Binutils: Security fix for CVE-2018-6759

Affects: <= 2.30 (From OE-Core rev: 7baa3e4c8e920caa09082f88e412687cc1590454) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-08 13:14:17 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 5281adb8856934e003d37fb941070a329a9958fc (patch)
tree: 1f659641d3f9c4883a6ecebbb87aac25c868a820
parent: 53df81889a241cd1eee8b25c06800076736cbcd3 (diff)
download: poky-5281adb8856934e003d37fb941070a329a9958fc.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index db7305a954..c668e63efc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -71,6 +71,7 @@ SRC_URI = "\
     file://CVE-2018-10535.patch \
     file://CVE-2018-13033.patch \
     file://CVE-2018-6323.patch \
+     file://CVE-2018-6759.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
new file mode 100644
index 0000000000..3b0e98a0a3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
@@ -0,0 +1,108 @@
+From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 6 Feb 2018 15:48:29 +0000
+Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
+ chacking the size of debuglink sections.
+        PR 22794
+        * opncls.c (bfd_get_debug_link_info_1): Check the size of the
+        section before attempting to read it in.
+        (bfd_get_alt_debug_link_info): Likewise.
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-6759
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/opncls.c  | 22 +++++++++++++++++-----
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
+++ git/bfd/opncls.c
+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   bfd_byte *contents;
+   unsigned int crc_offset;
+   char *name;
+  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (crc32_out);
+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   if (sect == NULL)
+     return NULL;
+ 
+  size = bfd_get_section_size (sect);
+
+  /* PR 22794: Make sure that the section has a reasonable size.  */
+  if (size < 8 || size >= bfd_get_size (abfd))
+    return NULL;
+
+   if (!bfd_malloc_and_get_section (abfd, sect, &contents))
+     {
+       if (contents != NULL)
+@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+ 
+   /* CRC value is stored after the filename, aligned up to 4 bytes.  */
+   name = (char *) contents;
+-  /* PR 17597: avoid reading off the end of the buffer.  */
+-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+  /* PR 17597: Avoid reading off the end of the buffer.  */
+  crc_offset = strnlen (name, size) + 1;
+   crc_offset = (crc_offset + 3) & ~3;
+-  if (crc_offset + 4 > bfd_get_section_size (sect))
+  if (crc_offset + 4 > size)
+     return NULL;
+ 
+   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   bfd_byte *contents;
+   unsigned int buildid_offset;
+   char *name;
+  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (buildid_len);
+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   if (sect == NULL)
+     return NULL;
+ 
+  size = bfd_get_section_size (sect);
+  if (size < 8 || size >= bfd_get_size (abfd))
+    return NULL;
+
+   if (!bfd_malloc_and_get_section (abfd, sect, & contents))
+     {
+       if (contents != NULL)
+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+ 
+   /* BuildID value is stored after the filename.  */
+   name = (char *) contents;
+-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
+  buildid_offset = strnlen (name, size) + 1;
+   if (buildid_offset >= bfd_get_section_size (sect))
+     return NULL;
+ 
+-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;
+  *buildid_len = size - buildid_offset;
+   *buildid_out = bfd_malloc (*buildid_len);
+   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
+2018-02-06  Nick Clifton  <nickc@redhat.com>
+
+       PR 22794
+       * opncls.c (bfd_get_debug_link_info_1): Check the size of the
+       section before attempting to read it in.
+       (bfd_get_alt_debug_link_info): Likewise.
+
+ 2018-01-25  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22746
author	Armin Kuster <akuster@mvista.com>	2018-08-08 13:14:17 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	5281adb8856934e003d37fb941070a329a9958fc (patch)
tree	1f659641d3f9c4883a6ecebbb87aac25c868a820
parent	53df81889a241cd1eee8b25c06800076736cbcd3 (diff)
download	poky-5281adb8856934e003d37fb941070a329a9958fc.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index db7305a954..c668e63efc 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -71,6 +71,7 @@ SRC_URI = "\
71	file://CVE-2018-10535.patch \	71	file://CVE-2018-10535.patch \
72	file://CVE-2018-13033.patch \	72	file://CVE-2018-13033.patch \
73	file://CVE-2018-6323.patch \	73	file://CVE-2018-6323.patch \
		74	file://CVE-2018-6759.patch \
74	"	75	"
75	S = "${WORKDIR}/git"	76	S = "${WORKDIR}/git"
76		77


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch new file mode 100644 index 0000000000..3b0e98a0a3 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
@@ -0,0 +1,108 @@
		1	From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Tue, 6 Feb 2018 15:48:29 +0000
		4	Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
		5	chacking the size of debuglink sections.
