diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch new file mode 100644 index 0000000000..f95295f183 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | From 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f Mon Sep 17 00:00:00 2001 | ||
2 | From: "H.J. Lu" <hjl.tools@gmail.com> | ||
3 | Date: Mon, 26 Jun 2017 09:24:49 -0700 | ||
4 | Subject: [PATCH] Check file size before getting section contents | ||
5 | |||
6 | Don't check the section size in bfd_get_full_section_contents since | ||
7 | the size of a decompressed section may be larger than the file size. | ||
8 | Instead, check file size in _bfd_generic_get_section_contents. | ||
9 | |||
10 | PR binutils/21665 | ||
11 | * compress.c (bfd_get_full_section_contents): Don't check the | ||
12 | file size here. | ||
13 | * libbfd.c (_bfd_generic_get_section_contents): Check for and | ||
14 | reject a section whoes size + offset is greater than the size | ||
15 | of the entire file. | ||
16 | (_bfd_generic_get_section_contents_in_window): Likewise. | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2017-9955 #2 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | bfd/ChangeLog | 10 +++++++++- | ||
24 | bfd/compress.c | 8 +------- | ||
25 | bfd/libbfd.c | 17 ++++++++++++++++- | ||
26 | 3 files changed, 26 insertions(+), 9 deletions(-) | ||
27 | |||
28 | Index: git/bfd/compress.c | ||
29 | =================================================================== | ||
30 | --- git.orig/bfd/compress.c | ||
31 | +++ git/bfd/compress.c | ||
32 | @@ -239,12 +239,6 @@ bfd_get_full_section_contents (bfd *abfd | ||
33 | *ptr = NULL; | ||
34 | return TRUE; | ||
35 | } | ||
36 | - else if (bfd_get_file_size (abfd) > 0 | ||
37 | - && sz > (bfd_size_type) bfd_get_file_size (abfd)) | ||
38 | - { | ||
39 | - *ptr = NULL; | ||
40 | - return FALSE; | ||
41 | - } | ||
42 | |||
43 | switch (sec->compress_status) | ||
44 | { | ||
45 | @@ -260,7 +254,7 @@ bfd_get_full_section_contents (bfd *abfd | ||
46 | /* xgettext:c-format */ | ||
47 | (_("error: %B(%A) is too large (%#lx bytes)"), | ||
48 | abfd, sec, (long) sz); | ||
49 | - return FALSE; | ||
50 | + return FALSE; | ||
51 | } | ||
52 | } | ||
53 | |||
54 | Index: git/bfd/libbfd.c | ||
55 | =================================================================== | ||
56 | --- git.orig/bfd/libbfd.c | ||
57 | +++ git/bfd/libbfd.c | ||
58 | @@ -780,6 +780,7 @@ _bfd_generic_get_section_contents (bfd * | ||
59 | bfd_size_type count) | ||
60 | { | ||
61 | bfd_size_type sz; | ||
62 | + file_ptr filesz; | ||
63 | if (count == 0) | ||
64 | return TRUE; | ||
65 | |||
66 | @@ -802,8 +803,15 @@ _bfd_generic_get_section_contents (bfd * | ||
67 | sz = section->rawsize; | ||
68 | else | ||
69 | sz = section->size; | ||
70 | + filesz = bfd_get_file_size (abfd); | ||
71 | + if (filesz < 0) | ||
72 | + { | ||
73 | + /* This should never happen. */ | ||
74 | + abort (); | ||
75 | + } | ||
76 | if (offset + count < count | ||
77 | - || offset + count > sz) | ||
78 | + || offset + count > sz | ||
79 | + || (section->filepos + offset + sz) > (bfd_size_type) filesz) | ||
80 | { | ||
81 | bfd_set_error (bfd_error_invalid_operation); | ||
82 | return FALSE; | ||
83 | @@ -826,6 +834,7 @@ _bfd_generic_get_section_contents_in_win | ||
84 | { | ||
85 | #ifdef USE_MMAP | ||
86 | bfd_size_type sz; | ||
87 | + file_ptr filesz; | ||
88 | |||
89 | if (count == 0) | ||
90 | return TRUE; | ||
91 | @@ -858,7 +867,13 @@ _bfd_generic_get_section_contents_in_win | ||
92 | sz = section->rawsize; | ||
93 | else | ||
94 | sz = section->size; | ||
95 | + filesz = bfd_get_file_size (abfd); | ||
96 | + { | ||
97 | + /* This should never happen. */ | ||
98 | + abort (); | ||
99 | + } | ||
100 | if (offset + count > sz | ||
101 | + || (section->filepos + offset + sz) > (bfd_size_type) filesz | ||
102 | || ! bfd_get_file_window (abfd, section->filepos + offset, count, w, | ||
103 | TRUE)) | ||
104 | return FALSE; | ||
105 | Index: git/bfd/ChangeLog | ||
106 | =================================================================== | ||
107 | --- git.orig/bfd/ChangeLog | ||
108 | +++ git/bfd/ChangeLog | ||
109 | @@ -1,3 +1,13 @@ | ||
110 | +2017-06-26 H.J. Lu <hongjiu.lu@intel.com> | ||
111 | + | ||
112 | + PR binutils/21665 | ||
113 | + * compress.c (bfd_get_full_section_contents): Don't check the | ||
114 | + file size here. | ||
115 | + * libbfd.c (_bfd_generic_get_section_contents): Check for and | ||
116 | + reject a section whoes size + offset is greater than the size | ||
117 | + of the entire file. | ||
118 | + (_bfd_generic_get_section_contents_in_window): Likewise. | ||
119 | + | ||
120 | 2017-06-26 Nick Clifton <nickc@redhat.com> | ||
121 | |||
122 | PR binutils/21665 | ||