diff options
author | Armin Kuster <akuster@mvista.com> | 2016-05-06 00:11:56 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-05-17 14:43:30 +0100 |
commit | a1928c81e6f6d81e4b50c1d295758b20a2778a61 (patch) | |
tree | 8405a11bab9030c2282b6b9c973a55a9bddbd7ea /meta | |
parent | 23f00321e97abebbfe1298691487f5bb0dbcf2b4 (diff) | |
download | poky-a1928c81e6f6d81e4b50c1d295758b20a2778a61.tar.gz |
gcc: Security fix CVE-2016-2226
(From OE-Core rev: 9b85d69584fdb0d2c607fa820b4515ee38202ab9)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-5.3.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch | 103 |
2 files changed, 104 insertions, 0 deletions
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc index 11287e4f94..2ba25a1cec 100644 --- a/meta/recipes-devtools/gcc/gcc-5.3.inc +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc | |||
@@ -92,6 +92,7 @@ SRC_URI = "\ | |||
92 | file://0060-remove-prototypes-cfns.patch \ | 92 | file://0060-remove-prototypes-cfns.patch \ |
93 | file://CVE-2016-4488.patch \ | 93 | file://CVE-2016-4488.patch \ |
94 | file://CVE-2016-4489.patch \ | 94 | file://CVE-2016-4489.patch \ |
95 | file://CVE-2016-2226.patch \ | ||
95 | " | 96 | " |
96 | 97 | ||
97 | BACKPORTS = "" | 98 | BACKPORTS = "" |
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch new file mode 100644 index 0000000000..4decb84cdd --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch | |||
@@ -0,0 +1,103 @@ | |||
1 | From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001 | ||
2 | From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4> | ||
3 | Date: Fri, 8 Apr 2016 12:10:21 +0000 | ||
4 | Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?= | ||
5 | =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?= | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | PR c++/69687 | ||
11 | * cplus-dem.c: Include <limits.h> if available. | ||
12 | (INT_MAX): Define if necessary. | ||
13 | (remember_type, remember_Ktype, register_Btype, string_need): | ||
14 | Abort if we detect cases where we the size of the allocation would | ||
15 | overflow. | ||
16 | |||
17 | |||
18 | |||
19 | git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4 | ||
20 | Upstream-Status: Backport | ||
21 | CVE: CVE-2016-2226 | ||
22 | |||
23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
24 | |||
25 | --- | ||
26 | libiberty/ChangeLog | 7 +++++++ | ||
27 | libiberty/cplus-dem.c | 15 +++++++++++++++ | ||
28 | 2 files changed, 22 insertions(+) | ||
29 | |||
30 | diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog | ||
31 | index 8e82a5f..2a34356 100644 | ||
32 | --- a/libiberty/ChangeLog | ||
33 | +++ b/libiberty/ChangeLog | ||
34 | @@ -1,5 +1,12 @@ | ||
35 | 2016-04-08 Marcel Böhme <boehme.marcel@gmail.com> | ||
36 | |||
37 | + PR c++/69687 | ||
38 | + * cplus-dem.c: Include <limits.h> if available. | ||
39 | + (INT_MAX): Define if necessary. | ||
40 | + (remember_type, remember_Ktype, register_Btype, string_need): | ||
41 | + Abort if we detect cases where we the size of the allocation would | ||
42 | + overflow. | ||
43 | + | ||
44 | PR c++/70498 | ||
45 | * cplus-dem.c (gnu_special): Handle case where consume_count returns | ||
46 | -1. | ||
47 | diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c | ||
48 | index abba234..7514e57 100644 | ||
49 | --- a/libiberty/cplus-dem.c | ||
50 | +++ b/libiberty/cplus-dem.c | ||
51 | @@ -56,6 +56,13 @@ void * malloc (); | ||
52 | void * realloc (); | ||
53 | #endif | ||
54 | |||
55 | +#ifdef HAVE_LIMITS_H | ||
56 | +#include <limits.h> | ||
57 | +#endif | ||
58 | +#ifndef INT_MAX | ||
59 | +# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */ | ||
60 | +#endif | ||
61 | + | ||
62 | #include <demangle.h> | ||
63 | #undef CURRENT_DEMANGLING_STYLE | ||
64 | #define CURRENT_DEMANGLING_STYLE work->options | ||
65 | @@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len) | ||
66 | } | ||
67 | else | ||
68 | { | ||
69 | + if (work -> typevec_size > INT_MAX / 2) | ||
70 | + xmalloc_failed (INT_MAX); | ||
71 | work -> typevec_size *= 2; | ||
72 | work -> typevec | ||
73 | = XRESIZEVEC (char *, work->typevec, work->typevec_size); | ||
74 | @@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len) | ||
75 | } | ||
76 | else | ||
77 | { | ||
78 | + if (work -> ksize > INT_MAX / 2) | ||
79 | + xmalloc_failed (INT_MAX); | ||
80 | work -> ksize *= 2; | ||
81 | work -> ktypevec | ||
82 | = XRESIZEVEC (char *, work->ktypevec, work->ksize); | ||
83 | @@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work) | ||
84 | } | ||
85 | else | ||
86 | { | ||
87 | + if (work -> bsize > INT_MAX / 2) | ||
88 | + xmalloc_failed (INT_MAX); | ||
89 | work -> bsize *= 2; | ||
90 | work -> btypevec | ||
91 | = XRESIZEVEC (char *, work->btypevec, work->bsize); | ||
92 | @@ -4771,6 +4784,8 @@ string_need (string *s, int n) | ||
93 | else if (s->e - s->p < n) | ||
94 | { | ||
95 | tem = s->p - s->b; | ||
96 | + if (n > INT_MAX / 2 - tem) | ||
97 | + xmalloc_failed (INT_MAX); | ||
98 | n += tem; | ||
99 | n *= 2; | ||
100 | s->b = XRESIZEVEC (char, s->b, n); | ||
101 | -- | ||
102 | 2.3.5 | ||
103 | |||