From 7d51055f445c6f91454fe3b05174ec1d6020e896 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Tue, 7 Aug 2018 16:06:49 -0700 Subject: binutls: Security fix for CVE-2017-16830 Affects: <= 2.29.1 (From OE-Core rev: 29c6da2092599145e5a4f00ccc6029f31ec724da) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 + .../binutils/binutils/CVE-2017-16830.patch | 91 ++++++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 7966cc3248..4191482929 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -57,6 +57,7 @@ SRC_URI = "\ file://CVE-2017-16828_p1.patch \ file://CVE-2017-16828_p2.patch \ file://CVE-2017-16829.patch \ + file://CVE-2017-16830.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch new file mode 100644 index 0000000000..1382c8e3e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch @@ -0,0 +1,91 @@ +From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001 +From: Mingi Cho +Date: Thu, 2 Nov 2017 17:01:08 +0000 +Subject: [PATCH] Work around integer overflows when readelf is checking for + corrupt ELF notes when run on a 32-bit host. + + PR 22384 + * readelf.c (print_gnu_property_note): Improve overflow checks so + that they will work on a 32-bit host. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16830 +Signed-off-by: Armin Kuster + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 33 +++++++++++++++++---------------- + 2 files changed, 23 insertions(+), 16 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No + return; + } + +- while (1) ++ while (ptr < ptr_end) + { + unsigned int j; +- unsigned int type = byte_get (ptr, 4); +- unsigned int datasz = byte_get (ptr + 4, 4); ++ unsigned int type; ++ unsigned int datasz; ++ ++ if ((size_t) (ptr_end - ptr) < 8) ++ { ++ printf (_("\n"), pnote->descsz); ++ break; ++ } ++ ++ type = byte_get (ptr, 4); ++ datasz = byte_get (ptr + 4, 4); + + ptr += 8; + +- if ((ptr + datasz) > ptr_end) ++ if (datasz > (size_t) (ptr_end - ptr)) + { + printf (_("\n"), + type, datasz); +@@ -16520,19 +16529,11 @@ next: + ptr += ((datasz + (size - 1)) & ~ (size - 1)); + if (ptr == ptr_end) + break; +- else +- { +- if (do_wide) +- printf (", "); +- else +- printf ("\n\t"); +- } + +- if (ptr > (ptr_end - 8)) +- { +- printf (_("\n"), pnote->descsz); +- break; +- } ++ if (do_wide) ++ printf (", "); ++ else ++ printf ("\n\t"); + } + + printf ("\n"); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-02 Mingi Cho ++ ++ PR 22384 ++ * readelf.c (print_gnu_property_note): Improve overflow checks so ++ that they will work on a 32-bit host. ++ + 2017-10-05 Alan Modra + + PR 22239 -- cgit v1.2.3-54-g00ecf