path: root/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch
blob: 1382c8e3e78197dc9b30472dbc8583ac3d7cd183 (plain)
From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001
From: Mingi Cho <mgcho.minic@gmail.com>
Date: Thu, 2 Nov 2017 17:01:08 +0000
Subject: [PATCH] Work around integer overflows when readelf is checking for
 corrupt ELF notes when run on a 32-bit host.

	PR 22384
	* readelf.c (print_gnu_property_note): Improve overflow checks so
	that they will work on a 32-bit host.

Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-16830
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 binutils/ChangeLog |  6 ++++++
 binutils/readelf.c | 33 +++++++++++++++++----------------
 2 files changed, 23 insertions(+), 16 deletions(-)

Index: git/binutils/readelf.c
===================================================================
--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No
       return;
     }
 
-  while (1)
+  while (ptr < ptr_end)
     {
       unsigned int j;
-      unsigned int type = byte_get (ptr, 4);
-      unsigned int datasz = byte_get (ptr + 4, 4);
+      unsigned int type;
+      unsigned int datasz;
+
+      if ((size_t) (ptr_end - ptr) < 8)
+	{
+	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
+	  break;
+	}
+
+      type = byte_get (ptr, 4);
+      datasz = byte_get (ptr + 4, 4);
 
       ptr += 8;
 
-      if ((ptr + datasz) > ptr_end)
+      if (datasz > (size_t) (ptr_end - ptr))
 	{
 	  printf (_("<corrupt type (%#x) datasz: %#x>\n"),
 		  type, datasz);
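Review bot: The two new bounds checks in the loop head carry no comment saying why they compare against the remaining length `(size_t) (ptr_end - ptr)` instead of advancing the pointer, so a later cleanup could restore the `(ptr + datasz) > ptr_end` form that this patch removes. A short comment above the `datasz` check would pin the intent, for example `/* Compare against the bytes left; ptr + datasz can wrap on a 32-bit host (PR 22384).  */`. The cast to `size_t` is safe only because the `while (ptr < ptr_end)` guard keeps the difference positive, which is worth stating in the same comment. The function body starts before this hunk and the `if` block continues past it.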
@@ -16520,19 +16529,11 @@ next:
       ptr += ((datasz + (size - 1)) & ~ (size - 1));
       if (ptr == ptr_end)
 	break;
-      else
-	{
-	  if (do_wide)
-	    printf (", ");
-	  else
-	    printf ("\n\t");
-	}
 
-      if (ptr > (ptr_end - 8))
-	{
-	  printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz);
-	  break;
-	}
+      if (do_wide)
+	printf (", ");
+      else
+	printf ("\n\t");
     }
 
   printf ("\n");
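Review bot: The aligned advance at `next:` (an unchanged context line) can still move `ptr` beyond `ptr_end` when the last property's `datasz` fits but its padding does not. After this change that case prints a separator and leaves through the `while (ptr < ptr_end)` condition with no corruption message, whereas the removed `ptr > (ptr_end - 8)` test reported it. It also forms a pointer past the end of the note, which is the pattern the first hunk moves away from. Consider checking the padded length against the bytes left before advancing, along the lines of `if (((datasz + (size - 1)) & ~ (size - 1)) > (size_t) (ptr_end - ptr))`, and printing the `<corrupt descsz: ...>` message there. The definition of `size` and the code between the two hunks are outside this view, so confirm `ptr` has not already been advanced over the data when control reaches `next:`.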
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,9 @@
+2017-11-02  Mingi Cho  <mgcho.minic@gmail.com>
+
+       PR 22384
+       * readelf.c (print_gnu_property_note): Improve overflow checks so
+       that they will work on a 32-bit host.
+
 2017-10-05  Alan Modra  <amodra@gmail.com>
 
        PR 22239