summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 21:14:28 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 10:22:45 +0100
commite6fdc8959bb4a9c3f5c734ea9381ffc3b817df68 (patch)
tree47108112afedb0f6a14c39d9da26652a3658679b
parent4e970e640940fe59afda9ce9b3a28cf72d0d6b6c (diff)
downloadpoky-e6fdc8959bb4a9c3f5c734ea9381ffc3b817df68.tar.gz
binutls: Security fix for CVE-2017-17122
Affects: <= 2.29.1 (From OE-Core rev: 86c54c4770ce207575e29c589732c74e68d9ff3c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch58
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 27d77cc409..59718c7d1f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -62,6 +62,7 @@ SRC_URI = "\
62 file://CVE-2017-16832.patch \ 62 file://CVE-2017-16832.patch \
63 file://CVE-2017-17080.patch \ 63 file://CVE-2017-17080.patch \
64 file://CVE-2017-17121.patch \ 64 file://CVE-2017-17121.patch \
65 file://CVE-2017-17122.patch \
65" 66"
66S = "${WORKDIR}/git" 67S = "${WORKDIR}/git"
67 68
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
new file mode 100644
index 0000000000..5ae749bcca
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
@@ -0,0 +1,58 @@
1From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Wed, 29 Nov 2017 12:40:43 +0000
4Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of
5 memory when parsing relocs in a corrupt file.
6
7 PR 22508
8 * objdump.c (dump_relocs_in_section): Also check the section's
9 relocation count to make sure that it is reasonable before
10 attempting to allocate space for the relocs.
11
12Upstream-Status: Backport
13Affects: <= 2.29.1
14CVE: CVE-2017-17122
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 binutils/ChangeLog | 7 +++++++
19 binutils/objdump.c | 11 ++++++++++-
20 2 files changed, 17 insertions(+), 1 deletion(-)
21
22Index: git/binutils/objdump.c
23===================================================================
24--- git.orig/binutils/objdump.c
25+++ git/binutils/objdump.c
26@@ -3381,7 +3381,16 @@ dump_relocs_in_section (bfd *abfd,
27 }
28
29 if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
30- && (ufile_ptr) relsize > bfd_get_file_size (abfd))
31+ && (((ufile_ptr) relsize > bfd_get_file_size (abfd))
32+ /* Also check the section's reloc count since if this is negative
33+ (or very large) the computation in bfd_get_reloc_upper_bound
34+ may have resulted in returning a small, positive integer.
35+ See PR 22508 for a reproducer.
36+
37+ Note - we check against file size rather than section size as
38+ it is possible for there to be more relocs that apply to a
39+ section than there are bytes in that section. */
40+ || (section->reloc_count > bfd_get_file_size (abfd))))
41 {
42 printf (" (too many: 0x%x)\n", section->reloc_count);
43 bfd_set_error (bfd_error_file_truncated);
44Index: git/binutils/ChangeLog
45===================================================================
46--- git.orig/binutils/ChangeLog
47+++ git/binutils/ChangeLog
48@@ -1,3 +1,10 @@
49+2017-11-29 Nick Clifton <nickc@redhat.com>
50+
51+ PR 22508
52+ * objdump.c (dump_relocs_in_section): Also check the section's
53+ relocation count to make sure that it is reasonable before
54+ attempting to allocate space for the relocs.
55+
56 2017-11-02 Mingi Cho <mgcho.minic@gmail.com>
57
58 PR 22384