summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 22:55:30 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 09:22:45 (GMT)
commit2720b93220c957069c4d2f99b66b13c38e963104 (patch)
treede15ba41a9d8d03f23df882152ac6ccd44ba42ad
parent3a47233ad7e9513e0c29cf9bd85a6ff0b3e8693c (diff)
downloadpoky-2720b93220c957069c4d2f99b66b13c38e963104.tar.gz
binutls: Security fix for CVE-2017-16829
Affects: <= 2.29.1 (From OE-Core rev: 7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch82
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ba60ecc..7966cc3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -56,6 +56,7 @@ SRC_URI = "\
56 file://CVE-2017-16827.patch \ 56 file://CVE-2017-16827.patch \
57 file://CVE-2017-16828_p1.patch \ 57 file://CVE-2017-16828_p1.patch \
58 file://CVE-2017-16828_p2.patch \ 58 file://CVE-2017-16828_p2.patch \
59 file://CVE-2017-16829.patch \
59" 60"
60S = "${WORKDIR}/git" 61S = "${WORKDIR}/git"
61 62
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
new file mode 100644
index 0000000..f9410e2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch
@@ -0,0 +1,82 @@
1From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Tue, 17 Oct 2017 21:57:29 +1030
4Subject: [PATCH] PR22307, Heap out of bounds read in
5 _bfd_elf_parse_gnu_properties
6
7When adding an unbounded increment to a pointer, you can't just check
8against the end of the buffer but also must check that overflow
9doesn't result in "negative" pointer movement. Pointer comparisons
10are signed. Better, check the increment against the space left using
11an unsigned comparison.
12
13 PR 22307
14 * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
15 against size left rather than comparing pointers. Reorganise loop.
16
17Upstream-Status: Backport
18Affects: <= 2.29.1
19CVE: CVE-2017-16829
20Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22---
23 bfd/ChangeLog | 6 ++++++
24 bfd/elf-properties.c | 18 +++++++++---------
25 2 files changed, 15 insertions(+), 9 deletions(-)
26
27Index: git/bfd/elf-properties.c
28===================================================================
29--- git.orig/bfd/elf-properties.c
30+++ git/bfd/elf-properties.c
31@@ -93,15 +93,20 @@ bad_size:
32 return FALSE;
33 }
34
35- while (1)
36+ while (ptr != ptr_end)
37 {
38- unsigned int type = bfd_h_get_32 (abfd, ptr);
39- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
40+ unsigned int type;
41+ unsigned int datasz;
42 elf_property *prop;
43
44+ if ((size_t) (ptr_end - ptr) < 8)
45+ goto bad_size;
46+
47+ type = bfd_h_get_32 (abfd, ptr);
48+ datasz = bfd_h_get_32 (abfd, ptr + 4);
49 ptr += 8;
50
51- if ((ptr + datasz) > ptr_end)
52+ if (datasz > (size_t) (ptr_end - ptr))
53 {
54 _bfd_error_handler
55 (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
56@@ -182,11 +187,6 @@ bad_size:
57
58 next:
59 ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
60- if (ptr == ptr_end)
61- break;
62-
63- if (ptr > (ptr_end - 8))
64- goto bad_size;
65 }
66
67 return TRUE;
68Index: git/bfd/ChangeLog
69===================================================================
70--- git.orig/bfd/ChangeLog
71+++ git/bfd/ChangeLog
72@@ -1,4 +1,10 @@
73 2017-10-17 Alan Modra <amodra@gmail.com>
74+
75+ PR 22307
76+ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
77+ against size left rather than comparing pointers. Reorganise loop.
78+
79+2017-10-17 Alan Modra <amodra@gmail.com>
80
81 PR 22306
82 * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,