binutls: Security fix CVE-2017-14934

Affects: <= 2.29.1 (From OE-Core rev: b7715d4782cf956c198eaa6b43a6bf11fe8ece7c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-06 14:09:04 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 6e01f789947809c3039ea5ff9bdff05d1142cd25 (patch)
tree: 599e16fe207eb5306100ab108c309ab1597387b1
parent: 9be7b4f3db6243fc2a557ad63543173f2b1f5d86 (diff)
download: poky-6e01f789947809c3039ea5ff9bdff05d1142cd25.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 78b5249ee1..1962f5c303 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
     file://CVE-2017-14932.patch \
     file://CVE-2017-14933_p1.patch \
     file://CVE-2017-14933_p2.patch \
+     file://CVE-2017-14934.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
new file mode 100644
index 0000000000..57733f08cf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
@@ -0,0 +1,63 @@
+From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 27 Sep 2017 10:42:51 +0100
+Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when
+ encountering a CU structure with a small negative size.
+        PR 22219
+        * dwarf.c (process_debug_info): Add a check for a negative
+        cu_length field.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14934
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/dwarf.c   | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
+@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section
+       int level, last_level, saved_level;
+       dwarf_vma cu_offset;
+       unsigned int offset_size;
+-      int initial_length_size;
+      unsigned int initial_length_size;
+       dwarf_vma signature_high = 0;
+       dwarf_vma signature_low = 0;
+       dwarf_vma type_offset = 0;
+@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section
+          num_units = unit;
+          break;
+        }
+      else if (compunit.cu_length + initial_length_size < initial_length_size)
+       {
+         warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
+               dwarf_vmatoa ("x", cu_offset),
+               dwarf_vmatoa ("x", compunit.cu_length));
+         num_units = unit;
+         break;
+       }
+
+       tags = hdrptr;
+       start += compunit.cu_length + initial_length_size;
+ 
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
+2017-09-27  Nick Clifton  <nickc@redhat.com>
+
+       PR 22219
+       * dwarf.c (process_debug_info): Add a check for a negative
+       cu_length field.
+
+ 2017-11-01  Alan Modra  <amodra@gmail.com>
+ 
+        Apply from master
author	Armin Kuster <akuster@mvista.com>	2018-08-06 14:09:04 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	6e01f789947809c3039ea5ff9bdff05d1142cd25 (patch)
tree	599e16fe207eb5306100ab108c309ab1597387b1
parent	9be7b4f3db6243fc2a557ad63543173f2b1f5d86 (diff)
download	poky-6e01f789947809c3039ea5ff9bdff05d1142cd25.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 78b5249ee1..1962f5c303 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -40,6 +40,7 @@ SRC_URI = "\
40	file://CVE-2017-14932.patch \	40	file://CVE-2017-14932.patch \
41	file://CVE-2017-14933_p1.patch \	41	file://CVE-2017-14933_p1.patch \
42	file://CVE-2017-14933_p2.patch \	42	file://CVE-2017-14933_p2.patch \
		43	file://CVE-2017-14934.patch \
43	"	44	"
44	S = "${WORKDIR}/git"	45	S = "${WORKDIR}/git"
45		46


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch new file mode 100644 index 0000000000..57733f08cf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14934.patch
@@ -0,0 +1,63 @@
		1	From 19485196044b2521af979f1e5c4a89bfb90fba0b Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 27 Sep 2017 10:42:51 +0100
		4	Subject: [PATCH] Prevent an infinite loop in the DWARF parsing code when
		5	encountering a CU structure with a small negative size.
		6
		7	PR 22219
		8	* dwarf.c (process_debug_info): Add a check for a negative
		9	cu_length field.
		10
		11	Upstream-Status: Backport
		12	Affects: <= 2.29.1
		13	CVE: CVE-2017-14934
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	binutils/ChangeLog \| 6 ++++++
		18	binutils/dwarf.c \| 11 ++++++++++-
		19	2 files changed, 16 insertions(+), 1 deletion(-)
		20
		21	Index: git/binutils/dwarf.c
		22	===================================================================
		23	--- git.orig/binutils/dwarf.c
		24	+++ git/binutils/dwarf.c
		25	@@ -2547,7 +2547,7 @@ process_debug_info (struct dwarf_section
		26	int level, last_level, saved_level;
		27	dwarf_vma cu_offset;
		28	unsigned int offset_size;
		29	- int initial_length_size;
		30	+ unsigned int initial_length_size;
		31	dwarf_vma signature_high = 0;
		32	dwarf_vma signature_low = 0;
		33	dwarf_vma type_offset = 0;
		34	@@ -2695,6 +2695,15 @@ process_debug_info (struct dwarf_section
		35	num_units = unit;
		36	break;
		37	}
		38	+ else if (compunit.cu_length + initial_length_size < initial_length_size)
		39	+ {
		40	+ warn (_("Debug info is corrupted, length of CU at %s is negative (%s)\n"),
		41	+ dwarf_vmatoa ("x", cu_offset),
		42	+ dwarf_vmatoa ("x", compunit.cu_length));
		43	+ num_units = unit;
		44	+ break;
		45	+ }
		46	+
		47	tags = hdrptr;
		48	start += compunit.cu_length + initial_length_size;
		49
		50	Index: git/binutils/ChangeLog
		51	===================================================================
		52	--- git.orig/binutils/ChangeLog
		53	+++ git/binutils/ChangeLog
		54	@@ -1,3 +1,9 @@
		55	+2017-09-27 Nick Clifton <nickc@redhat.com>
		56	+
		57	+ PR 22219
		58	+ * dwarf.c (process_debug_info): Add a check for a negative
		59	+ cu_length field.
		60	+
		61	2017-11-01 Alan Modra <amodra@gmail.com>
		62
		63	Apply from master