summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch95
2 files changed, 96 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 73af74c0a8..e6cfe33859 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
53 file://CVE-2017-15939.patch \ 53 file://CVE-2017-15939.patch \
54 file://CVE-2017-15996.patch \ 54 file://CVE-2017-15996.patch \
55 file://CVE-2017-16826.patch \ 55 file://CVE-2017-16826.patch \
56 file://CVE-2017-16827.patch \
56" 57"
57S = "${WORKDIR}/git" 58S = "${WORKDIR}/git"
58 59
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
new file mode 100644
index 0000000000..dbc577c8e0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
@@ -0,0 +1,95 @@
1From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Tue, 17 Oct 2017 16:43:47 +1030
4Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
5
6 PR 22306
7 * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
8 and error for any other size that doesn't cover the header word.
9
10Upstream-Status: Backport
11Affects: <= 2.29.1
12CVE: CVE-2017-16827
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15---
16 bfd/ChangeLog | 6 ++++++
17 bfd/aoutx.h | 45 ++++++++++++++++++++++++++++++---------------
18 2 files changed, 36 insertions(+), 15 deletions(-)
19
20Index: git/bfd/aoutx.h
21===================================================================
22--- git.orig/bfd/aoutx.h
23+++ git/bfd/aoutx.h
24@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd)
25 || bfd_bread ((void *) string_chars, amt, abfd) != amt)
26 return FALSE;
27 stringsize = GET_WORD (abfd, string_chars);
28+ if (stringsize == 0)
29+ stringsize = 1;
30+ else if (stringsize < BYTES_IN_WORD
31+ || (size_t) stringsize != stringsize)
32+ {
33+ bfd_set_error (bfd_error_bad_value);
34+ return FALSE;
35+ }
36
37 #ifdef USE_MMAP
38- if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
39- &obj_aout_string_window (abfd), TRUE))
40- return FALSE;
41- strings = (char *) obj_aout_string_window (abfd).data;
42-#else
43- strings = (char *) bfd_malloc (stringsize + 1);
44- if (strings == NULL)
45- return FALSE;
46-
47- /* Skip space for the string count in the buffer for convenience
48- when using indexes. */
49- amt = stringsize - BYTES_IN_WORD;
50- if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
51+ if (stringsize >= BYTES_IN_WORD)
52 {
53- free (strings);
54- return FALSE;
55+ if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
56+ &obj_aout_string_window (abfd), TRUE))
57+ return FALSE;
58+ strings = (char *) obj_aout_string_window (abfd).data;
59 }
60+ else
61 #endif
62+ {
63+ strings = (char *) bfd_malloc (stringsize);
64+ if (strings == NULL)
65+ return FALSE;
66
67+ if (stringsize >= BYTES_IN_WORD)
68+ {
69+ /* Keep the string count in the buffer for convenience
70+ when indexing with e_strx. */
71+ amt = stringsize - BYTES_IN_WORD;
72+ if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
73+ {
74+ free (strings);
75+ return FALSE;
76+ }
77+ }
78+ }
79 /* Ensure that a zero index yields an empty string. */
80 strings[0] = '\0';
81
82Index: git/bfd/ChangeLog
83===================================================================
84--- git.orig/bfd/ChangeLog
85+++ git/bfd/ChangeLog
86@@ -1,3 +1,9 @@
87+2017-10-17 Alan Modra <amodra@gmail.com>
88+
89+ PR 22306
90+ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
91+ and error for any other size that doesn't cover the header word.
92+
93 2017-11-01 Nick Clifton <nickc@redhat.com>
94
95 PR 22376