Binutils: Security fix for CVE-2018-7208

Affects: <= 2.30 (From OE-Core rev: fc5adfb0af0cae0071c0136068f37fd35529fc7f) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-08 13:20:03 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 1b709e6837dca57e8416fd6066b5a3d821a13fca (patch)
tree: 8f0590b8b4a8969fbb0512ab357ffb1681985a74
parent: 5281adb8856934e003d37fb941070a329a9958fc (diff)
download: poky-1b709e6837dca57e8416fd6066b5a3d821a13fca.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index c668e63efc..13389a1d30 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -72,6 +72,7 @@ SRC_URI = "\
     file://CVE-2018-13033.patch \
     file://CVE-2018-6323.patch \
     file://CVE-2018-6759.patch \
+     file://CVE-2018-7208.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
new file mode 100644
index 0000000000..7d78db7eb3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
@@ -0,0 +1,47 @@
+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 27 Jan 2018 08:19:33 +1030
+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
+        PR 22741
+        * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+        range before converting to a symbol table pointer.
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-7208
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/coffgen.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+Index: git/bfd/coffgen.c
+===================================================================
+--- git.orig/bfd/coffgen.c
+++ git/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
+  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
+      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+        table_base + auxent->u.auxent.x_sym.x_tagndx.l;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2018-01-29  Alan Modra  <amodra@gmail.com>
+
+       PR 22741
+       * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+       range before converting to a symbol table pointer.
+
+ 2018-02-06  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22794
author	Armin Kuster <akuster@mvista.com>	2018-08-08 13:20:03 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	1b709e6837dca57e8416fd6066b5a3d821a13fca (patch)
tree	8f0590b8b4a8969fbb0512ab357ffb1681985a74
parent	5281adb8856934e003d37fb941070a329a9958fc (diff)
download	poky-1b709e6837dca57e8416fd6066b5a3d821a13fca.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index c668e63efc..13389a1d30 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -72,6 +72,7 @@ SRC_URI = "\
72	file://CVE-2018-13033.patch \	72	file://CVE-2018-13033.patch \
73	file://CVE-2018-6323.patch \	73	file://CVE-2018-6323.patch \
74	file://CVE-2018-6759.patch \	74	file://CVE-2018-6759.patch \
		75	file://CVE-2018-7208.patch \
75	"	76	"
76	S = "${WORKDIR}/git"	77	S = "${WORKDIR}/git"
77		78


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch new file mode 100644 index 0000000000..7d78db7eb3 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
@@ -0,0 +1,47 @@
		1	From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Sat, 27 Jan 2018 08:19:33 +1030
		4	Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
		5
		6	PR 22741
		7	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
		8	range before converting to a symbol table pointer.
		9
		10	Upstream-Status: Backport
		11	Affects: <= 2.30
		12	CVE: CVE-2018-7208
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	bfd/ChangeLog \| 6 ++++++
		17	bfd/coffgen.c \| 3 ++-
		18	2 files changed, 8 insertions(+), 1 deletion(-)
		19
		20	Index: git/bfd/coffgen.c
		21	===================================================================
		22	--- git.orig/bfd/coffgen.c
		23	+++ git/bfd/coffgen.c
		24	@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
		25	}
		26	/* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
		27	generate one, so we must be careful to ignore it. */
		28	- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
		29	+ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
		30	+ < obj_raw_syment_count (abfd))
		31	{
		32	auxent->u.auxent.x_sym.x_tagndx.p =
		33	table_base + auxent->u.auxent.x_sym.x_tagndx.l;
		34	Index: git/bfd/ChangeLog
		35	===================================================================
		36	--- git.orig/bfd/ChangeLog
		37	+++ git/bfd/ChangeLog
		38	@@ -1,3 +1,9 @@
		39	+2018-01-29 Alan Modra <amodra@gmail.com>
		40	+
		41	+ PR 22741
		42	+ * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
		43	+ range before converting to a symbol table pointer.
		44	+
		45	2018-02-06 Nick Clifton <nickc@redhat.com>
		46
		47	PR 22794