ||
27 | while (0) | ||
28 | |||
29 | +/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value. | ||
30 | + Checks to make sure that the read will not reach or pass END | ||
31 | + and that VAL is big enough to hold AMOUNT bytes. */ | ||
32 | #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END) \ | ||
33 | do \ | ||
34 | { \ | ||
35 | @@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data, | ||
36 | } \ | ||
37 | while (0) | ||
38 | |||
39 | +/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT. */ | ||
40 | #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END) \ | ||
41 | do \ | ||
42 | { \ | ||
43 | @@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data, | ||
44 | } \ | ||
45 | while (0) | ||
46 | |||
47 | +/* Like SAFE_BYTE_GET, but reads a signed value. */ | ||
48 | #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END) \ | ||
49 | do \ | ||
50 | { \ | ||
51 | @@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data, | ||
52 | } \ | ||
53 | while (0) | ||
54 | |||
55 | +/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT. */ | ||
56 | #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END) \ | ||
57 | do \ | ||
58 | { \ | ||
59 | @@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char | ||
60 | break; | ||
61 | SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish); | ||
62 | |||
63 | + | ||
64 | printf (" %8.8lx ", offset); | ||
65 | |||
66 | if (begin == 0 && end == 0) | ||
67 | @@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_secti | ||
68 | continue; | ||
69 | } | ||
70 | |||
71 | + if (next < section_begin || next >= finish) | ||
72 | + { | ||
73 | + warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"), | ||
74 | + (unsigned long) offset, i); | ||
75 | + continue; | ||
76 | + } | ||
77 | + | ||
78 | if (dwarf_check != 0 && i > 0) | ||
79 | { | ||
80 | if (start < next) | ||
81 | @@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_secti | ||
82 | (unsigned long) (next - section_begin), section->name); | ||
83 | } | ||
84 | } | ||
85 | + | ||
86 | start = next; | ||
87 | last_start = next; | ||
88 | |||
89 | Index: git/bfd/ChangeLog | ||
90 | =================================================================== | ||
91 | --- git.orig/bfd/ChangeLog | ||
92 | +++ git/bfd/ChangeLog | ||
93 | @@ -1,3 +1,9 @@ | ||
94 | +2018-03-01 Nick Clifton <nickc@redhat.com> | ||
95 | + | ||
96 | + PR 22905 | ||
97 | + * dwarf.c (display_debug_ranges): Check that the offset loaded | ||
98 | + from the range_entry structure is valid. | ||
99 | + | ||
100 | 2018-05-08 Nick Clifton <nickc@redhat.com> | ||
101 | |||
102 | PR 22809 | ||