diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch new file mode 100644 index 0000000000..1382c8e3e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch | |||
@@ -0,0 +1,91 @@ | |||
1 | From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mingi Cho <mgcho.minic@gmail.com> | ||
3 | Date: Thu, 2 Nov 2017 17:01:08 +0000 | ||
4 | Subject: [PATCH] Work around integer overflows when readelf is checking for | ||
5 | corrupt ELF notes when run on a 32-bit host. | ||
6 | |||
7 | PR 22384 | ||
8 | * readelf.c (print_gnu_property_note): Improve overflow checks so | ||
9 | that they will work on a 32-bit host. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | Affects: <= 2.29.1 | ||
13 | CVE: CVE-2017-16830 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | binutils/ChangeLog | 6 ++++++ | ||
18 | binutils/readelf.c | 33 +++++++++++++++++---------------- | ||
19 | 2 files changed, 23 insertions(+), 16 deletions(-) | ||
20 | |||
21 | Index: git/binutils/readelf.c | ||
22 | =================================================================== | ||
23 | --- git.orig/binutils/readelf.c | ||
24 | +++ git/binutils/readelf.c | ||
25 | @@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No | ||
26 | return; | ||
27 | } | ||
28 | |||
29 | - while (1) | ||
30 | + while (ptr < ptr_end) | ||
31 | { | ||
32 | unsigned int j; | ||
33 | - unsigned int type = byte_get (ptr, 4); | ||
34 | - unsigned int datasz = byte_get (ptr + 4, 4); | ||
35 | + unsigned int type; | ||
36 | + unsigned int datasz; | ||
37 | + | ||
38 | + if ((size_t) (ptr_end - ptr) < 8) | ||
39 | + { | ||
40 | + printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz); | ||
41 | + break; | ||
42 | + } | ||
43 | + | ||
44 | + type = byte_get (ptr, 4); | ||
45 | + datasz = byte_get (ptr + 4, 4); | ||
46 | |||
47 | ptr += 8; | ||
48 | |||
49 | - if ((ptr + datasz) > ptr_end) | ||
50 | + if (datasz > (size_t) (ptr_end - ptr)) | ||
51 | { | ||
52 | printf (_("<corrupt type (%#x) datasz: %#x>\n"), | ||
53 | type, datasz); | ||
54 | @@ -16520,19 +16529,11 @@ next: | ||
55 | ptr += ((datasz + (size - 1)) & ~ (size - 1)); | ||
56 | if (ptr == ptr_end) | ||
57 | break; | ||
58 | - else | ||
59 | - { | ||
60 | - if (do_wide) | ||
61 | - printf (", "); | ||
62 | - else | ||
63 | - printf ("\n\t"); | ||
64 | - } | ||
65 | |||
66 | - if (ptr > (ptr_end - 8)) | ||
67 | - { | ||
68 | - printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz); | ||
69 | - break; | ||
70 | - } | ||
71 | + if (do_wide) | ||
72 | + printf (", "); | ||
73 | + else | ||
74 | + printf ("\n\t"); | ||
75 | } | ||
76 | |||
77 | printf ("\n"); | ||
78 | Index: git/binutils/ChangeLog | ||
79 | =================================================================== | ||
80 | --- git.orig/binutils/ChangeLog | ||
81 | +++ git/binutils/ChangeLog | ||
82 | @@ -1,3 +1,9 @@ | ||
83 | +2017-11-02 Mingi Cho <mgcho.minic@gmail.com> | ||
84 | + | ||
85 | + PR 22384 | ||
86 | + * readelf.c (print_gnu_property_note): Improve overflow checks so | ||
87 | + that they will work on a 32-bit host. | ||
88 | + | ||
89 | 2017-10-05 Alan Modra <amodra@gmail.com> | ||
90 | |||
91 | PR 22239 | ||