Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch | 89 |
1 files changed, 89 insertions, 0 deletions
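--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch
@@ -0,0 +1,89 @@
+Upstream-Status: Backport
+
+CVE-2014-8502 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 28 Oct 2014 15:42:56 +0000
+Subject: [PATCH] More fixes for corrupt binaries crashing the binutils.
+
+PR binutils/17512
+* elf.c (bfd_section_from_shdr): Allocate and free the recursion
+detection table on a per-bfd basis.
+* peXXigen.c (pe_print_edata): Handle binaries with a truncated
+export table.
+---
+bfd/ChangeLog | 8 ++++++++
+bfd/elf.c | 16 +++++++++++++---
+bfd/peXXigen.c | 9 +++++++++
+3 files changed, 30 insertions(+), 3 deletions(-)
+
+Index: binutils-2.24/bfd/peXXigen.c
+===================================================================
+--- binutils-2.24.orig/bfd/peXXigen.c
++++ binutils-2.24/bfd/peXXigen.c
+@@ -1438,6 +1438,15 @@ pe_print_edata (bfd * abfd, void * vfile
+}
+}
+
++ /* PR 17512: Handle corrupt PE binaries. */
++ if (datasize < 36)
++ {
++ fprintf (file,
++ _("\nThere is an export table in %s, but it is too small (%d)\n"),
++ section->name, (int) datasize);
++ return TRUE;
++ }
++
+fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"),
+section->name, (unsigned long) addr);
+
+Index: binutils-2.24/bfd/elf.c
+===================================================================
+--- binutils-2.24.orig/bfd/elf.c
++++ binutils-2.24/bfd/elf.c
+@@ -1576,6 +1576,7 @@ bfd_section_from_shdr (bfd *abfd, unsign
+const char *name;
+bfd_boolean ret = TRUE;
+static bfd_boolean * sections_being_created = NULL;
++ static bfd * sections_being_created_abfd = NULL;
+static unsigned int nesting = 0;
+
+if (shindex >= elf_numsections (abfd))
+@@ -1588,13 +1589,20 @@ bfd_section_from_shdr (bfd *abfd, unsign
+loop. Detect this here, by refusing to load a section that we are
+already in the process of loading. We only trigger this test if
+we have nested at least three sections deep as normal ELF binaries
+- can expect to recurse at least once. */
++ can expect to recurse at least once.
++
++ FIXME: It would be better if this array was attached to the bfd,
++ rather than being held in a static pointer. */
++
++ if (sections_being_created_abfd != abfd)
++ sections_being_created = NULL;
+
+if (sections_being_created == NULL)
+{
+/* FIXME: It would be more efficient to attach this array to the bfd somehow. */
+sections_being_created = (bfd_boolean *)
+bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean));
++ sections_being_created_abfd = abfd;
+}
+if (sections_being_created [shindex])
+{
+@@ -2098,7 +2106,10 @@ bfd_section_from_shdr (bfd *abfd, unsign
+if (sections_being_created)
+sections_being_created [shindex] = FALSE;
+if (-- nesting == 0)
++ {
+sections_being_created = NULL;
++ sections_being_created_abfd = abfd;
++ }
+return ret;
+}
+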
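Review bot: The new guard in pe_print_edata, `if (datasize < 36)`, looks four bytes short, because the PE export directory table is 40 bytes long and its last 32-bit field starts at offset 36. If the code after this hunk reads that field (it is not visible here), a table of 36 to 39 bytes passes the check and the read goes past the end of the data. I would write `if (datasize < 40)` with a comment saying the constant is the size of the export directory table. In the bfd_section_from_shdr hunks, the `bfd_zalloc` result is indexed by `sections_being_created [shindex]` with no NULL check, and the teardown sets `sections_being_created_abfd = abfd` where `NULL` would avoid keeping a pointer to a bfd that may later be closed. Both functions start and end outside the hunks shown, so these points should be confirmed against the full source.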