summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
diff options
context:
space:
mode:
authorTrevor Gamblin <trevor.gamblin@windriver.com>2019-10-25 10:11:45 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-10-31 16:09:34 +0000
commitefea2749d28e641af6eceff90e10ccabb341ee64 (patch)
treeab96c3e1b9707cc16ab13bb4be51a03ec15d7475 /meta/recipes-devtools
parentab808af9fda7ad4690024831ae9ce5dd6568acfe (diff)
downloadpoky-efea2749d28e641af6eceff90e10ccabb341ee64.tar.gz
binutils: fix CVE-2019-17451
Backport upstream fix. No upstream release version of binutils it yet, so backport the fix independently. (From OE-Core rev: 3693a0a8b9461521b95613a76b7fd79c86a3bf8f) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.32.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch51
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 1e96cf494d..349c3e1154 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
50 file://CVE-2019-14250.patch \ 50 file://CVE-2019-14250.patch \
51 file://CVE-2019-14444.patch \ 51 file://CVE-2019-14444.patch \
52 file://CVE-2019-17450.patch \ 52 file://CVE-2019-17450.patch \
53 file://CVE-2019-17451.patch \
53" 54"
54S = "${WORKDIR}/git" 55S = "${WORKDIR}/git"
55 56
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
new file mode 100644
index 0000000000..b36a532668
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,51 @@
1From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Wed, 9 Oct 2019 10:47:13 +1030
4Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
5
6Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
7file. There are newer versions of binutils, but none of them contain the
8commit fixing CVE-2019-17451, so backport it to master and zeus.
9
10Upstream-Status: Backport
11[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
12CVE: CVE-2019-17451
13Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
14
15
16Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
17and ffffd5555453b140 result in a total size of 1. Reading the first
18section of course overflows the buffer and tramples on other memory.
19
20 PR 25070
21 * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
22 total_size calculation.
23---
24 bfd/dwarf2.c | 11 ++++++++++-
25 1 file changed, 10 insertions(+), 1 deletion(-)
26
27diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
28index 0b4e485582..a91597b1d0 100644
29--- a/bfd/dwarf2.c
30+++ b/bfd/dwarf2.c
31@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
32 for (total_size = 0;
33 msec;
34 msec = find_debug_info (debug_bfd, debug_sections, msec))
35- total_size += msec->size;
36+ {
37+ /* Catch PR25070 testcase overflowing size calculation here. */
38+ if (total_size + msec->size < total_size
39+ || total_size + msec->size < msec->size)
40+ {
41+ bfd_set_error (bfd_error_no_memory);
42+ return FALSE;
43+ }
44+ total_size += msec->size;
45+ }
46
47 stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
48 if (stash->info_ptr_memory == NULL)
49--
502.23.0
51