summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 16:06:49 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 10:22:45 +0100
commit7d51055f445c6f91454fe3b05174ec1d6020e896 (patch)
tree766a440e606614ccc5875a8f1862c1c24cff3028
parent2720b93220c957069c4d2f99b66b13c38e963104 (diff)
downloadpoky-7d51055f445c6f91454fe3b05174ec1d6020e896.tar.gz
binutls: Security fix for CVE-2017-16830
Affects: <= 2.29.1 (From OE-Core rev: 29c6da2092599145e5a4f00ccc6029f31ec724da) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch91
2 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 7966cc3248..4191482929 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -57,6 +57,7 @@ SRC_URI = "\
57 file://CVE-2017-16828_p1.patch \ 57 file://CVE-2017-16828_p1.patch \
58 file://CVE-2017-16828_p2.patch \ 58 file://CVE-2017-16828_p2.patch \
59 file://CVE-2017-16829.patch \ 59 file://CVE-2017-16829.patch \
60 file://CVE-2017-16830.patch \
60" 61"
61S = "${WORKDIR}/git" 62S = "${WORKDIR}/git"
62 63
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch
new file mode 100644
index 0000000000..1382c8e3e7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch
@@ -0,0 +1,91 @@
1From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
2From: Mingi Cho <mgcho.minic@gmail.com>
3Date: Thu, 2 Nov 2017 17:01:08 +0000
4Subject: [PATCH] Work around integer overflows when readelf is checking for
5 corrupt ELF notes when run on a 32-bit host.
6
7 PR 22384
8 * readelf.c (print_gnu_property_note): Improve overflow checks so
9 that they will work on a 32-bit host.
10
11Upstream-Status: Backport
12Affects: <= 2.29.1
13CVE: CVE-2017-16830
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 binutils/ChangeLog | 6 ++++++
18 binutils/readelf.c | 33 +++++++++++++++++----------------
19 2 files changed, 23 insertions(+), 16 deletions(-)
20
21Index: git/binutils/readelf.c
22===================================================================
23--- git.orig/binutils/readelf.c
24+++ git/binutils/readelf.c
25@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No
26 return;
27 }
28
29- while (1)
30+ while (ptr < ptr_end)
31 {
32 unsigned int j;
33- unsigned int type = byte_get (ptr, 4);
34- unsigned int datasz = byte_get (ptr + 4, 4);
35+ unsigned int type;
36+ unsigned int datasz;
37+
38+ if ((size_t) (ptr_end - ptr) < 8)
39+ {
40+ printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
41+ break;
42+ }
43+
44+ type = byte_get (ptr, 4);
45+ datasz = byte_get (ptr + 4, 4);
46
47 ptr += 8;
48
49- if ((ptr + datasz) > ptr_end)
50+ if (datasz > (size_t) (ptr_end - ptr))
51 {
52 printf (_("<corrupt type (%#x) datasz: %#x>\n"),
53 type, datasz);
54@@ -16520,19 +16529,11 @@ next:
55 ptr += ((datasz + (size - 1)) & ~ (size - 1));
56 if (ptr == ptr_end)
57 break;
58- else
59- {
60- if (do_wide)
61- printf (", ");
62- else
63- printf ("\n\t");
64- }
65
66- if (ptr > (ptr_end - 8))
67- {
68- printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
69- break;
70- }
71+ if (do_wide)
72+ printf (", ");
73+ else
74+ printf ("\n\t");
75 }
76
77 printf ("\n");
78Index: git/binutils/ChangeLog
79===================================================================
80--- git.orig/binutils/ChangeLog
81+++ git/binutils/ChangeLog
82@@ -1,3 +1,9 @@
83+2017-11-02 Mingi Cho <mgcho.minic@gmail.com>
84+
85+ PR 22384
86+ * readelf.c (print_gnu_property_note): Improve overflow checks so
87+ that they will work on a 32-bit host.
88+
89 2017-10-05 Alan Modra <amodra@gmail.com>
90
91 PR 22239