Binutils: Security fix for CVE-2018-13033

Affects: <= 2.30 (From OE-Core rev: 64afab325facc55f4a49247e4033b1d3c8b22b67) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-08 12:07:35 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 1b202d632b1c12cb3fb4683c53098e245ba99f23 (patch)
tree: ce1f3e62092879cef3d9b15262457be6a96b37ea
parent: 8eeacb689b934c989a1cfad882559cd2d5c5f901 (diff)
download: poky-1b202d632b1c12cb3fb4683c53098e245ba99f23.tar.gz
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 4d9983b984..2f9b4fee02 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
     file://CVE-2018-10373.patch \
     file://CVE-2018-10534.patch \
     file://CVE-2018-10535.patch \
+     file://CVE-2018-13033.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch
new file mode 100644
index 0000000000..3fa852c951
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch
@@ -0,0 +1,71 @@
+From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 8 May 2018 12:51:06 +0100
+Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
+ fuzzed input file with corrupt string and attribute sections.
+        PR 22809
+        * elf.c (bfd_elf_get_str_section): Check for an excessively large
+        string section.
+        * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+        attribute section is larger than the size of the file.
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-13033
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog   | 8 ++++++++
+ bfd/elf-attrs.c | 9 +++++++++
+ bfd/elf.c       | 1 +
+ 3 files changed, 18 insertions(+)
+Index: git/bfd/elf-attrs.c
+===================================================================
+--- git.orig/bfd/elf-attrs.c
+++ git/bfd/elf-attrs.c
+@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
+   /* PR 17512: file: 2844a11d.  */
+   if (hdr->sh_size == 0)
+     return;
+  if (hdr->sh_size > bfd_get_file_size (abfd))
+    {
+      /* xgettext:c-format */
+      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
+                         abfd, hdr->bfd_section, (long long) hdr->sh_size);
+      bfd_set_error (bfd_error_invalid_operation);
+      return;
+    }
+
+   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+   if (!contents)
+     return;
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
+++ git/bfd/elf.c
+@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+       /* Allocate and clear an extra byte at the end, to prevent crashes
+         in case the string table is not terminated.  */
+       if (shstrtabsize + 1 <= 1
+         || shstrtabsize > bfd_get_file_size (abfd)
+          || bfd_seek (abfd, offset, SEEK_SET) != 0
+          || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+        shstrtab = NULL;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
+2018-05-08  Nick Clifton  <nickc@redhat.com>
+
+       PR 22809
+       * elf.c (bfd_elf_get_str_section): Check for an excessively large
+       string section.
+       * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+       attribute section is larger than the size of the file.
+
+ 2018-04-24  Nick Clifton  <nickc@redhat.com>
+  
+        PR 23113
author	Armin Kuster <akuster@mvista.com>	2018-08-08 12:07:35 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	1b202d632b1c12cb3fb4683c53098e245ba99f23 (patch)
tree	ce1f3e62092879cef3d9b15262457be6a96b37ea
parent	8eeacb689b934c989a1cfad882559cd2d5c5f901 (diff)
download	poky-1b202d632b1c12cb3fb4683c53098e245ba99f23.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 4d9983b984..2f9b4fee02 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
69	file://CVE-2018-10373.patch \	69	file://CVE-2018-10373.patch \
70	file://CVE-2018-10534.patch \	70	file://CVE-2018-10534.patch \
71	file://CVE-2018-10535.patch \	71	file://CVE-2018-10535.patch \
		72	file://CVE-2018-13033.patch \
72	"	73	"
73	S = "${WORKDIR}/git"	74	S = "${WORKDIR}/git"
74		75


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch new file mode 100644 index 0000000000..3fa852c951 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch
@@ -0,0 +1,71 @@
		1	From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Tue, 8 May 2018 12:51:06 +0100
		4	Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
		5	fuzzed input file with corrupt string and attribute sections.
		6
		7	PR 22809
		8	* elf.c (bfd_elf_get_str_section): Check for an excessively large
		9	string section.
		10	* elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
		11	attribute section is larger than the size of the file.
		12
		13	Upstream-Status: Backport
		14	Affects: <= 2.30
		15	CVE: CVE-2018-13033
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	bfd/ChangeLog \| 8 ++++++++
		20	bfd/elf-attrs.c \| 9 +++++++++
		21	bfd/elf.c \| 1 +
		22	3 files changed, 18 insertions(+)
		23
		24	Index: git/bfd/elf-attrs.c
		25	===================================================================
		26	--- git.orig/bfd/elf-attrs.c
		27	+++ git/bfd/elf-attrs.c
		28	@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
		29	/* PR 17512: file: 2844a11d. */
		30	if (hdr->sh_size == 0)
		31	return;
		32	+ if (hdr->sh_size > bfd_get_file_size (abfd))
		33	+ {
		34	+ /* xgettext:c-format */
		35	+ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
		36	+ abfd, hdr->bfd_section, (long long) hdr->sh_size);
		37	+ bfd_set_error (bfd_error_invalid_operation);
		38	+ return;
		39	+ }
		40	+
		41	contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
		42	if (!contents)
		43	return;
		44	Index: git/bfd/elf.c
		45	===================================================================
		46	--- git.orig/bfd/elf.c
		47	+++ git/bfd/elf.c
		48	@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
		49	/* Allocate and clear an extra byte at the end, to prevent crashes
		50	in case the string table is not terminated. */
		51	if (shstrtabsize + 1 <= 1
		52	+ \|\| shstrtabsize > bfd_get_file_size (abfd)
		53	\|\| bfd_seek (abfd, offset, SEEK_SET) != 0
		54	\|\| (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
		55	shstrtab = NULL;
		56	Index: git/bfd/ChangeLog
		57	===================================================================
		58	--- git.orig/bfd/ChangeLog
		59	+++ git/bfd/ChangeLog
		60	@@ -1,3 +1,11 @@
		61	+2018-05-08 Nick Clifton <nickc@redhat.com>
		62	+
		63	+ PR 22809
		64	+ * elf.c (bfd_elf_get_str_section): Check for an excessively large
		65	+ string section.
		66	+ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
		67	+ attribute section is larger than the size of the file.
		68	+
		69	2018-04-24 Nick Clifton <nickc@redhat.com>
		70
		71	PR 23113