From 1b202d632b1c12cb3fb4683c53098e245ba99f23 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 8 Aug 2018 12:07:35 -0700 Subject: Binutils: Security fix for CVE-2018-13033 Affects: <= 2.30 (From OE-Core rev: 64afab325facc55f4a49247e4033b1d3c8b22b67) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 + .../binutils/binutils/CVE-2018-13033.patch | 71 ++++++++++++++++++++++ 2 files changed, 72 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 4d9983b984..2f9b4fee02 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -69,6 +69,7 @@ SRC_URI = "\ file://CVE-2018-10373.patch \ file://CVE-2018-10534.patch \ file://CVE-2018-10535.patch \ + file://CVE-2018-13033.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch new file mode 100644 index 0000000000..3fa852c951 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch @@ -0,0 +1,71 @@ +From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Tue, 8 May 2018 12:51:06 +0100 +Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a + fuzzed input file with corrupt string and attribute sections. + + PR 22809 + * elf.c (bfd_elf_get_str_section): Check for an excessively large + string section. + * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the + attribute section is larger than the size of the file. + +Upstream-Status: Backport +Affects: <= 2.30 +CVE: CVE-2018-13033 +Signed-off-by: Armin Kuster + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/elf-attrs.c | 9 +++++++++ + bfd/elf.c | 1 + + 3 files changed, 18 insertions(+) + +Index: git/bfd/elf-attrs.c +=================================================================== +--- git.orig/bfd/elf-attrs.c ++++ git/bfd/elf-attrs.c +@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El + /* PR 17512: file: 2844a11d. */ + if (hdr->sh_size == 0) + return; ++ if (hdr->sh_size > bfd_get_file_size (abfd)) ++ { ++ /* xgettext:c-format */ ++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"), ++ abfd, hdr->bfd_section, (long long) hdr->sh_size); ++ bfd_set_error (bfd_error_invalid_operation); ++ return; ++ } ++ + contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1); + if (!contents) + return; +Index: git/bfd/elf.c +=================================================================== +--- git.orig/bfd/elf.c ++++ git/bfd/elf.c +@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi + /* Allocate and clear an extra byte at the end, to prevent crashes + in case the string table is not terminated. */ + if (shstrtabsize + 1 <= 1 ++ || shstrtabsize > bfd_get_file_size (abfd) + || bfd_seek (abfd, offset, SEEK_SET) != 0 + || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL) + shstrtab = NULL; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2018-05-08 Nick Clifton ++ ++ PR 22809 ++ * elf.c (bfd_elf_get_str_section): Check for an excessively large ++ string section. ++ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the ++ attribute section is larger than the size of the file. ++ + 2018-04-24 Nick Clifton + + PR 23113 -- cgit v1.2.3-54-g00ecf