diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch new file mode 100644 index 0000000000..b5511d7d8a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Wed, 28 Feb 2018 10:13:54 +0000 | ||
4 | Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1 | ||
5 | debug information. | ||
6 | |||
7 | PR 22894 | ||
8 | * dwarf1.c (parse_die): Check the length of form blocks before | ||
9 | advancing the data pointer. | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | Affects: <= 2.30 | ||
13 | CVE: CVE-2018-7568 patch2 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | bfd/ChangeLog | 6 ++++++ | ||
18 | bfd/dwarf1.c | 17 +++++++++++++++-- | ||
19 | 2 files changed, 21 insertions(+), 2 deletions(-) | ||
20 | |||
21 | Index: git/bfd/dwarf1.c | ||
22 | =================================================================== | ||
23 | --- git.orig/bfd/dwarf1.c | ||
24 | +++ git/bfd/dwarf1.c | ||
25 | @@ -213,6 +213,7 @@ parse_die (bfd * abfd, | ||
26 | /* Then the attributes. */ | ||
27 | while (xptr + 2 <= aDiePtrEnd) | ||
28 | { | ||
29 | + unsigned int block_len; | ||
30 | unsigned short attr; | ||
31 | |||
32 | /* Parse the attribute based on its form. This section | ||
33 | @@ -255,12 +256,24 @@ parse_die (bfd * abfd, | ||
34 | break; | ||
35 | case FORM_BLOCK2: | ||
36 | if (xptr + 2 <= aDiePtrEnd) | ||
37 | - xptr += bfd_get_16 (abfd, xptr); | ||
38 | + { | ||
39 | + block_len = bfd_get_16 (abfd, xptr); | ||
40 | + if (xptr + block_len > aDiePtrEnd | ||
41 | + || xptr + block_len < xptr) | ||
42 | + return FALSE; | ||
43 | + xptr += block_len; | ||
44 | + } | ||
45 | xptr += 2; | ||
46 | break; | ||
47 | case FORM_BLOCK4: | ||
48 | if (xptr + 4 <= aDiePtrEnd) | ||
49 | - xptr += bfd_get_32 (abfd, xptr); | ||
50 | + { | ||
51 | + block_len = bfd_get_32 (abfd, xptr); | ||
52 | + if (xptr + block_len > aDiePtrEnd | ||
53 | + || xptr + block_len < xptr) | ||
54 | + return FALSE; | ||
55 | + xptr += block_len; | ||
56 | + } | ||
57 | xptr += 4; | ||
58 | break; | ||
59 | case FORM_STRING: | ||
60 | Index: git/bfd/ChangeLog | ||
61 | =================================================================== | ||
62 | --- git.orig/bfd/ChangeLog | ||
63 | +++ git/bfd/ChangeLog | ||
64 | @@ -1,3 +1,9 @@ | ||
65 | +2018-02-28 Nick Clifton <nickc@redhat.com> | ||
66 | + | ||
67 | + PR 22894 | ||
68 | + * dwarf1.c (parse_die): Check the length of form blocks before | ||
69 | + advancing the data pointer. | ||
70 | + | ||
71 | 2017-09-25 Alan Modra <amodra@gmail.com> | ||
72 | |||
73 | PR 22202 | ||