summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch')
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch120
1 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000000..e77118bc13
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,120 @@
1From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Wed, 28 Feb 2018 11:50:49 +0000
4Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
5 FORM blocks.
6
7 PR 22895
8 PR 22893
9 * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
10 pointer. Drop unused abfd parameter. Check the size of the block
11 before initialising the data field. Return the end pointer if the
12 size is invalid.
13 (read_attribute_value): Adjust invocations of read_n_bytes.
14
15Upstream-Status: Backport
16Affects: <= 2.30
17CVE: CVE-2018-7569
18Signed-off-by: Armin Kuster <akuster@mvista.com>
19
20---
21 bfd/ChangeLog | 8 ++++++++
22 bfd/dwarf2.c | 36 +++++++++++++++++++++---------------
23 2 files changed, 29 insertions(+), 15 deletions(-)
24
25Index: git/bfd/dwarf2.c
26===================================================================
27--- git.orig/bfd/dwarf2.c
28+++ git/bfd/dwarf2.c
29@@ -649,14 +649,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
30 }
31
32 static bfd_byte *
33-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
34- bfd_byte *buf,
35- bfd_byte *end,
36- unsigned int size ATTRIBUTE_UNUSED)
37-{
38- if (buf + size > end)
39- return NULL;
40- return buf;
41+read_n_bytes (bfd_byte * buf,
42+ bfd_byte * end,
43+ struct dwarf_block * block)
44+{
45+ unsigned int size = block->size;
46+ bfd_byte * block_end = buf + size;
47+
48+ if (block_end > end || block_end < buf)
49+ {
50+ block->data = NULL;
51+ block->size = 0;
52+ return end;
53+ }
54+ else
55+ {
56+ block->data = buf;
57+ return block_end;
58+ }
59 }
60
61 /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
62@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute *
63 return NULL;
64 blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
65 info_ptr += 2;
66- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
67- info_ptr += blk->size;
68+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
69 attr->u.blk = blk;
70 break;
71 case DW_FORM_block4:
72@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute *
73 return NULL;
74 blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
75 info_ptr += 4;
76- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
77- info_ptr += blk->size;
78+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
79 attr->u.blk = blk;
80 break;
81 case DW_FORM_data2:
82@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute *
83 blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
84 FALSE, info_ptr_end);
85 info_ptr += bytes_read;
86- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
87- info_ptr += blk->size;
88+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
89 attr->u.blk = blk;
90 break;
91 case DW_FORM_block1:
92@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute *
93 return NULL;
94 blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
95 info_ptr += 1;
96- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
97- info_ptr += blk->size;
98+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
99 attr->u.blk = blk;
100 break;
101 case DW_FORM_data1:
102Index: git/bfd/ChangeLog
103===================================================================
104--- git.orig/bfd/ChangeLog
105+++ git/bfd/ChangeLog
106@@ -1,4 +1,14 @@
107 2018-02-28 Nick Clifton <nickc@redhat.com>
108+
109+ PR 22895
110+ PR 22893
111+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
112+ pointer. Drop unused abfd parameter. Check the size of the block
113+ before initialising the data field. Return the end pointer if the
114+ size is invalid.
115+ (read_attribute_value): Adjust invocations of read_n_bytes.
116+
117+2018-02-28 Nick Clifton <nickc@redhat.com>
118
119 PR 22894
120 * dwarf1.c (parse_die): Check the length of form blocks before