binutils: CVE-2017-7225

Source: git://sourceware.org/git/binutils-gdb.git MR: 74296 Type: Security Fix Disposition: Backport from binutils-2_29-branch ChangeID: d2cf3ab15c89351c941c92e4cdf28c2bfa9dcda8 Description: Fix seg-fault running addr2line on a corrupt binary. PR binutils/20891 * aoutx.h (find_nearest_line): Handle the case where the main file name and the directory name are both empty. Affects: <= 2.29 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: ba01ee6899c8d36e6469f6d02d40866fb0502af9) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-04 13:59:36 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:07 +0000
commit: 24a6fa61841c1f2de621b7cf41585300a69f9951 (patch)
tree: ce5342b79cb3da60d1b4b30cfbfdadc3353160e9 /meta/recipes-devtools
parent: f85b35f63ac606ef455413f2315551509cb7a0e7 (diff)
download: poky-24a6fa61841c1f2de621b7cf41585300a69f9951.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 82b9be774f..4833552ca9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
     file://CVE-2017-12450_12452_12453_12454_12456.patch \
     file://CVE-2017-7223.patch \
     file://CVE-2017-7224.patch \
+     file://CVE-2017-7225.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch
new file mode 100644
index 0000000000..699905a4d0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch
@@ -0,0 +1,66 @@
+commit 50455f1ab2935f7321215dfa681745c9b1cb5b19
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Thu Dec 1 10:15:07 2016 +0000
+    Fix seg-fault running addr2line on a corrupt binary.
+    
+        PR binutils/20891
+        * aoutx.h (find_nearest_line): Handle the case where the main file
+        name and the directory name are both empty.
+Upstream-Status: backport
+CVE: CVE-2017-7225
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-04 13:04:20.941485636 +0530
+++ git/bfd/ChangeLog   2017-09-04 13:08:05.003175703 +0530
+@@ -120,6 +120,12 @@
+        * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over
+        the end of the string buffer.
+ 
+2016-12-01  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/20891
+       * aoutx.h (find_nearest_line): Handle the case where the main file
+       name and the directory name are both empty.
+
+        PR binutils/20892
+        * aoutx.h (find_nearest_line): Handle the case where the function
+        name is empty.
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h        2017-09-04 13:04:20.941485636 +0530
+++ git/bfd/aoutx.h     2017-09-04 13:10:55.856441243 +0530
+@@ -2663,7 +2663,7 @@
+   char *buf;
+ 
+   *filename_ptr = abfd->filename;
+-  *functionname_ptr = 0;
+  *functionname_ptr = NULL;
+   *line_ptr = 0;
+   if (disriminator_ptr)
+     *disriminator_ptr = 0;
+@@ -2808,9 +2808,17 @@
+        *filename_ptr = main_file_name;
+       else
+        {
+-         sprintf (buf, "%s%s", directory_name, main_file_name);
+-         *filename_ptr = buf;
+-         buf += filelen + 1;
+         if (buf == NULL)
+           /* PR binutils/20891: In a corrupt input file both
+              main_file_name and directory_name can be empty...  */
+           * filename_ptr = NULL;
+         else
+           {
+             snprintf (buf, filelen + 1, "%s%s", directory_name,
+                       main_file_name);
+             *filename_ptr = buf;
+             buf += filelen + 1;
+           }
+        }
+     }
+
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-04 13:59:36 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:07 +0000
commit	24a6fa61841c1f2de621b7cf41585300a69f9951 (patch)
tree	ce5342b79cb3da60d1b4b30cfbfdadc3353160e9 /meta/recipes-devtools
parent	f85b35f63ac606ef455413f2315551509cb7a0e7 (diff)
download	poky-24a6fa61841c1f2de621b7cf41585300a69f9951.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 82b9be774f..4833552ca9 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -61,6 +61,7 @@ SRC_URI = "\
61	file://CVE-2017-12450_12452_12453_12454_12456.patch \	61	file://CVE-2017-12450_12452_12453_12454_12456.patch \
62	file://CVE-2017-7223.patch \	62	file://CVE-2017-7223.patch \
63	file://CVE-2017-7224.patch \	63	file://CVE-2017-7224.patch \
		64	file://CVE-2017-7225.patch \
64	"	65	"
65	S = "${WORKDIR}/git"	66	S = "${WORKDIR}/git"
66		67


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch new file mode 100644 index 0000000000..699905a4d0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7225.patch
@@ -0,0 +1,66 @@
		1	commit 50455f1ab2935f7321215dfa681745c9b1cb5b19
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Thu Dec 1 10:15:07 2016 +0000
		4
		5	Fix seg-fault running addr2line on a corrupt binary.
		6
		7	PR binutils/20891
		8	* aoutx.h (find_nearest_line): Handle the case where the main file
		9	name and the directory name are both empty.
		10
		11	Upstream-Status: backport
		12
		13	CVE: CVE-2017-7225
		14	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		15
		16	Index: git/bfd/ChangeLog
		17	===================================================================
		18	--- git.orig/bfd/ChangeLog 2017-09-04 13:04:20.941485636 +0530
		19	+++ git/bfd/ChangeLog 2017-09-04 13:08:05.003175703 +0530
		20	@@ -120,6 +120,12 @@
		21	* peicode.h (pe_ILF_object_p): Use strnlen to avoid running over
		22	the end of the string buffer.
		23
		24	+2016-12-01 Nick Clifton <nickc@redhat.com>
		25	+
		26	+ PR binutils/20891
		27	+ * aoutx.h (find_nearest_line): Handle the case where the main file
		28	+ name and the directory name are both empty.
		29	+
		30	PR binutils/20892
		31	* aoutx.h (find_nearest_line): Handle the case where the function
		32	name is empty.
		33	Index: git/bfd/aoutx.h
		34	===================================================================
		35	--- git.orig/bfd/aoutx.h 2017-09-04 13:04:20.941485636 +0530
		36	+++ git/bfd/aoutx.h 2017-09-04 13:10:55.856441243 +0530
		37	@@ -2663,7 +2663,7 @@
		38	char *buf;
		39
		40	*filename_ptr = abfd->filename;
		41	- *functionname_ptr = 0;
		42	+ *functionname_ptr = NULL;
		43	*line_ptr = 0;
		44	if (disriminator_ptr)
		45	*disriminator_ptr = 0;
		46	@@ -2808,9 +2808,17 @@
		47	*filename_ptr = main_file_name;
		48	else
		49	{
		50	- sprintf (buf, "%s%s", directory_name, main_file_name);
		51	- *filename_ptr = buf;
		52	- buf += filelen + 1;
		53	+ if (buf == NULL)
		54	+ /* PR binutils/20891: In a corrupt input file both
		55	+ main_file_name and directory_name can be empty... */
		56	+ * filename_ptr = NULL;
		57	+ else
		58	+ {
		59	+ snprintf (buf, filelen + 1, "%s%s", directory_name,
		60	+ main_file_name);
		61	+ *filename_ptr = buf;
		62	+ buf += filelen + 1;
		63	+ }
		64	}
		65	}
		66