diff options
author | Armin Kuster <akuster@mvista.com> | 2016-05-06 00:11:57 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-05-17 14:43:30 +0100 |
commit | a906a09c730683ee14b84fd890d109f52c9e3b02 (patch) | |
tree | b2b33f5b78cf6ff1b82b9b175aea35454a844951 | |
parent | a1928c81e6f6d81e4b50c1d295758b20a2778a61 (diff) | |
download | poky-a906a09c730683ee14b84fd890d109f52c9e3b02.tar.gz |
gcc: Security fix CVE-2016-4490
(From OE-Core rev: 2fef37fab6967410aff33744c8843bcae028de56)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-5.3.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch | 270 |
2 files changed, 271 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc index 2ba25a1cec..5dd8022430 100644 --- a/meta/recipes-devtools/gcc/gcc-5.3.inc +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc | |||
@@ -93,6 +93,7 @@ SRC_URI = "\ | |||
93 | file://CVE-2016-4488.patch \ | 93 | file://CVE-2016-4488.patch \ |
94 | file://CVE-2016-4489.patch \ | 94 | file://CVE-2016-4489.patch \ |
95 | file://CVE-2016-2226.patch \ | 95 | file://CVE-2016-2226.patch \ |
96 | file://CVE-2016-4490.patch \ | ||
96 | " | 97 | " |
97 | 98 | ||
98 | BACKPORTS = "" | 99 | BACKPORTS = "" |
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch new file mode 100644 index 0000000000..4a9ed69938 --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch | |||
@@ -0,0 +1,270 @@ | |||
1 | From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001 | ||
2 | From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4> | ||
3 | Date: Mon, 2 May 2016 17:06:40 +0000 | ||
4 | Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?= | ||
5 | =?UTF-8?q?=20Marcel=20B=C3=B6hme.?= | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | PR c++/70498 | ||
11 | * cp-demangle.c: Parse numbers as integer instead of long to avoid | ||
12 | overflow after sanity checks. Include <limits.h> if available. | ||
13 | (INT_MAX): Define if necessary. | ||
14 | (d_make_template_param): Takes integer argument instead of long. | ||
15 | (d_make_function_param): Likewise. | ||
16 | (d_append_num): Likewise. | ||
17 | (d_identifier): Likewise. | ||
18 | (d_number): Parse as and return integer. | ||
19 | (d_compact_number): Handle overflow. | ||
20 | (d_source_name): Change variable type to integer for parsed number. | ||
21 | (d_java_resource): Likewise. | ||
22 | (d_special_name): Likewise. | ||
23 | (d_discriminator): Likewise. | ||
24 | (d_unnamed_type): Likewise. | ||
25 | * testsuite/demangle-expected: Add regression test cases. | ||
26 | |||
27 | |||
28 | |||
29 | git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4 | ||
30 | |||
31 | Upstream-Status: Backport | ||
32 | |||
33 | CVE: CVE-2016-4490 | ||
34 | hand applied ChangeLog | ||
35 | |||
36 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
37 | |||
38 | --- | ||
39 | libiberty/ChangeLog | 19 +++++++++++++ | ||
40 | libiberty/cp-demangle.c | 52 ++++++++++++++++++++--------------- | ||
41 | libiberty/testsuite/demangle-expected | 14 ++++++++-- | ||
42 | 3 files changed, 61 insertions(+), 24 deletions(-) | ||
43 | |||
44 | Index: gcc-5.3.0/libiberty/cp-demangle.c | ||
45 | =================================================================== | ||
46 | --- gcc-5.3.0.orig/libiberty/cp-demangle.c | ||
47 | +++ gcc-5.3.0/libiberty/cp-demangle.c | ||
48 | @@ -124,6 +124,13 @@ extern char *alloca (); | ||
49 | # endif /* alloca */ | ||
50 | #endif /* HAVE_ALLOCA_H */ | ||
51 | |||
52 | +#ifdef HAVE_LIMITS_H | ||
53 | +#include <limits.h> | ||
54 | +#endif | ||
55 | +#ifndef INT_MAX | ||
56 | +# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ | ||
57 | +#endif | ||
58 | + | ||
59 | #include "ansidecl.h" | ||
60 | #include "libiberty.h" | ||
61 | #include "demangle.h" | ||