		6
		7	PR 22794
		8	* opncls.c (bfd_get_debug_link_info_1): Check the size of the
		9	section before attempting to read it in.
		10	(bfd_get_alt_debug_link_info): Likewise.
		11
		12	Upstream-Status: Backport
		13	Affects: <= 2.30
		14	CVE: CVE-2018-6759
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	bfd/ChangeLog \| 7 +++++++
		19	bfd/opncls.c \| 22 +++++++++++++++++-----
		20	2 files changed, 24 insertions(+), 5 deletions(-)
		21
		22	Index: git/bfd/opncls.c
		23	===================================================================
		24	--- git.orig/bfd/opncls.c
		25	+++ git/bfd/opncls.c
		26	@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
		27	bfd_byte *contents;
		28	unsigned int crc_offset;
		29	char *name;
		30	+ bfd_size_type size;
		31
		32	BFD_ASSERT (abfd);
		33	BFD_ASSERT (crc32_out);
		34	@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
		35	if (sect == NULL)
		36	return NULL;
		37
		38	+ size = bfd_get_section_size (sect);
		39	+
		40	+ /* PR 22794: Make sure that the section has a reasonable size. */
		41	+ if (size < 8 \|\| size >= bfd_get_size (abfd))
		42	+ return NULL;
		43	+
		44	if (!bfd_malloc_and_get_section (abfd, sect, &contents))
		45	{
		46	if (contents != NULL)
		47	@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
		48
		49	/* CRC value is stored after the filename, aligned up to 4 bytes. */
		50	name = (char *) contents;
		51	- /* PR 17597: avoid reading off the end of the buffer. */
		52	- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
		53	+ /* PR 17597: Avoid reading off the end of the buffer. */
		54	+ crc_offset = strnlen (name, size) + 1;
		55	crc_offset = (crc_offset + 3) & ~3;
		56	- if (crc_offset + 4 > bfd_get_section_size (sect))
		57	+ if (crc_offset + 4 > size)
		58	return NULL;
		59
		60	*crc32 = bfd_get_32 (abfd, contents + crc_offset);
		61	@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
		62	bfd_byte *contents;
		63	unsigned int buildid_offset;
		64	char *name;
		65	+ bfd_size_type size;
		66
		67	BFD_ASSERT (abfd);
		68	BFD_ASSERT (buildid_len);
		69	@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
		70	if (sect == NULL)
		71	return NULL;
		72
		73	+ size = bfd_get_section_size (sect);
		74	+ if (size < 8 \|\| size >= bfd_get_size (abfd))
		75	+ return NULL;
		76	+
		77	if (!bfd_malloc_and_get_section (abfd, sect, & contents))
		78	{
		79	if (contents != NULL)
		80	@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
		81
		82	/* BuildID value is stored after the filename. */
		83	name = (char *) contents;
		84	- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
		85	+ buildid_offset = strnlen (name, size) + 1;
		86	if (buildid_offset >= bfd_get_section_size (sect))
		87	return NULL;
		88
		89	- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
		90	+ *buildid_len = size - buildid_offset;
		91	buildid_out = bfd_malloc (buildid_len);
		92	memcpy (buildid_out, contents + buildid_offset, buildid_len);
		93
		94	Index: git/bfd/ChangeLog
		95	===================================================================
		96	--- git.orig/bfd/ChangeLog
		97	+++ git/bfd/ChangeLog
		98	@@ -1,3 +1,10 @@
		99	+2018-02-06 Nick Clifton <nickc@redhat.com>
		100	+
		101	+ PR 22794
		102	+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
		103	+ section before attempting to read it in.
		104	+ (bfd_get_alt_debug_link_info): Likewise.
		105	+
		106	2018-01-25 Alan Modra <amodra@gmail.com>
		107
		108	PR 22746