Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch | 187 |
1 files changed, 187 insertions, 0 deletions
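diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
new file mode 100644
index 0000000000..45dd974672
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_8.patch
@@ -0,0 +1,187 @@
+From bae7501e87ab614115d9d3213b4dd18d96e604db Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 1 Jul 2017 21:58:10 +0930
+Subject: [PATCH] Use bfd_malloc_and_get_section
+
+It's nicer than xmalloc followed by bfd_get_section_contents, since
+xmalloc exits on failure and needs a check that its size_t arg doesn't
+lose high bits when converted from bfd_size_type.
+
+PR binutils/21665
+* objdump.c (strtab): Make var a bfd_byte*.
+(disassemble_section): Don't limit malloc size. Instead, use
+bfd_malloc_and_get_section.
+(read_section_stabs): Use bfd_malloc_and_get_section. Return
+bfd_byte*.
+(find_stabs_section): Remove now unnecessary cast.
+* objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
+contents on error return.
+* nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9955 #8
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+binutils/ChangeLog | 13 +++++++++++++
+binutils/nlmconv.c | 6 ++----
+binutils/objcopy.c | 5 +++--
+binutils/objdump.c | 44 +++++++-------------------------------------
+4 files changed, 25 insertions(+), 43 deletions(-)
+
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,16 @@
++2017-07-01 Alan Modra <amodra@gmail.com>
++
++ PR binutils/21665
++ * objdump.c (strtab): Make var a bfd_byte*.
++ (disassemble_section): Don't limit malloc size. Instead, use
++ bfd_malloc_and_get_section.
++ (read_section_stabs): Use bfd_malloc_and_get_section. Return
++ bfd_byte*.
++ (find_stabs_section): Remove now unnecessary cast.
++ * objcopy.c (copy_object): Use bfd_malloc_and_get_section. Free
++ contents on error return.
++ * nlmconv.c (copy_sections): Use bfd_malloc_and_get_section.
++
+2017-06-30 Nick Clifton <nickc@redhat.com>
+
+PR binutils/21665
+Index: git/binutils/nlmconv.c
+===================================================================
+--- git.orig/binutils/nlmconv.c
++++ git/binutils/nlmconv.c
+@@ -1224,7 +1224,7 @@ copy_sections (bfd *inbfd, asection *ins
+const char *inname;
+asection *outsec;
+bfd_size_type size;
+- void *contents;
++ bfd_byte *contents;
+long reloc_size;
+bfd_byte buf[4];
+bfd_size_type add;
+@@ -1240,9 +1240,7 @@ copy_sections (bfd *inbfd, asection *ins
+contents = NULL;
+else
+{
+- contents = xmalloc (size);
+- if (! bfd_get_section_contents (inbfd, insec, contents,
+- (file_ptr) 0, size))
++ if (!bfd_malloc_and_get_section (inbfd, insec, &contents))
+bfd_fatal (bfd_get_filename (inbfd));
+}
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -180,7 +180,7 @@ static long dynsymcount = 0;
+static bfd_byte *stabs;
+static bfd_size_type stab_size;
+
+-static char *strtab;
++static bfd_byte *strtab;
+static bfd_size_type stabstr_size;
+
+static bfd_boolean is_relocatable = FALSE;
+@@ -2112,29 +2112,6 @@ disassemble_section (bfd *abfd, asection
+}
+rel_ppend = rel_pp + rel_count;
+
+- /* PR 21665: Check for overlarge datasizes.
+- Note - we used to check for "datasize > bfd_get_file_size (abfd)" but
+- this fails when using compressed sections or compressed file formats
+- (eg MMO, tekhex).
+-
+- The call to xmalloc below will fail if too much memory is requested,
+- which will catch the problem in the normal use case. But if a memory
+- checker is in use, eg valgrind or sanitize, then an exception will
+- be still generated, so we try to catch the problem first.
+-
+- Unfortunately there is no simple way to determine how much memory can
+- be allocated by calling xmalloc. So instead we use a simple, arbitrary
+- limit of 2Gb. Hopefully this should be enough for most users. If
+- someone does start trying to disassemble sections larger then 2Gb in
+- size they will doubtless complain and we can increase the limit. */
+-#define MAX_XMALLOC (1024 * 1024 * 1024 * 2UL) /* 2Gb */
+- if (datasize > MAX_XMALLOC)
+- {
+- non_fatal (_("Reading section %s failed because it is too big (%#lx)"),
+- section->name, (unsigned long) datasize);
+- return;
+- }
+-
+data = (bfd_byte *) xmalloc (datasize);
+
+bfd_get_section_contents (abfd, section, data, 0, datasize);
+@@ -2652,12 +2629,11 @@ dump_dwarf (bfd *abfd)
+/* Read ABFD's stabs section STABSECT_NAME, and return a pointer to
+it. Return NULL on failure. */
+
+-static char *
++static bfd_byte *
+read_section_stabs (bfd *abfd, const char *sect_name, bfd_size_type *size_ptr)
+{
+asection *stabsect;
+- bfd_size_type size;
+- char *contents;
++ bfd_byte *contents;
+
+stabsect = bfd_get_section_by_name (abfd, sect_name);
+if (stabsect == NULL)
+@@ -2666,10 +2642,7 @@ read_section_stabs (bfd *abfd, const cha
+return FALSE;
+}
+
+- size = bfd_section_size (abfd, stabsect);
+- contents = (char *) xmalloc (size);
+-
+- if (! bfd_get_section_contents (abfd, stabsect, contents, 0, size))
++ if (!bfd_malloc_and_get_section (abfd, stabsect, &contents))
+{
+non_fatal (_("reading %s section of %s failed: %s"),
+sect_name, bfd_get_filename (abfd),
+@@ -2679,7 +2652,7 @@ read_section_stabs (bfd *abfd, const cha
+return NULL;
+}
+
+- *size_ptr = size;
++ *size_ptr = bfd_section_size (abfd, stabsect);
+
+return contents;
+}
+@@ -2806,8 +2779,7 @@ find_stabs_section (bfd *abfd, asection
+
+if (strtab)
+{
+- stabs = (bfd_byte *) read_section_stabs (abfd, section->name,
+- &stab_size);
++ stabs = read_section_stabs (abfd, section->name, &stab_size);
+if (stabs)
+print_section_stabs (abfd, section->name, &sought->string_offset);
+}
+Index: git/binutils/objcopy.c
+===================================================================
+--- git.orig/binutils/objcopy.c
++++ git/binutils/objcopy.c
+@@ -2186,14 +2186,15 @@ copy_object (bfd *ibfd, bfd *obfd, const
+continue;
+}
+
+- bfd_byte * contents = xmalloc (size);
+- if (bfd_get_section_contents (ibfd, sec, contents, 0, size))
++ bfd_byte *contents;
++ if (bfd_malloc_and_get_section (ibfd, sec, &contents))
+{
+if (fwrite (contents, 1, size, f) != size)
+{
+non_fatal (_("error writing section contents to %s (error: %s)"),
+pdump->filename,
+strerror (errno));
++ free (contents);
+return FALSE;
+}
+}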
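Review bot: The `disassemble_section` hunk in objdump.c deletes the `MAX_XMALLOC` size guard but keeps `data = (bfd_byte *) xmalloc (datasize);` and the unchecked `bfd_get_section_contents` call as context, although the ChangeLog entry says this function now uses `bfd_malloc_and_get_section`. As backported, a section whose header declares a very large size reaches `xmalloc` with no bound, so objdump exits on the failed allocation (or `datasize` loses high bits in the `size_t` conversion the commit message mentions), and a failed read goes unnoticed. Unless another patch in this series makes the replacement, those two context lines should become a checked `bfd_malloc_and_get_section` call that reports the error and returns, as sketched below. The function starts and ends outside the hunk, so the declared type of `data` and anything else that needs releasing on the early return must be confirmed against the full file.

```c
  rel_ppend = rel_pp + rel_count;

  /* Let BFD allocate and read the section; a FALSE return is reported
     here rather than exiting inside xmalloc.  */
  if (!bfd_malloc_and_get_section (abfd, section, &data))
    {
      non_fatal (_("Reading section %s failed because: %s"),
                 section->name, bfd_errmsg (bfd_get_error ()));
      return;
    }
  /* … unchanged: rest of disassemble_section … */
```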