authorArmin Kuster <akuster@mvista.com>2018-08-08 19:07:35 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 09:22:45 (GMT)
commit1b202d632b1c12cb3fb4683c53098e245ba99f23 (patch)
treece1f3e62092879cef3d9b15262457be6a96b37ea
parent8eeacb689b934c989a1cfad882559cd2d5c5f901 (diff)
downloadpoky-1b202d632b1c12cb3fb4683c53098e245ba99f23.tar.gz
Binutils: Security fix for CVE-2018-13033
Affects: <= 2.30 (From OE-Core rev: 64afab325facc55f4a49247e4033b1d3c8b22b67) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch71
2 files changed, 72 insertions, 0 deletions
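--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
  file://CVE-2018-10373.patch \
  file://CVE-2018-10534.patch \
  file://CVE-2018-10535.patch \
+ file://CVE-2018-13033.patch \
 "
 S = "${WORKDIR}/git"
 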
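--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch
@@ -0,0 +1,71 @@
+From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 8 May 2018 12:51:06 +0100
+Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
+ fuzzed input file with corrupt string and attribute sections.
+
+ PR 22809
+ * elf.c (bfd_elf_get_str_section): Check for an excessively large
+ string section.
+ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+ attribute section is larger than the size of the file.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-13033
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 8 ++++++++
+ bfd/elf-attrs.c | 9 +++++++++
+ bfd/elf.c | 1 +
+ 3 files changed, 18 insertions(+)
+
+Index: git/bfd/elf-attrs.c
+===================================================================
+--- git.orig/bfd/elf-attrs.c
++++ git/bfd/elf-attrs.c
+@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
+ /* PR 17512: file: 2844a11d. */
+ if (hdr->sh_size == 0)
+ return;
++ if (hdr->sh_size > bfd_get_file_size (abfd))
++ {
++ /* xgettext:c-format */
++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
++ abfd, hdr->bfd_section, (long long) hdr->sh_size);
++ bfd_set_error (bfd_error_invalid_operation);
++ return;
++ }
++
+ contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+ if (!contents)
+ return;
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+ /* Allocate and clear an extra byte at the end, to prevent crashes
+ in case the string table is not terminated. */
+ if (shstrtabsize + 1 <= 1
++ || shstrtabsize > bfd_get_file_size (abfd)
+ || bfd_seek (abfd, offset, SEEK_SET) != 0
+ || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+ shstrtab = NULL;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2018-05-08 Nick Clifton <nickc@redhat.com>
++
++ PR 22809
++ * elf.c (bfd_elf_get_str_section): Check for an excessively large
++ string section.
++ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
++ attribute section is larger than the size of the file.
++
+ 2018-04-24 Nick Clifton <nickc@redhat.com>
+
+ PR 23113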
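Review bot: The message added in `_bfd_elf_parse_attributes` uses the `%pB` and `%pA` specifiers, which the `_bfd_error_handler` in the 2.29.1 tree this recipe builds may not understand. If that release still uses the older `%B`/`%A` forms (check other messages in `bfd/elf-attrs.c`), the backport should read `_("%B: error: attribute section '%A' too big: %#llx")`, otherwise the diagnostic is likely to print garbled output instead of the file and section names. Both new checks, here and in `bfd_elf_get_str_section`, also compare against `bfd_get_file_size (abfd)` unconditionally. If that helper returns 0 when the size cannot be determined, every non-empty section would be rejected, so a guard of the form `filesize != 0 && hdr->sh_size > filesize` is worth considering. The helper is not defined on this page, so confirm the 2.29.1 sources plus the earlier SRC_URI patches provide it; both function bodies continue outside the hunks shown.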