62 | @@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v | ||
63 | struct demangle_component *); | ||
64 | |||
65 | static struct demangle_component * | ||
66 | -d_make_template_param (struct d_info *, long); | ||
67 | +d_make_template_param (struct d_info *, int); | ||
68 | |||
69 | static struct demangle_component * | ||
70 | d_make_sub (struct d_info *, const char *, int); | ||
71 | @@ -417,7 +424,7 @@ static struct demangle_component *d_unqu | ||
72 | |||
73 | static struct demangle_component *d_source_name (struct d_info *); | ||
74 | |||
75 | -static long d_number (struct d_info *); | ||
76 | +static int d_number (struct d_info *); | ||
77 | |||
78 | static struct demangle_component *d_identifier (struct d_info *, int); | ||
79 | |||
80 | @@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu | ||
81 | /* Add a new template parameter. */ | ||
82 | |||
83 | static struct demangle_component * | ||
84 | -d_make_template_param (struct d_info *di, long i) | ||
85 | +d_make_template_param (struct d_info *di, int i) | ||
86 | { | ||
87 | struct demangle_component *p; | ||
88 | |||
89 | @@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di | ||
90 | /* Add a new function parameter. */ | ||
91 | |||
92 | static struct demangle_component * | ||
93 | -d_make_function_param (struct d_info *di, long i) | ||
94 | +d_make_function_param (struct d_info *di, int i) | ||
95 | { | ||
96 | struct demangle_component *p; | ||
97 | |||
98 | @@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di) | ||
99 | static struct demangle_component * | ||
100 | d_source_name (struct d_info *di) | ||
101 | { | ||
102 | - long len; | ||
103 | + int len; | ||
104 | struct demangle_component *ret; | ||
105 | |||
106 | len = d_number (di); | ||
107 | @@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di) | ||
108 | |||
109 | /* number ::= [n] <(non-negative decimal integer)> */ | ||
110 | |||
111 | -static long | ||
112 | +static int | ||
113 | d_number (struct d_info *di) | ||
114 | { | ||
115 | int negative; | ||
116 | char peek; | ||
117 | - long ret; | ||
118 | + int ret; | ||
119 | |||
120 | negative = 0; | ||
121 | peek = d_peek_char (di); | ||
122 | @@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di) | ||
123 | { | ||
124 | struct demangle_component *p = NULL; | ||
125 | struct demangle_component *next = NULL; | ||
126 | - long len, i; | ||
127 | + int len, i; | ||
128 | char c; | ||
129 | const char *str; | ||
130 | |||
131 | @@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di) | ||
132 | case 'C': | ||
133 | { | ||
134 | struct demangle_component *derived_type; | ||
135 | - long offset; | ||
136 | + int offset; | ||
137 | struct demangle_component *base_type; | ||
138 | |||
139 | derived_type = cplus_demangle_type (di); | ||
140 | @@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info | ||
141 | |||
142 | /* <non-negative number> _ */ | ||
143 | |||
144 | -static long | ||
145 | +static int | ||
146 | d_compact_number (struct d_info *di) | ||
147 | { | ||
148 | - long num; | ||
149 | + int num; | ||
150 | if (d_peek_char (di) == '_') | ||
151 | num = 0; | ||
152 | else if (d_peek_char (di) == 'n') | ||
153 | @@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di) | ||
154 | else | ||
155 | num = d_number (di) + 1; | ||
156 | |||
157 | - if (! d_check_char (di, '_')) | ||
158 | + if (num < 0 || ! d_check_char (di, '_')) | ||
159 | return -1; | ||
160 | return num; | ||
161 | } | ||
162 | @@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di) | ||
163 | static struct demangle_component * | ||
164 | d_template_param (struct d_info *di) | ||
165 | { | ||
166 | - long param; | ||
167 | + int param; | ||
168 | |||
169 | if (! d_check_char (di, 'T')) | ||
170 | return NULL; | ||
