From 10e74c42ad77a5178fc42da5960cd61ecdb97150 Mon Sep 17 00:00:00 2001 From: Thiruvadi Rajaraman Date: Mon, 4 Sep 2017 16:34:32 +0530 Subject: binutils: CVE-2017-7301 Source: git://sourceware.org/git/binutils-gdb.git MR: 74231 Type: Security Fix Disposition: Backport from binutils-2_28-branch ChangeID: 1fbae9f71e3ad90f930f8b25d550de964e05c259 Description: Fix seg-fault in linker parsing a corrupt input file. PR ld/20924 (aout_link_add_symbols): Fix off by one error checking for overflow of string offset. Affects: <= 2.28 Author: Nick Clifton (From OE-Core rev: 315608a626f9e21d198d1600ded69114ac1e16d1) Signed-off-by: Thiruvadi Rajaraman Reviewed-by: Armin Kuster Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.27.inc | 1 + .../binutils/binutils/CVE-2017-7301.patch | 52 ++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 54cdcc7bb5..59e46b8bf4 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc @@ -63,6 +63,7 @@ SRC_URI = "\ file://CVE-2017-7224.patch \ file://CVE-2017-7225.patch \ file://CVE-2017-7227.patch \ + file://CVE-2017-7301.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch new file mode 100644 index 0000000000..36b4259fde --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch @@ -0,0 +1,52 @@ +commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d +Author: Nick Clifton +Date: Mon Dec 5 12:25:34 2016 +0000 + + Fix seg-fault in linker parsing a corrupt input file. + + PR ld/20924 + (aout_link_add_symbols): Fix off by one error checking for + overflow of string offset. + +Upstream-Status: Backport + +CVE: CVE-2017-7301 +Signed-off-by: Thiruvadi Rajaraman + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-04 15:42:15.244812577 +0530 ++++ git/bfd/ChangeLog 2017-09-04 15:51:36.573466525 +0530 +@@ -120,6 +120,10 @@ + * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over + the end of the string buffer. + ++ PR ld/20924 ++ (aout_link_add_symbols): Fix off by one error checking for ++ overflow of string offset. ++ + 2016-12-01 Nick Clifton + + PR binutils/20891 +Index: git/bfd/aoutx.h +=================================================================== +--- git.orig/bfd/aoutx.h 2017-09-04 15:42:15.244812577 +0530 ++++ git/bfd/aoutx.h 2017-09-04 15:49:36.500479341 +0530 +@@ -3091,7 +3091,7 @@ + BFD_ASSERT (p + 1 < pend); + ++p; + /* PR 19629: Corrupt binaries can contain illegal string offsets. */ +- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd)) ++ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd)) + return FALSE; + string = strings + GET_WORD (abfd, p->e_strx); + section = bfd_ind_section_ptr; +@@ -3127,7 +3127,7 @@ + ++p; + string = name; + /* PR 19629: Corrupt binaries can contain illegal string offsets. */ +- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd)) ++ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd)) + return FALSE; + name = strings + GET_WORD (abfd, p->e_strx); + section = bfd_und_section_ptr; -- cgit v1.2.3-54-g00ecf