Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch | 97 |
1 files changed, 97 insertions, 0 deletions
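--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
@@ -0,0 +1,97 @@
+commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jun 19 14:52:36 2017 +0100
+
+Fix address violations when reading corrupt VMS records.
+
+PR binutils/21618
+* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+length.
+(evax_bfd_print_eeom): Likewise.
+(evax_bfd_print_egsd): Check for an overlarge record length.
+(evax_bfd_print_etir): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:08:27.408159234 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
+@@ -5567,6 +5567,13 @@
+
+fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* emh))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
++ return;
++ }
++
+switch (subtype)
+{
+case EMH__C_MHD:
+@@ -5630,6 +5637,14 @@
+struct vms_eeom *eeom = (struct vms_eeom *)rec;
+
+fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
++
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* eeom))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
++ return;
++ }
++
+fprintf (file, _(" number of cond linkage pairs: %u\n"),
+(unsigned)bfd_getl32 (eeom->total_lps));
+fprintf (file, _(" completion code: %u\n"),
+@@ -5718,6 +5733,12 @@
+n, type, len);
+n++;
+
++ if (off + len > rec_len || off + len < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+switch (type)
+{
+case EGSD__C_PSC:
+@@ -5958,6 +5979,12 @@
+size = bfd_getl16 (etir->size);
+buf = rec + off + sizeof (struct vms_etir);
+
++ if (off + size > rec_len || off + size < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
+switch (type)
+{
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:08:43.612213596 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:13:27.217438742 +0530
+@@ -5,6 +5,15 @@
+correct magic bytes at the start, set the error to wrong format
+and clear the format selector before returning NULL.
+
++ 2017-06-19 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21618
++ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
++ length.
++ (evax_bfd_print_eeom): Likewise.
++ (evax_bfd_print_egsd): Check for an overlarge record length.
++ (evax_bfd_print_etir): Likewise.
++
+2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+* readelf.c (process_mips_specific): Remove error reporting from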
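Review bot: The two sub-record guards (`off + len > rec_len || off + len < off` in evax_bfd_print_egsd and the matching `off + size` test in evax_bfd_print_etir) only cap the declared length from above; they do not reject a length shorter than the sub-record header, and in the etir hunk `bfd_getl16 (etir->size)` is read before anything confirms that the header itself lies inside `rec_len`. A `size` smaller than the 4-byte header implied by the `4+%3u` format passes the guard and reaches `size - 4` in the next fprintf, and if the enclosing loop advances by `size` (the loop is outside the hunk) a zero length would make no progress. A lower bound such as `if (size < sizeof (struct vms_etir) || off + size > rec_len || off + size < off)` would close that, preferably by carrying the matching upstream follow-up, if one exists, rather than editing this backport locally. Separately, `CVE: CVE-2017-12449_12455_12457` is not a list of identifiers; writing `CVE: CVE-2017-12449 CVE-2017-12455 CVE-2017-12457` lets CVE-tracking tooling that matches full IDs record all three as patched.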