authorArmin Kuster <akuster@mvista.com>2016-05-06 00:11:57 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-05-17 14:43:30 +0100
commita906a09c730683ee14b84fd890d109f52c9e3b02 (patch)
treeb2b33f5b78cf6ff1b82b9b175aea35454a844951
parenta1928c81e6f6d81e4b50c1d295758b20a2778a61 (diff)
gcc: Security fix CVE-2016-4490
(From OE-Core rev: 2fef37fab6967410aff33744c8843bcae028de56) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/gcc/gcc-5.3.inc1
-rw-r--r--meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch270
2 files changed, 271 insertions, 0 deletions
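--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -93,6 +93,7 @@ SRC_URI = "\
  file://CVE-2016-4488.patch \
  file://CVE-2016-4489.patch \
  file://CVE-2016-2226.patch \
+ file://CVE-2016-4490.patch \
 "
 
 BACKPORTS = ""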
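--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-4490.patch
@@ -0,0 +1,270 @@
+From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Mon, 2 May 2016 17:06:40 +0000
+Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?=
+ =?UTF-8?q?=20Marcel=20B=C3=B6hme.?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ PR c++/70498
+ * cp-demangle.c: Parse numbers as integer instead of long to avoid
+ overflow after sanity checks. Include <limits.h> if available.
+ (INT_MAX): Define if necessary.
+ (d_make_template_param): Takes integer argument instead of long.
+ (d_make_function_param): Likewise.
+ (d_append_num): Likewise.
+ (d_identifier): Likewise.
+ (d_number): Parse as and return integer.
+ (d_compact_number): Handle overflow.
+ (d_source_name): Change variable type to integer for parsed number.
+ (d_java_resource): Likewise.
+ (d_special_name): Likewise.
+ (d_discriminator): Likewise.
+ (d_unnamed_type): Likewise.
+ * testsuite/demangle-expected: Add regression test cases.
+
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+
+CVE: CVE-2016-4490
+hand applied ChangeLog
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libiberty/ChangeLog | 19 +++++++++++++
+ libiberty/cp-demangle.c | 52 ++++++++++++++++++++---------------
+ libiberty/testsuite/demangle-expected | 14 ++++++++--
+ 3 files changed, 61 insertions(+), 24 deletions(-)
+
+Index: gcc-5.3.0/libiberty/cp-demangle.c
+===================================================================
+--- gcc-5.3.0.orig/libiberty/cp-demangle.c
++++ gcc-5.3.0/libiberty/cp-demangle.c
+@@ -124,6 +124,13 @@ extern char *alloca ();
+ # endif /* alloca */
+ #endif /* HAVE_ALLOCA_H */
+
++#ifdef HAVE_LIMITS_H
++#include <limits.h>
++#endif
++#ifndef INT_MAX
++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
++#endif
++
+ #include "ansidecl.h"
+ #include "libiberty.h"
+ #include "demangle.h"
+@@ -394,7 +401,7 @@ d_make_dtor (struct d_info *, enum gnu_v
+ struct demangle_component *);
+
+ static struct demangle_component *
+-d_make_template_param (struct d_info *, long);
++d_make_template_param (struct d_info *, int);
+
+ static struct demangle_component *
+ d_make_sub (struct d_info *, const char *, int);
+@@ -417,7 +424,7 @@ static struct demangle_component *d_unqu
+
+ static struct demangle_component *d_source_name (struct d_info *);
+
+-static long d_number (struct d_info *);
++static int d_number (struct d_info *);
+
+ static struct demangle_component *d_identifier (struct d_info *, int);
+
+@@ -1105,7 +1112,7 @@ d_make_dtor (struct d_info *di, enum gnu
+ /* Add a new template parameter. */
+
+ static struct demangle_component *
+-d_make_template_param (struct d_info *di, long i)
++d_make_template_param (struct d_info *di, int i)
+ {
+ struct demangle_component *p;
+
+@@ -1121,7 +1128,7 @@ d_make_template_param (struct d_info *di
+ /* Add a new function parameter. */
+
+ static struct demangle_component *
+-d_make_function_param (struct d_info *di, long i)
++d_make_function_param (struct d_info *di, int i)
+ {
+ struct demangle_component *p;
+
+@@ -1595,7 +1602,7 @@ d_unqualified_name (struct d_info *di)
+ static struct demangle_component *
+ d_source_name (struct d_info *di)
+ {
+- long len;
++ int len;
+ struct demangle_component *ret;
+
+ len = d_number (di);
+@@ -1608,12 +1615,12 @@ d_source_name (struct d_info *di)
+
+ /* number ::= [n] <(non-negative decimal integer)> */
+
+-static long
++static int
+ d_number (struct d_info *di)
+ {
+ int negative;
+ char peek;
+- long ret;
++ int ret;
+
+ negative = 0;
+ peek = d_peek_char (di);
+@@ -1840,7 +1847,7 @@ d_java_resource (struct d_info *di)
+ {
+ struct demangle_component *p = NULL;
+ struct demangle_component *next = NULL;
+- long len, i;
++ int len, i;
+ char c;
+ const char *str;
+
+@@ -1982,7 +1989,7 @@ d_special_name (struct d_info *di)
+ case 'C':
+ {
+ struct demangle_component *derived_type;
+- long offset;
++ int offset;
+ struct demangle_component *base_type;
+
+ derived_type = cplus_demangle_type (di);
+@@ -2905,10 +2912,10 @@ d_pointer_to_member_type (struct d_info
+
+ /* <non-negative number> _ */
+
+-static long
++static int
+ d_compact_number (struct d_info *di)
+ {
+- long num;
++ int num;
+ if (d_peek_char (di) == '_')
+ num = 0;
+ else if (d_peek_char (di) == 'n')
+@@ -2916,7 +2923,7 @@ d_compact_number (struct d_info *di)
+ else
+ num = d_number (di) + 1;
+
+- if (! d_check_char (di, '_'))
++ if (num < 0 || ! d_check_char (di, '_'))
+ return -1;
+ return num;
+ }
+@@ -2928,7 +2935,7 @@ d_compact_number (struct d_info *di)
+ static struct demangle_component *
+ d_template_param (struct d_info *di)
+ {
+- long param;
++ int param;
+
+ if (! d_check_char (di, 'T'))
+ return NULL;
+@@ -3130,9 +3137,10 @@ d_expression_1 (struct d_info *di)
+ }
+ else
+ {
+- index = d_compact_number (di) + 1;
+- if (index == 0)
++ index = d_compact_number (di);
++ if (index == INT_MAX || index == -1)
+ return NULL;
++ index ++;
+ }
+ return d_make_function_param (di, index);
+ }
+@@ -3455,7 +3463,7 @@ d_local_name (struct d_info *di)
+ static int
+ d_discriminator (struct d_info *di)
+ {
+- long discrim;
++ int discrim;
+
+ if (d_peek_char (di) != '_')
+ return 1;
+@@ -3511,7 +3519,7 @@ static struct demangle_component *
+ d_unnamed_type (struct d_info *di)
+ {
+ struct demangle_component *ret;
+- long num;
++ int num;
+
+ if (! d_check_char (di, 'U'))
+ return NULL;
+@@ -4037,10 +4045,10 @@ d_append_string (struct d_print_info *dp
+ }
+
+ static inline void
+-d_append_num (struct d_print_info *dpi, long l)
++d_append_num (struct d_print_info *dpi, int l)
+ {
+ char buf[25];
+- sprintf (buf,"%ld", l);
++ sprintf (buf,"%d", l);
+ d_append_string (dpi, buf);
+ }
+
+Index: gcc-5.3.0/libiberty/testsuite/demangle-expected
+===================================================================
+--- gcc-5.3.0.orig/libiberty/testsuite/demangle-expected
++++ gcc-5.3.0/libiberty/testsuite/demangle-expected
+@@ -4357,12 +4357,22 @@ _QueueNotification_QueueController__$4PP
+ _Z1fSsB3fooS_
+ f(std::string[abi:foo], std::string[abi:foo])
+ #
+-# Tests a use-after-free problem
++# Tests a use-after-free problem PR70481
+
+ _Q.__0
+ ::Q.(void)
+ #
+-# Tests a use-after-free problem
++# Tests a use-after-free problem PR70481
+
+ _Q10-__9cafebabe.
+ cafebabe.::-(void)
++#
++# Tests integer overflow problem PR70492
++
++__vt_90000000000cafebabe
++__vt_90000000000cafebabe
++#
++# Tests write access violation PR70498
++
++_Z80800000000000000000000
++_Z80800000000000000000000
+Index: gcc-5.3.0/libiberty/ChangeLog
+===================================================================
+--- gcc-5.3.0.orig/libiberty/ChangeLog
++++ gcc-5.3.0/libiberty/ChangeLog
+@@ -1,3 +1,22 @@
++2016-05-02 Marcel Böhme <boehme.marcel@gmail.com>
++
++ PR c++/70498
++ * cp-demangle.c: Parse numbers as integer instead of long to avoid
++ overflow after sanity checks. Include <limits.h> if available.
++ (INT_MAX): Define if necessary.
++ (d_make_template_param): Takes integer argument instead of long.
++ (d_make_function_param): Likewise.
++ (d_append_num): Likewise.
++ (d_identifier): Likewise.
++ (d_number): Parse as and return integer.
++ (d_compact_number): Handle overflow.
++ (d_source_name): Change variable type to integer for parsed number.
++ (d_java_resource): Likewise.
++ (d_special_name): Likewise.
++ (d_discriminator): Likewise.
++ (d_unnamed_type): Likewise.
++ * testsuite/demangle-expected: Add regression test cases.
++
+ 2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
+
+ PR c++/69687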
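Review bot: In the d_compact_number hunks of the embedded patch, `num = d_number (di) + 1;` is still evaluated before the new `num < 0` test, so a d_number result of INT_MAX overflows a signed int; that is undefined behaviour, and a compiler may assume it never happens and drop the guard. Testing before the increment keeps the check independent of wraparound, for example `else { num = d_number (di); if (num == INT_MAX) return -1; num++; }`, which is the order the d_expression_1 hunk already uses for `index`. The digit-accumulation loop of d_number lies outside the visible hunks, so whether it can itself overflow now that `ret` is an `int` rather than a `long` should be confirmed there. A comment on d_compact_number stating that -1 is returned both for a malformed encoding and for an out-of-range number would also help callers such as d_template_param.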