binutls: Security fix for CVE-2017-16829

Affects: <= 2.29.1 (From OE-Core rev: 7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-07 15:55:30 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 2720b93220c957069c4d2f99b66b13c38e963104 (patch)
tree: de15ba41a9d8d03f23df882152ac6ccd44ba42ad
parent: 3a47233ad7e9513e0c29cf9bd85a6ff0b3e8693c (diff)
download: poky-2720b93220c957069c4d2f99b66b13c38e963104.tar.gz
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ba60eccf87..7966cc3248 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -56,6 +56,7 @@ SRC_URI = "\
     file://CVE-2017-16827.patch \
     file://CVE-2017-16828_p1.patch \
     file://CVE-2017-16828_p2.patch \
+     file://CVE-2017-16829.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
new file mode 100644
index 0000000000..f9410e2728
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
@@ -0,0 +1,82 @@
+From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 17 Oct 2017 21:57:29 +1030
+Subject: [PATCH] PR22307, Heap out of bounds read in
+ _bfd_elf_parse_gnu_properties
+When adding an unbounded increment to a pointer, you can't just check
+against the end of the buffer but also must check that overflow
+doesn't result in "negative" pointer movement.  Pointer comparisons
+are signed.  Better, check the increment against the space left using
+an unsigned comparison.
+        PR 22307
+        * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+        against size left rather than comparing pointers.  Reorganise loop.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16829
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog        |  6 ++++++
+ bfd/elf-properties.c | 18 +++++++++---------
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+Index: git/bfd/elf-properties.c
+===================================================================
+--- git.orig/bfd/elf-properties.c
+++ git/bfd/elf-properties.c
+@@ -93,15 +93,20 @@ bad_size:
+       return FALSE;
+     }
+ 
+-  while (1)
+  while (ptr != ptr_end)
+     {
+-      unsigned int type = bfd_h_get_32 (abfd, ptr);
+-      unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
+      unsigned int type;
+      unsigned int datasz;
+       elf_property *prop;
+ 
+      if ((size_t) (ptr_end - ptr) < 8)
+       goto bad_size;
+
+      type = bfd_h_get_32 (abfd, ptr);
+      datasz = bfd_h_get_32 (abfd, ptr + 4);
+       ptr += 8;
+ 
+-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
+        {
+          _bfd_error_handler
+            (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
+@@ -182,11 +187,6 @@ bad_size:
+ 
+ next:
+       ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
+-      if (ptr == ptr_end)
+-       break;
+-
+-      if (ptr > (ptr_end - 8))
+-       goto bad_size;
+     }
+ 
+   return TRUE;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,4 +1,10 @@
+ 2017-10-17  Alan Modra  <amodra@gmail.com>
+ 
+       PR 22307
+       * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+       against size left rather than comparing pointers.  Reorganise loop.
+
+2017-10-17  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22306
+        * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
author	Armin Kuster <akuster@mvista.com>	2018-08-07 15:55:30 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	2720b93220c957069c4d2f99b66b13c38e963104 (patch)
tree	de15ba41a9d8d03f23df882152ac6ccd44ba42ad
parent	3a47233ad7e9513e0c29cf9bd85a6ff0b3e8693c (diff)
download	poky-2720b93220c957069c4d2f99b66b13c38e963104.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index ba60eccf87..7966cc3248 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -56,6 +56,7 @@ SRC_URI = "\
56	file://CVE-2017-16827.patch \	56	file://CVE-2017-16827.patch \
57	file://CVE-2017-16828_p1.patch \	57	file://CVE-2017-16828_p1.patch \
58	file://CVE-2017-16828_p2.patch \	58	file://CVE-2017-16828_p2.patch \
		59	file://CVE-2017-16829.patch \
59	"	60	"
60	S = "${WORKDIR}/git"	61	S = "${WORKDIR}/git"
61		62


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch new file mode 100644 index 0000000000..f9410e2728 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
@@ -0,0 +1,82 @@
		1	From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Tue, 17 Oct 2017 21:57:29 +1030
		4	Subject: [PATCH] PR22307, Heap out of bounds read in
		5	_bfd_elf_parse_gnu_properties
		6
		7	When adding an unbounded increment to a pointer, you can't just check
		8	against the end of the buffer but also must check that overflow
		9	doesn't result in "negative" pointer movement. Pointer comparisons
		10	are signed. Better, check the increment against the space left using
		11	an unsigned comparison.
		12
		13	PR 22307
		14	* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
		15	against size left rather than comparing pointers. Reorganise loop.
		16
		17	Upstream-Status: Backport
		18	Affects: <= 2.29.1
		19	CVE: CVE-2017-16829
		20	Signed-off-by: Armin Kuster <akuster@mvista.com>
		21
		22	---
		23	bfd/ChangeLog \| 6 ++++++
		24	bfd/elf-properties.c \| 18 +++++++++---------
		25	2 files changed, 15 insertions(+), 9 deletions(-)
		26
		27	Index: git/bfd/elf-properties.c
		28	===================================================================
		29	--- git.orig/bfd/elf-properties.c
		30	+++ git/bfd/elf-properties.c
		31	@@ -93,15 +93,20 @@ bad_size:
		32	return FALSE;
		33	}
		34
		35	- while (1)
		36	+ while (ptr != ptr_end)
		37	{
		38	- unsigned int type = bfd_h_get_32 (abfd, ptr);
		39	- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
		40	+ unsigned int type;
		41	+ unsigned int datasz;
		42	elf_property *prop;
		43
		44	+ if ((size_t) (ptr_end - ptr) < 8)
		45	+ goto bad_size;
		46	+
		47	+ type = bfd_h_get_32 (abfd, ptr);
		48	+ datasz = bfd_h_get_32 (abfd, ptr + 4);
		49	ptr += 8;
		50
		51	- if ((ptr + datasz) > ptr_end)
		52	+ if (datasz > (size_t) (ptr_end - ptr))
		53	{
		54	_bfd_error_handler
		55	(_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
		56	@@ -182,11 +187,6 @@ bad_size:
		57
		58	next:
		59	ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
		60	- if (ptr == ptr_end)
		61	- break;
		62	-
		63	- if (ptr > (ptr_end - 8))
		64	- goto bad_size;
		65	}
		66
		67	return TRUE;
		68	Index: git/bfd/ChangeLog
		69	===================================================================
		70	--- git.orig/bfd/ChangeLog
		71	+++ git/bfd/ChangeLog
		72	@@ -1,4 +1,10 @@
		73	2017-10-17 Alan Modra <amodra@gmail.com>
		74	+
		75	+ PR 22307
		76	+ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
		77	+ against size left rather than comparing pointers. Reorganise loop.
		78	+
		79	+2017-10-17 Alan Modra <amodra@gmail.com>
		80
		81	PR 22306
		82	* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,