Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch | 180 |
1 files changed, 180 insertions, 0 deletions
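--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+PR 23994
+* aoutx.h: Include limits.h.
+(get_reloc_upper_bound): Detect long overflow and return a file
+too big error if it occurs.
+* elf.c: Include limits.h.
+(_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+a file too big error if it occurs.
+(_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+(_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+bfd/elf.c | 32 ++++++++++++++++++++++++--------
+2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+#define KEEPIT udata.i
+
+#include "sysdep.h"
++#include <limits.h>
+#include "bfd.h"
+#include "safe-ctype.h"
+#include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+long
+NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+{
++ bfd_size_type count;
++
+if (bfd_get_format (abfd) != bfd_object)
+{
+bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+}
+
+if (asect->flags & SEC_CONSTRUCTOR)
+- return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+- if (asect == obj_datasec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_textsec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_bsssec (abfd))
+- return sizeof (arelent *);
+-
+- if (asect == obj_bsssec (abfd))
+- return 0;
++ count = asect->reloc_count;
++ else if (asect == obj_datasec (abfd))
++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_textsec (abfd))
++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_bsssec (abfd))
++ count = 0;
++ else
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ return -1;
++ }
+
+- bfd_set_error (bfd_error_invalid_operation);
+- return -1;
++ if (count >= LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ return (count + 1) * sizeof (arelent *);
+}
+
+long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+/* For sparc64-cross-sparc32. */
+#define _SYSCALL32
+#include "sysdep.h"
++#include <limits.h>
+#include "bfd.h"
+#include "bfdlink.h"
+#include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+long
+_bfd_elf_get_symtab_upper_bound (bfd *abfd)
+{
+- long symcount;
++ bfd_size_type symcount;
+long symtab_size;
+Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+
+symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+symtab_size = (symcount + 1) * (sizeof (asymbol *));
+if (symcount > 0)
+symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+long
+_bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+{
+- long symcount;
++ bfd_size_type symcount;
+long symtab_size;
+Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+}
+
+symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+symtab_size = (symcount + 1) * (sizeof (asymbol *));
+if (symcount > 0)
+symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+long
+_bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+{
+- long ret;
++ bfd_size_type count;
+asection *s;
+
+if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+return -1;
+}
+
+- ret = sizeof (arelent *);
++ count = 1;
+for (s = abfd->sections; s != NULL; s = s->next)
+if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+&& (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+|| elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+- * sizeof (arelent *));
+-
+- return ret;
++ {
++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
++ if (count > LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ }
++ return count * sizeof (arelent *);
+}
+
+/* Canonicalize the dynamic relocation entries. Note that we return the
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+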
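Review bot: In `_bfd_elf_get_dynamic_reloc_upper_bound` the new bound is tested only after `count += s->size / elf_section_data (s)->this_hdr.sh_entsize`, so the addition itself can still wrap in `bfd_size_type` before the comparison runs, and a wrapped `count` would pass the `LONG_MAX` test. Checking the per-section quotient before adding closes that gap: compute `n = s->size / ...sh_entsize;`, reject with `if (n > LONG_MAX / sizeof (arelent *) - count)`, and only then do `count += n;`. The divisor `sh_entsize` is also read from the file's section header and no zero check is visible in the lines shown; a few lines of the function fall between the two hunks, so if zero is not rejected there or earlier in the loader, a guard belongs beside this division. The checks added to the a.out and symtab functions compare before multiplying and do not share this ordering problem.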