diff options
author | Armin Kuster <akuster@mvista.com> | 2018-08-07 15:55:30 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 10:22:45 +0100 |
commit | 2720b93220c957069c4d2f99b66b13c38e963104 (patch) | |
tree | de15ba41a9d8d03f23df882152ac6ccd44ba42ad | |
parent | 3a47233ad7e9513e0c29cf9bd85a6ff0b3e8693c (diff) | |
download | poky-2720b93220c957069c4d2f99b66b13c38e963104.tar.gz |
binutls: Security fix for CVE-2017-16829
Affects: <= 2.29.1
(From OE-Core rev: 7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch | 82 |
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index ba60eccf87..7966cc3248 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc | |||
@@ -56,6 +56,7 @@ SRC_URI = "\ | |||
56 | file://CVE-2017-16827.patch \ | 56 | file://CVE-2017-16827.patch \ |
57 | file://CVE-2017-16828_p1.patch \ | 57 | file://CVE-2017-16828_p1.patch \ |
58 | file://CVE-2017-16828_p2.patch \ | 58 | file://CVE-2017-16828_p2.patch \ |
59 | file://CVE-2017-16829.patch \ | ||
59 | " | 60 | " |
60 | S = "${WORKDIR}/git" | 61 | S = "${WORKDIR}/git" |
61 | 62 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch new file mode 100644 index 0000000000..f9410e2728 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch | |||
@@ -0,0 +1,82 @@ | |||
1 | From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Tue, 17 Oct 2017 21:57:29 +1030 | ||
4 | Subject: [PATCH] PR22307, Heap out of bounds read in | ||
5 | _bfd_elf_parse_gnu_properties | ||
6 | |||
7 | When adding an unbounded increment to a pointer, you can't just check | ||
8 | against the end of the buffer but also must check that overflow | ||
9 | doesn't result in "negative" pointer movement. Pointer comparisons | ||
10 | are signed. Better, check the increment against the space left using | ||
11 | an unsigned comparison. | ||
12 | |||
13 | PR 22307 | ||
14 | * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz | ||
15 | against size left rather than comparing pointers. Reorganise loop. | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | Affects: <= 2.29.1 | ||
19 | CVE: CVE-2017-16829 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | bfd/ChangeLog | 6 ++++++ | ||
24 | bfd/elf-properties.c | 18 +++++++++--------- | ||
25 | 2 files changed, 15 insertions(+), 9 deletions(-) | ||
26 | |||
27 | Index: git/bfd/elf-properties.c | ||
28 | =================================================================== | ||
29 | --- git.orig/bfd/elf-properties.c | ||
30 | +++ git/bfd/elf-properties.c | ||
31 | @@ -93,15 +93,20 @@ bad_size: | ||
32 | return FALSE; | ||
33 | } | ||
34 | |||
35 | - while (1) | ||
36 | + while (ptr != ptr_end) | ||
37 | { | ||
38 | - unsigned int type = bfd_h_get_32 (abfd, ptr); | ||
39 | - unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4); | ||
40 | + unsigned int type; | ||
41 | + unsigned int datasz; | ||
42 | elf_property *prop; | ||
43 | |||
44 | + if ((size_t) (ptr_end - ptr) < 8) | ||
45 | + goto bad_size; | ||
46 | + | ||
47 | + type = bfd_h_get_32 (abfd, ptr); | ||
48 | + datasz = bfd_h_get_32 (abfd, ptr + 4); | ||
49 | ptr += 8; | ||
50 | |||
51 | - if ((ptr + datasz) > ptr_end) | ||
52 | + if (datasz > (size_t) (ptr_end - ptr)) | ||
53 | { | ||
54 | _bfd_error_handler | ||
55 | (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"), | ||
56 | @@ -182,11 +187,6 @@ bad_size: | ||
57 | |||
58 | next: | ||
59 | ptr += (datasz + (align_size - 1)) & ~ (align_size - 1); | ||
60 | - if (ptr == ptr_end) | ||
61 | - break; | ||
62 | - | ||
63 | - if (ptr > (ptr_end - 8)) | ||
64 | - goto bad_size; | ||
65 | } | ||
66 | |||
67 | return TRUE; | ||
68 | Index: git/bfd/ChangeLog | ||
69 | =================================================================== | ||
70 | --- git.orig/bfd/ChangeLog | ||
71 | +++ git/bfd/ChangeLog | ||
72 | @@ -1,4 +1,10 @@ | ||
73 | 2017-10-17 Alan Modra <amodra@gmail.com> | ||
74 | + | ||
75 | + PR 22307 | ||
76 | + * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz | ||
77 | + against size left rather than comparing pointers. Reorganise loop. | ||
78 | + | ||
79 | +2017-10-17 Alan Modra <amodra@gmail.com> | ||
80 | |||
81 | PR 22306 | ||
82 | * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, | ||