author | Armin Kuster <akuster@mvista.com> | 2018-08-07 16:16:58 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 10:22:45 +0100 |
commit | d40d4bf86f5f4cec5dc7e11227020f63684301df (patch) | |
tree | dc9b7d37f7989f5b98e20d3bc922d9e9aa578748 /meta/recipes-devtools/binutils/binutils | |
parent | 7d51055f445c6f91454fe3b05174ec1d6020e896 (diff) | |
binutls: Security fix for CVE-2017-16831
Affects: <= 2.29.1
(From OE-Core rev: ab9e8161a3b89914d8664175a684675bc99d6f21)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch | 77 |
1 files changed, 77 insertions, 0 deletions
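diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch
new file mode 100644
index 0000000000..7acd5e0f2f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch
@@ -0,0 +1,77 @@
+From 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 3 Nov 2017 11:55:21 +0000
+Subject: [PATCH] Fix excessive memory allocation attempts and possible integer
+overfloaws when attempting to read a COFF binary with a corrupt symbol count.
+
+PR 22385
+* coffgen.c (_bfd_coff_get_external_symbols): Check for an
+overlarge raw syment count.
+(coff_get_normalized_symtab): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16831
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+bfd/ChangeLog | 8 ++++++++
+bfd/coffgen.c | 17 +++++++++++++++--
+2 files changed, 23 insertions(+), 2 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2017-11-03 Mingi Cho <mgcho.minic@gmail.com>
++ Nick Clifton <nickc@redhat.com>
++
++ PR 22385
++ * coffgen.c (_bfd_coff_get_external_symbols): Check for an
++ overlarge raw syment count.
++ (coff_get_normalized_symtab): Likewise.
++
+2017-10-17 Alan Modra <amodra@gmail.com>
+
+PR 22307
+Index: git/bfd/coffgen.c
+===================================================================
+--- git.orig/bfd/coffgen.c
++++ git/bfd/coffgen.c
+@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf
+size = obj_raw_syment_count (abfd) * symesz;
+if (size == 0)
+return TRUE;
++ /* Check for integer overflow and for unreasonable symbol counts. */
++ if (size < obj_raw_syment_count (abfd)
+|| (bfd_get_file_size (abfd) > 0
++ && size > bfd_get_file_size (abfd)))
++
++ {
++ _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"),
++ abfd, obj_raw_syment_count (abfd));
++ return FALSE;
++ }
+
+syms = bfd_malloc (size);
+if (syms == NULL)
+{
+/* PR 21013: Provide an error message when the alloc fails. */
+- _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"),
+- abfd, size);
++ _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"),
++ abfd, obj_raw_syment_count (abfd), symesz);
+return FALSE;
+}
+
+@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd)
+return NULL;
+
+size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type);
++ /* Check for integer overflow. */
++ if (size < obj_raw_syment_count (abfd))
++ return NULL;
+internal = (combined_entry_type *) bfd_zalloc (abfd, size);
+if (internal == NULL && size != 0)
+return NULL;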
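Review bot: The wraparound test `size < obj_raw_syment_count (abfd)` in both coffgen.c hunks of the added patch does not catch every overflow of the multiplication, because a product that wraps can still be greater than or equal to the count. Dividing back detects every wrap: `if (size / symesz != obj_raw_syment_count (abfd))` after the `size == 0` return in `_bfd_coff_get_external_symbols`, and `if (size / sizeof (combined_entry_type) != obj_raw_syment_count (abfd))` in `coff_get_normalized_symtab`. The second function matters more, since it has no file-size bound behind the check and a wrapped `size` would presumably leave the `bfd_zalloc` buffer smaller than the symbol count implies. In the first function the file-size comparison applies only when `bfd_get_file_size` returns a non-zero value, and a wrapped `size` below the file size passes it. The declaration of `size` and the rest of both functions are outside the hunks, so whether the product can wrap depends on the host's `bfd_size_type` width and should be confirmed for 32-bit builds.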