Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch | 240 |
1 files changed, 240 insertions, 0 deletions
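diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
new file mode 100644
index 0000000000..d7512b3829
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
+commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
+Author: Nick Clifton <nickc@redhat.com>
+Date: Thu Jul 27 12:04:50 2017 +0100
+
+Fix address violation issues encountered when parsing corrupt binaries.
+
+PR 21840
+* mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+size is -1.
+* nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+with error return.
+* section.c (bfd_make_section_with_flags): Fail if the name or bfd
+are NULL.
+* vms-alpha.c (bfd_make_section_with_flags): Correct computation
+of end pointer.
+(evax_bfd_print_emh): Check for invalid string lengths.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c 2017-08-30 17:21:59.684671218 +0530
++++ git/bfd/mach-o.c 2017-08-30 17:22:19.136813620 +0530
+@@ -3739,6 +3739,9 @@
+}
+else
+{
++ /* See PR 21840 for a reproducer. */
++ if ((sym->strsize + 1) == 0)
++ return FALSE;
+sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
+if (sym->strtab == NULL)
+return FALSE;
+Index: git/bfd/nlmcode.h
+===================================================================
+--- git.orig/bfd/nlmcode.h 2017-08-30 17:21:59.688671247 +0530
++++ git/bfd/nlmcode.h 2017-08-30 17:22:19.140813649 +0530
+@@ -351,7 +351,9 @@
+bfd_byte *contents;
+bfd_byte *p, *pend;
+
+- BFD_ASSERT (hdrLength == 0 && hdr == NULL);
++ /* See PR 21840 for a reproducer. */
++ if (hdrLength != 0 || hdr != NULL)
++ return FALSE;
+
+pos = bfd_tell (abfd);
+if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
+Index: git/bfd/section.c
+===================================================================
+--- git.orig/bfd/section.c 2017-08-30 17:21:59.708671392 +0530
++++ git/bfd/section.c 2017-08-30 17:22:19.140813649 +0530
+@@ -1240,7 +1240,7 @@
+struct section_hash_entry *sh;
+asection *newsect;
+
+- if (abfd->output_has_begun)
++ if (abfd == NULL || name == NULL || abfd->output_has_begun)
+{
+bfd_set_error (bfd_error_invalid_operation);
+return NULL;
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:22:19.080813209 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
+@@ -5562,8 +5562,9 @@
+{
+struct vms_emh_common *emh = (struct vms_emh_common *)rec;
+unsigned int subtype;
++ int extra;
+
+- subtype = (unsigned)bfd_getl16 (emh->subtyp);
++ subtype = (unsigned) bfd_getl16 (emh->subtyp);
+
+fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
+@@ -5573,58 +5574,82 @@
+fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
+return;
+}
+-
++ extra = rec_len - sizeof (struct vms_emh_common);
++
+switch (subtype)
+{
+case EMH__C_MHD:
+{
+- struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
+- const char *name;
++ struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
++ const char * name;
++ const char * nextname;
++ const char * maxname;
+
++ /* PR 21840: Check for invalid lengths. */
++ if (rec_len < sizeof (* mhd))
++ {
++ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
++ return;
++ }
+fprintf (file, _("Module header\n"));
+fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
+fprintf (file, _(" max record size: %u\n"),
+- (unsigned)bfd_getl32 (mhd->recsiz));
++ (unsigned) bfd_getl32 (mhd->recsiz));
+name = (char *)(mhd + 1);
++ maxname = (char *) rec + rec_len;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module name is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module name is too long\n"));
++ return;
++ }
+fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
++ name = nextname;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module version is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module version is too long\n"));
++ return;
++ }
+fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
+- fprintf (file, _(" compile date : %.17s\n"), name);
++ name = nextname;
++ if ((maxname - name) < 17 && maxname[-1] != 0)
++ fprintf (file, _(" Error: The compile date is truncated\n"));
++ else
++ fprintf (file, _(" compile date : %.17s\n"), name);
+}
+break;
++
+case EMH__C_LNM:
+- {
+- fprintf (file, _("Language Processor Name\n"));
+- fprintf (file, _(" language name: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Language Processor Name\n"));
++ fprintf (file, _(" language name: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_SRC:
+- {
+- fprintf (file, _("Source Files Header\n"));
+- fprintf (file, _(" file: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Source Files Header\n"));
++ fprintf (file, _(" file: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_TTL:
+- {
+- fprintf (file, _("Title Text Header\n"));
+- fprintf (file, _(" title: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Title Text Header\n"));
++ fprintf (file, _(" title: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_CPR:
+- {
+- fprintf (file, _("Copyright Header\n"));
+- fprintf (file, _(" copyright: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Copyright Header\n"));
++ fprintf (file, _(" copyright: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+default:
+fprintf (file, _("unhandled emh subtype %u\n"), subtype);
+break;
+Index: git/bfd/vms-misc.c
+===================================================================
+--- git.orig/bfd/vms-misc.c 2017-08-30 17:21:59.716671451 +0530
++++ git/bfd/vms-misc.c 2017-08-30 17:22:19.140813649 +0530
+@@ -135,8 +135,8 @@
+#endif
+
+
+-/* Copy sized string (string with fixed size) to new allocated area
+- size is string size (size of record) */
++/* Copy sized string (string with fixed size) to new allocated area.
++ Size is string size (size of record). */
+
+char *
+_bfd_vms_save_sized_string (unsigned char *str, int size)
+@@ -151,8 +151,8 @@
+return newstr;
+}
+
+-/* Copy counted string (string with size at first byte) to new allocated area
+- ptr points to size byte on entry */
++/* Copy counted string (string with size at first byte) to new allocated area.
++ PTR points to size byte on entry. */
+
+char *
+_bfd_vms_save_counted_string (unsigned char *ptr)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:22:19.080813209 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:23:51.069502425 +0530
+@@ -1,3 +1,16 @@
++2017-07-27 Nick Clifton <nickc@redhat.com>
++
++ PR 21840
++ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
++ size is -1.
++ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
++ with error return.
++ * section.c (bfd_make_section_with_flags): Fail if the name or bfd
++ are NULL.
++ * vms-alpha.c (bfd_make_section_with_flags): Correct computation
++ of end pointer.
++ (evax_bfd_print_emh): Check for invalid string lengths.
++
+2017-07-19 Nick Clifton <nickc@redhat.com>
+
+PR 21787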
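Review bot: In the `evax_bfd_print_emh` hunk of the added patch, the counted-string length byte is read through `const char * name`, so where plain `char` is signed a length byte of 0x80 or above makes `name[0]` negative. `nextname = name + name[0] + 1` then moves backwards and passes the `nextname >= maxname` test, and the negative precision passed to `%.*s` is treated by printf as no precision, so the read runs to the next NUL instead of stopping inside the record. Declaring `name`, `nextname` and `maxname` as `const unsigned char *`, with a `(const char *)` cast on `name + 1` at the `fprintf` calls, would keep the length in 0–255 and make both bounds checks effective; the function begins and ends outside the hunks shown. Separately, the tag `CVE: CVE-2017-12449_12455_12457` and the file name fuse three identifiers into one token, so tooling that matches full `CVE-YYYY-NNNN` ids would presumably record only the first. Writing `CVE: CVE-2017-12449 CVE-2017-12455 CVE-2017-12457` keeps all three visible to CVE tracking.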