diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch deleted file mode 100644 index bcb1310f16..0000000000 --- a/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch +++ /dev/null | |||
@@ -1,119 +0,0 @@ | |||
1 | From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Wed, 20 Feb 2019 08:21:24 +1030 | ||
4 | Subject: [PATCH] PR24236, Heap buffer overflow in | ||
5 | _bfd_archive_64_bit_slurp_armap | ||
6 | |||
7 | PR 24236 | ||
8 | * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding | ||
9 | sentinel NUL to string buffer nearer to loop where it is used. | ||
10 | Don't go past sentinel when scanning strings, and don't write | ||
11 | NUL again. | ||
12 | * archive.c (do_slurp_coff_armap): Simplify string handling to | ||
13 | archive64.c style. | ||
14 | |||
15 | Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/8abac8031ed369a2734b1cdb7df28a39a54b4b49] | ||
16 | CVE: CVE-2019-9075 | ||
17 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
18 | --- | ||
19 | bfd/ChangeLog | 10 ++++++++++ | ||
20 | bfd/archive.c | 17 +++++++---------- | ||
21 | bfd/archive64.c | 10 +++++----- | ||
22 | 3 files changed, 22 insertions(+), 15 deletions(-) | ||
23 | |||
24 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
25 | index 72c87c7..e39bb12 100644 | ||
26 | --- a/bfd/ChangeLog | ||
27 | +++ b/bfd/ChangeLog | ||
28 | @@ -1,3 +1,13 @@ | ||
29 | +2019-02-20 Alan Modra <amodra@gmail.com> | ||
30 | + | ||
31 | + PR 24236 | ||
32 | + * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding | ||
33 | + sentinel NUL to string buffer nearer to loop where it is used. | ||
34 | + Don't go past sentinel when scanning strings, and don't write | ||
35 | + NUL again. | ||
36 | + * archive.c (do_slurp_coff_armap): Simplify string handling to | ||
37 | + archive64.c style. | ||
38 | + | ||
39 | 2019-02-19 Alan Modra <amodra@gmail.com> | ||
40 | |||
41 | PR 24235 | ||
42 | diff --git a/bfd/archive.c b/bfd/archive.c | ||
43 | index d2d9b72..68a92a3 100644 | ||
44 | --- a/bfd/archive.c | ||
45 | +++ b/bfd/archive.c | ||
46 | @@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd) | ||
47 | int *raw_armap, *rawptr; | ||
48 | struct artdata *ardata = bfd_ardata (abfd); | ||
49 | char *stringbase; | ||
50 | + char *stringend; | ||
51 | bfd_size_type stringsize; | ||
52 | bfd_size_type parsed_size; | ||
53 | carsym *carsyms; | ||
54 | @@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd) | ||
55 | } | ||
56 | |||
57 | /* OK, build the carsyms. */ | ||
58 | - for (i = 0; i < nsymz && stringsize > 0; i++) | ||
59 | + stringend = stringbase + stringsize; | ||
60 | + *stringend = 0; | ||
61 | + for (i = 0; i < nsymz; i++) | ||
62 | { | ||
63 | - bfd_size_type len; | ||
64 | - | ||
65 | rawptr = raw_armap + i; | ||
66 | carsyms->file_offset = swap ((bfd_byte *) rawptr); | ||
67 | carsyms->name = stringbase; | ||
68 | - /* PR 17512: file: 4a1d50c1. */ | ||
69 | - len = strnlen (stringbase, stringsize); | ||
70 | - if (len < stringsize) | ||
71 | - len ++; | ||
72 | - stringbase += len; | ||
73 | - stringsize -= len; | ||
74 | + stringbase += strlen (stringbase); | ||
75 | + if (stringbase != stringend) | ||
76 | + ++stringbase; | ||
77 | carsyms++; | ||
78 | } | ||
79 | - *stringbase = 0; | ||
80 | |||
81 | ardata->symdef_count = nsymz; | ||
82 | ardata->first_file_filepos = bfd_tell (abfd); | ||
83 | diff --git a/bfd/archive64.c b/bfd/archive64.c | ||
84 | index 312bf82..42f6ed9 100644 | ||
85 | --- a/bfd/archive64.c | ||
86 | +++ b/bfd/archive64.c | ||
87 | @@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) | ||
88 | return FALSE; | ||
89 | carsyms = ardata->symdefs; | ||
90 | stringbase = ((char *) ardata->symdefs) + carsym_size; | ||
91 | - stringbase[stringsize] = 0; | ||
92 | - stringend = stringbase + stringsize; | ||
93 | |||
94 | raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize); | ||
95 | if (raw_armap == NULL) | ||
96 | @@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd) | ||
97 | goto release_raw_armap; | ||
98 | } | ||
99 | |||
100 | + stringend = stringbase + stringsize; | ||
101 | + *stringend = 0; | ||
102 | for (i = 0; i < nsymz; i++) | ||
103 | { | ||
104 | carsyms->file_offset = bfd_getb64 (raw_armap + i * 8); | ||
105 | carsyms->name = stringbase; | ||
106 | - if (stringbase < stringend) | ||
107 | - stringbase += strlen (stringbase) + 1; | ||
108 | + stringbase += strlen (stringbase); | ||
109 | + if (stringbase != stringend) | ||
110 | + ++stringbase; | ||
111 | ++carsyms; | ||
112 | } | ||
113 | - *stringbase = '\0'; | ||
114 | |||
115 | ardata->symdef_count = nsymz; | ||
116 | ardata->first_file_filepos = bfd_tell (abfd); | ||
117 | -- | ||
118 | 2.7.4 | ||
119 | |||