171 | @@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di) | ||
172 | } | ||
173 | else | ||
174 | { | ||
175 | - index = d_compact_number (di) + 1; | ||
176 | - if (index == 0) | ||
177 | + index = d_compact_number (di); | ||
178 | + if (index == INT_MAX || index == -1) | ||
179 | return NULL; | ||
180 | + index ++; | ||
181 | } | ||
182 | return d_make_function_param (di, index); | ||
183 | } | ||
184 | @@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di) | ||
185 | static int | ||
186 | d_discriminator (struct d_info *di) | ||
187 | { | ||
188 | - long discrim; | ||
189 | + int discrim; | ||
190 | |||
191 | if (d_peek_char (di) != '_') | ||
192 | return 1; | ||
193 | @@ -3511,7 +3519,7 @@ static struct demangle_component * | ||
194 | d_unnamed_type (struct d_info *di) | ||
195 | { | ||
196 | struct demangle_component *ret; | ||
197 | - long num; | ||
198 | + int num; | ||
199 | |||
200 | if (! d_check_char (di, 'U')) | ||
201 | return NULL; | ||
202 | @@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp | ||
203 | } | ||
204 | |||
205 | static inline void | ||
206 | -d_append_num (struct d_print_info *dpi, long l) | ||
207 | +d_append_num (struct d_print_info *dpi, int l) | ||
208 | { | ||
209 | char buf[25]; | ||
210 | - sprintf (buf,"%ld", l); | ||
211 | + sprintf (buf,"%d", l); | ||
212 | d_append_string (dpi, buf); | ||
213 | } | ||
214 | |||
215 | Index: gcc-5.3.0/libiberty/testsuite/demangle-expected | ||
216 | =================================================================== | ||
217 | --- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected | ||
218 | +++ gcc-5.3.0/libiberty/testsuite/demangle-expected | ||
219 | @@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP | ||
220 | _Z1fSsB3fooS_ | ||
221 | f(std::string[abi:foo], std::string[abi:foo]) | ||
222 | # | ||
223 | -# Tests a use-after-free problem | ||
224 | +# Tests a use-after-free problem PR70481 | ||
225 | |||
226 | _Q.__0 | ||
227 | ::Q.(void) | ||
228 | # | ||
229 | -# Tests a use-after-free problem | ||
230 | +# Tests a use-after-free problem PR70481 | ||
231 | |||
232 | _Q10-__9cafebabe. | ||
233 | cafebabe.::-(void) | ||
234 | +# | ||
235 | +# Tests integer overflow problem PR70492 | ||
236 | + | ||
237 | +__vt_90000000000cafebabe | ||
238 | +__vt_90000000000cafebabe | ||
239 | +# | ||
240 | +# Tests write access violation PR70498 | ||
241 | + | ||
242 | +_Z80800000000000000000000 | ||
243 | +_Z80800000000000000000000 | ||
244 | Index: gcc-5.3.0/libiberty/ChangeLog | ||
245 | =================================================================== | ||
246 | --- gcc-5.3.0.orig/libiberty/ChangeLog | ||
247 | +++ gcc-5.3.0/libiberty/ChangeLog | ||
248 | @@ -1,3 +1,22 @@ | ||
249 | +2016-05-02 Marcel Böhme <boehme.marcel@gmail.com> | ||
250 | + | ||
251 | + PR c++/70498 | ||
252 | + * cp-demangle.c: Parse numbers as integer instead of long to avoid | ||
253 | + overflow after sanity checks. Include <limits.h> if available. | ||
254 | + (INT_MAX): Define if necessary. | ||
255 | + (d_make_template_param): Takes integer argument instead of long. | ||
256 | + (d_make_function_param): Likewise. | ||
257 | + (d_append_num): Likewise. | ||
258 | + (d_identifier): Likewise. | ||
259 | + (d_number): Parse as and return integer. | ||
260 | + (d_compact_number): Handle overflow. | ||
261 | + (d_source_name): Change variable type to integer for parsed number. | ||
262 | + (d_java_resource): Likewise. | ||
263 | + (d_special_name): Likewise. | ||
264 | + (d_discriminator): Likewise. | ||
265 | + (d_unnamed_type): Likewise. | ||
266 | + * testsuite/demangle-expected: Add regression test cases. | ||
267 | + | ||
268 | 2016-04-08 Marcel Böhme <boehme.marcel@gmail.com> | ||
269 | |||
270 | PR c++/69687 | ||