diff options
author | Armin Kuster <akuster@mvista.com> | 2018-08-06 19:36:12 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 10:22:45 +0100 |
commit | f0be43144f1b8719d7342c9288dc8efe2c050e60 (patch) | |
tree | d175562cb14006db8fee5b9dddf1f9b472154536 /meta/recipes-devtools/binutils/binutils | |
parent | e4c382ecc6212166644d7b85fbdbf7ee0c1264dc (diff) | |
download | poky-f0be43144f1b8719d7342c9288dc8efe2c050e60.tar.gz |
binutls: Security fix for CVE-2017-15939
affects: <= 2.29.1
(From OE-Core rev: dec0162e16040aa00c5fff3e5cfde1b488af3e55)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch new file mode 100644 index 0000000000..bccad763f4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | From a54018b72d75abf2e74bf36016702da06399c1d9 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Tue, 26 Sep 2017 09:38:26 +0930 | ||
4 | Subject: [PATCH] PR22205, .debug_line file table NULL filename | ||
5 | |||
6 | The PR22200 fuzzer testcase found one way to put NULLs into .debug_line | ||
7 | file tables. PR22205 finds another. This patch gives up on trying to | ||
8 | prevent NULL files in the file table and instead just copes with them. | ||
9 | Arguably, this is better than giving up and showing no info from | ||
10 | .debug_line. I've also fixed a case where the fairly recent DWARF5 | ||
11 | support in handling broken DWARG could result in uninitialized memory | ||
12 | reads, and made a small tidy. | ||
13 | |||
14 | PR 22205 | ||
15 | * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename. | ||
16 | (read_formatted_entries): Init "fe". | ||
17 | (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name. | ||
18 | |||
19 | Upstream-Status: Backport | ||
20 | Affects: <= 2.29.1 | ||
21 | CVE: CVE-2017-15939 | ||
22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
23 | |||
24 | --- | ||
25 | bfd/ChangeLog | 7 +++++++ | ||
26 | bfd/dwarf2.c | 35 +++++++++++++---------------------- | ||
27 | 2 files changed, 20 insertions(+), 22 deletions(-) | ||
28 | |||
29 | Index: git/bfd/dwarf2.c | ||
30 | =================================================================== | ||
31 | --- git.orig/bfd/dwarf2.c | ||
32 | +++ git/bfd/dwarf2.c | ||
33 | @@ -1597,6 +1597,8 @@ concat_filename (struct line_info_table | ||
34 | } | ||
35 | |||
36 | filename = table->files[file - 1].name; | ||
37 | + if (filename == NULL) | ||
38 | + return strdup ("<unknown>"); | ||
39 | |||
40 | if (!IS_ABSOLUTE_PATH (filename)) | ||
41 | { | ||
42 | @@ -1956,6 +1958,7 @@ read_formatted_entries (struct comp_unit | ||
43 | bfd_byte *format = format_header_data; | ||
44 | struct fileinfo fe; | ||
45 | |||
46 | + memset (&fe, 0, sizeof fe); | ||
47 | for (formati = 0; formati < format_count; formati++) | ||
48 | { | ||
49 | bfd_vma content_type, form; | ||
50 | @@ -2256,6 +2259,7 @@ decode_line_info (struct comp_unit *unit | ||
51 | unsigned int discriminator = 0; | ||
52 | int is_stmt = lh.default_is_stmt; | ||
53 | int end_sequence = 0; | ||
54 | + unsigned int dir, xtime, size; | ||
55 | /* eraxxon@alumni.rice.edu: Against the DWARF2 specs, some | ||
56 | compilers generate address sequences that are wildly out of | ||
57 | order using DW_LNE_set_address (e.g. Intel C++ 6.0 compiler | ||
58 | @@ -2330,31 +2334,18 @@ decode_line_info (struct comp_unit *unit | ||
59 | case DW_LNE_define_file: | ||
60 | cur_file = read_string (abfd, line_ptr, line_end, &bytes_read); | ||
61 | line_ptr += bytes_read; | ||
62 | - if ((table->num_files % FILE_ALLOC_CHUNK) == 0) | ||
63 | - { | ||
64 | - struct fileinfo *tmp; | ||
65 | - | ||
66 | - amt = table->num_files + FILE_ALLOC_CHUNK; | ||
67 | - amt *= sizeof (struct fileinfo); | ||
68 | - tmp = (struct fileinfo *) bfd_realloc (table->files, amt); | ||
69 | - if (tmp == NULL) | ||
70 | - goto line_fail; | ||
71 | - table->files = tmp; | ||
72 | - } | ||
73 | - table->files[table->num_files].name = cur_file; | ||
74 | - table->files[table->num_files].dir = | ||
75 | - _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, | ||
76 | - FALSE, line_end); | ||
77 | + dir = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, | ||
78 | + FALSE, line_end); | ||
79 | line_ptr += bytes_read; | ||
80 | - table->files[table->num_files].time = | ||
81 | - _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, | ||
82 | - FALSE, line_end); | ||
83 | + xtime = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, | ||
84 | + FALSE, line_end); | ||
85 | line_ptr += bytes_read; | ||
86 | - table->files[table->num_files].size = | ||
87 | - _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, | ||
88 | - FALSE, line_end); | ||
89 | + size = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read, | ||
90 | + FALSE, line_end); | ||
91 | line_ptr += bytes_read; | ||
92 | - table->num_files++; | ||
93 | + if (!line_info_add_file_name (table, cur_file, dir, | ||
94 | + xtime, size)) | ||
95 | + goto line_fail; | ||
96 | break; | ||
97 | case DW_LNE_set_discriminator: | ||
98 | discriminator = | ||
99 | Index: git/bfd/ChangeLog | ||
100 | =================================================================== | ||
101 | --- git.orig/bfd/ChangeLog | ||
102 | +++ git/bfd/ChangeLog | ||
103 | @@ -1,3 +1,10 @@ | ||
104 | +2017-09-26 Alan Modra <amodra@gmail.com> | ||
105 | + | ||
106 | + PR 22205 | ||
107 | + * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename. | ||
108 | + (read_formatted_entries): Init "fe". | ||
109 | + (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name. | ||
110 | + | ||
111 | 2017-10-09 Alan Modra <amodra@gmail.com> | ||
112 | |||
113 | PR 22212 | ||