diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch new file mode 100644 index 0000000000..35cf328a14 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From 45a0eaf77022963d639d6d19871dbab7b79703fc Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Tue, 23 Oct 2018 19:02:06 +1030 | ||
4 | Subject: [PATCH] PR23806, NULL pointer dereference in merge_strings | ||
5 | |||
6 | PR 23806 | ||
7 | * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
8 | sections with ridiculously large alignments. | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | CVE: CVE-2018-18606 | ||
12 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
13 | --- | ||
14 | bfd/ChangeLog | 6 ++++++ | ||
15 | bfd/merge.c | 15 +++++++++++---- | ||
16 | 2 files changed, 17 insertions(+), 4 deletions(-) | ||
17 | |||
18 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
19 | index 1f3fc1c..c5f7ec7 100644 | ||
20 | --- a/bfd/ChangeLog | ||
21 | +++ b/bfd/ChangeLog | ||
22 | @@ -1,5 +1,11 @@ | ||
23 | 2018-10-23 Alan Modra <amodra@gmail.com> | ||
24 | |||
25 | + PR 23806 | ||
26 | + * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
27 | + sections with ridiculously large alignments. | ||
28 | + | ||
29 | +2018-10-23 Alan Modra <amodra@gmail.com> | ||
30 | + | ||
31 | PR 23804 | ||
32 | * merge.c (_bfd_add_merge_section): Don't attempt to merge | ||
33 | sections where size is not a multiple of entsize. | ||
34 | diff --git a/bfd/merge.c b/bfd/merge.c | ||
35 | index 5e3bba0..7de0c88 100644 | ||
36 | --- a/bfd/merge.c | ||
37 | +++ b/bfd/merge.c | ||
38 | @@ -24,6 +24,7 @@ | ||
39 | as used in ELF SHF_MERGE. */ | ||
40 | |||
41 | #include "sysdep.h" | ||
42 | +#include <limits.h> | ||
43 | #include "bfd.h" | ||
44 | #include "elf-bfd.h" | ||
45 | #include "libbfd.h" | ||
46 | @@ -385,12 +386,18 @@ _bfd_add_merge_section (bfd *abfd, void **psinfo, asection *sec, | ||
47 | return TRUE; | ||
48 | } | ||
49 | |||
50 | - align = sec->alignment_power; | ||
51 | - if ((sec->entsize < (unsigned) 1 << align | ||
52 | +#ifndef CHAR_BIT | ||
53 | +#define CHAR_BIT 8 | ||
54 | +#endif | ||
55 | + if (sec->alignment_power >= sizeof (align) * CHAR_BIT) | ||
56 | + return TRUE; | ||
57 | + | ||
58 | + align = 1u << sec->alignment_power; | ||
59 | + if ((sec->entsize < align | ||
60 | && ((sec->entsize & (sec->entsize - 1)) | ||
61 | || !(sec->flags & SEC_STRINGS))) | ||
62 | - || (sec->entsize > (unsigned) 1 << align | ||
63 | - && (sec->entsize & (((unsigned) 1 << align) - 1)))) | ||
64 | + || (sec->entsize > align | ||
65 | + && (sec->entsize & (align - 1)))) | ||
66 | { | ||
67 | /* Sanity check. If string character size is smaller than | ||
68 | alignment, then we require character size to be a power | ||
69 | -- | ||
70 | 2.9.3 | ||