Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch | 79 |
1 files changed, 79 insertions, 0 deletions
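diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
new file mode 100644
index 0000000000..310908f86d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
+From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 5 Oct 2017 17:32:18 +1030
+Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
+
+Pointer comparisons have traps for the unwary. After adding a large
+unknown value to "start", the test "start < end" depends on where
+"start" is originally in memory.
+
+PR 22239
+* dwarf.c (read_cie): Don't compare "start" and "end" pointers
+after adding a possibly wild length to "start", compare the length
+to the difference of the pointers instead. Remove now redundant
+"negative" length test.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16828 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+binutils/ChangeLog | 8 ++++++++
+binutils/dwarf.c | 15 ++++-----------
+2 files changed, 12 insertions(+), 11 deletions(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
+{
+READ_ULEB (augmentation_data_len);
+augmentation_data = start;
+- start += augmentation_data_len;
+/* PR 17512: file: 11042-2589-0.004. */
+- if (start > end)
++ if (augmentation_data_len > (size_t) (end - start))
+{
+warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+- augmentation_data_len, (long)((end - start) + augmentation_data_len));
++ augmentation_data_len, (unsigned long) (end - start));
+return end;
+}
++ start += augmentation_data_len;
+}
+
+if (augmentation_data_len)
+@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
+q = augmentation_data;
+qend = q + augmentation_data_len;
+
+- /* PR 17531: file: 015adfaa. */
+- if (qend < q)
+- {
+- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
+- augmentation_data_len = 0;
+- }
+-
+- while (p < end && q < augmentation_data + augmentation_data_len)
++ while (p < end && q < qend)
+{
+if (*p == 'L')
+q++;
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,11 @@
++2017-10-05 Alan Modra <amodra@gmail.com>
++
++ PR 22239
++ * dwarf.c (read_cie): Don't compare "start" and "end" pointers
++ after adding a possibly wild length to "start", compare the length
++ to the difference of the pointers instead. Remove now redundant
++ "negative" length test.
++
+2017-09-27 Nick Clifton <nickc@redhat.com>
+
+PR 22219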
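Review bot: The new guard in the first dwarf.c hunk, `if (augmentation_data_len > (size_t) (end - start))`, is only sound while `start <= end` holds right after `READ_ULEB`; if `start` were ever past `end`, the cast would turn a negative difference into a very large value and every length would pass. The code that establishes that invariant (the macro and the earlier part of read_cie) is outside the hunk, so I would confirm it and record it above the test with a comment such as `/* start <= end here, so the difference is non-negative. */`. The second hunk removes the `qend < q` test, which means `qend = q + augmentation_data_len` now relies entirely on that earlier bound having been applied to the same length; a short comment at that line saying so would keep a later refactor from separating the two. The `Upstream-Status: Backport` line in the patch header would also be easier to audit with the upstream commit reference next to it, since the hash currently appears only in the `From` line.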