author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-09-21 20:35:41 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-07 17:10:09 +0000 |
commit | e7f53f5fe5f5977c2f5fe206052e8c6d0b3bd1a2 (patch) | |
tree | 1a0a44389b788f97b3e49fd9753610616f6b526c /meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch | |
parent | ab884ff9a788aa9f1f844407e4cb1dac419447e5 (diff) | |
download | poky-e7f53f5fe5f5977c2f5fe206052e8c6d0b3bd1a2.tar.gz |
binutils: CVE-2017-9955
Source: binutils-gdb.git
MR: 73893
Type: Security Fix
Disposition: Backport from 'binutils-gdb.git/master' branch
ChangeID: 94c3ef8c1fa2e84e84ad76fb45307848d98817c8
Description:
PR 21665: Fixed multiple heap-based buffer overflows
Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: a36978f0dd372ec836f63942f965652ca3716e3f)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch | 112 |
1 files changed, 112 insertions, 0 deletions
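--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
@@ -0,0 +1,112 @@
+commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date: Mon Jun 26 09:24:49 2017 -0700
+
+Check file size before getting section contents
+
+Don't check the section size in bfd_get_full_section_contents since
+the size of a decompressed section may be larger than the file size.
+Instead, check file size in _bfd_generic_get_section_contents.
+
+PR binutils/21665
+* compress.c (bfd_get_full_section_contents): Don't check the
+file size here.
+* libbfd.c (_bfd_generic_get_section_contents): Check for and
+reject a section whoes size + offset is greater than the size
+of the entire file.
+(_bfd_generic_get_section_contents_in_window): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/libbfd.c
+===================================================================
+--- git.orig/bfd/libbfd.c 2017-09-21 17:41:59.457841691 +0530
++++ git/bfd/libbfd.c 2017-09-21 17:42:18.269987768 +0530
+@@ -780,6 +780,7 @@
+bfd_size_type count)
+{
+bfd_size_type sz;
++ file_ptr filesz;
+if (count == 0)
+return TRUE;
+
+@@ -801,8 +802,15 @@
+sz = section->rawsize;
+else
+sz = section->size;
++ filesz = bfd_get_file_size (abfd);
++ if (filesz < 0)
++ {
++ /* This should never happen. */
++ abort ();
++ }
+if (offset + count < count
+- || offset + count > sz)
++ || offset + count > sz
++ || (section->filepos + offset + sz) > (bfd_size_type) filesz)
+{
+bfd_set_error (bfd_error_invalid_operation);
+return FALSE;
+@@ -825,6 +833,7 @@
+{
+#ifdef USE_MMAP
+bfd_size_type sz;
++ file_ptr filesz;
+
+if (count == 0)
+return TRUE;
+@@ -857,7 +866,13 @@
+sz = section->rawsize;
+else
+sz = section->size;
++ filesz = bfd_get_file_size (abfd);
++ {
++ /* This should never happen. */
++ abort ();
++ }
+if (offset + count > sz
++ || (section->filepos + offset + sz) > (bfd_size_type) filesz
+|| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
+TRUE))
+return FALSE;
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c 2017-09-21 17:42:18.213987332 +0530
++++ git/bfd/compress.c 2017-09-21 17:45:17.107399434 +0530
+@@ -239,12 +239,6 @@
+*ptr = NULL;
+return TRUE;
+}
+- else if (bfd_get_file_size (abfd) > 0
+- && sz > (bfd_size_type) bfd_get_file_size (abfd))
+- {
+- *ptr = NULL;
+- return FALSE;
+- }
+
+switch (sec->compress_status)
+{
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-09-21 17:42:18.213987332 +0530
++++ git/bfd/ChangeLog 2017-09-21 17:47:03.668256850 +0530
+@@ -11,6 +11,16 @@
+of end pointer.
+(evax_bfd_print_emh): Check for invalid string lengths.
+
++2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
++
++ PR binutils/21665
++ * compress.c (bfd_get_full_section_contents): Don't check the
++ file size here.
++ * libbfd.c (_bfd_generic_get_section_contents): Check for and
++ reject a section whoes size + offset is greater than the size
++ of the entire file.
++ (_bfd_generic_get_section_contents_in_window): Likewise.
++
+2017-06-26 Nick Clifton <nickc@redhat.com>
+
+PR binutils/21665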
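Review bot: In the second libbfd.c hunk of the added patch (`@@ -857,7 +866,13 @@`, the `USE_MMAP` path that ends in `bfd_get_file_window`), the braces holding `abort ();` follow `filesz = bfd_get_file_size (abfd);` directly with no `if (filesz < 0)` in front, so as written the block runs unconditionally and the function would abort on every call that gets past the earlier returns. The parallel hunk at `@@ -801,8 +802,15 @@` has the guard; the same line, `if (filesz < 0)`, should be added before the opening brace here and the hunk's new-side count raised from 13 to 14. The ChangeLog entry describes this function as checked "Likewise", which suggests the line was lost during the backport rather than removed on purpose. Both functions start and end outside the hunks, so whether builds of this recipe define `USE_MMAP` cannot be told from this page.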