diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch new file mode 100644 index 0000000000..cef10a7546 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Thu, 20 Sep 2018 18:23:17 +0930 | ||
4 | Subject: [PATCH] PR23685, buffer overflow | ||
5 | |||
6 | PR 23685 | ||
7 | * peXXigen.c (pe_print_edata): Correct export address table | ||
8 | overflow checks. Check dataoff against section size too. | ||
9 | |||
10 | CVE: CVE-2018-17360 | ||
11 | Upstream-Status: Backport | ||
12 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
13 | --- | ||
14 | bfd/ChangeLog | 6 ++++++ | ||
15 | bfd/peXXigen.c | 11 ++++++----- | ||
16 | 2 files changed, 12 insertions(+), 5 deletions(-) | ||
17 | |||
18 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
19 | index fef5479..81b9e56 100644 | ||
20 | --- a/bfd/ChangeLog | ||
21 | +++ b/bfd/ChangeLog | ||
22 | @@ -1,5 +1,11 @@ | ||
23 | 2018-09-20 Alan Modra <amodra@gmail.com> | ||
24 | |||
25 | + PR 23685 | ||
26 | + * peXXigen.c (pe_print_edata): Correct export address table | ||
27 | + overflow checks. Check dataoff against section size too. | ||
28 | + | ||
29 | +2018-09-20 Alan Modra <amodra@gmail.com> | ||
30 | + | ||
31 | PR 23686 | ||
32 | * dwarf2.c (read_section): Error when attempting to malloc | ||
33 | "(bfd_size_type) -1". | ||
34 | diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c | ||
35 | index 598f2ca..1645ef4 100644 | ||
36 | --- a/bfd/peXXigen.c | ||
37 | +++ b/bfd/peXXigen.c | ||
38 | @@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile) | ||
39 | |||
40 | dataoff = addr - section->vma; | ||
41 | datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; | ||
42 | - if (datasize > section->size - dataoff) | ||
43 | + if (dataoff > section->size | ||
44 | + || datasize > section->size - dataoff) | ||
45 | { | ||
46 | fprintf (file, | ||
47 | _("\nThere is an export table in %s, but it does not fit into that section\n"), | ||
48 | @@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile) | ||
49 | edt.base); | ||
50 | |||
51 | /* PR 17512: Handle corrupt PE binaries. */ | ||
52 | - if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize | ||
53 | + /* PR 17512 file: 140-165018-0.004. */ | ||
54 | + if (edt.eat_addr - adj >= datasize | ||
55 | /* PR 17512: file: 092b1829 */ | ||
56 | - || (edt.num_functions * 4) < edt.num_functions | ||
57 | - /* PR 17512 file: 140-165018-0.004. */ | ||
58 | - || data + edt.eat_addr - adj < data) | ||
59 | + || (edt.num_functions + 1) * 4 < edt.num_functions | ||
60 | + || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize) | ||
61 | fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), | ||
62 | (long) edt.eat_addr, | ||
63 | (long) edt.num_functions); | ||
64 | -- | ||
65 | 2.9.3 | ||