summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-08 20:14:17 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 09:22:45 (GMT)
commit5281adb8856934e003d37fb941070a329a9958fc (patch)
tree1f659641d3f9c4883a6ecebbb87aac25c868a820
parent53df81889a241cd1eee8b25c06800076736cbcd3 (diff)
downloadpoky-5281adb8856934e003d37fb941070a329a9958fc.tar.gz
Binutils: Security fix for CVE-2018-6759
Affects: <= 2.30 (From OE-Core rev: 7baa3e4c8e920caa09082f88e412687cc1590454) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch108
2 files changed, 109 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index db7305a..c668e63 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -71,6 +71,7 @@ SRC_URI = "\
71 file://CVE-2018-10535.patch \ 71 file://CVE-2018-10535.patch \
72 file://CVE-2018-13033.patch \ 72 file://CVE-2018-13033.patch \
73 file://CVE-2018-6323.patch \ 73 file://CVE-2018-6323.patch \
74 file://CVE-2018-6759.patch \
74" 75"
75S = "${WORKDIR}/git" 76S = "${WORKDIR}/git"
76 77
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
new file mode 100644
index 0000000..3b0e98a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
@@ -0,0 +1,108 @@
1From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Tue, 6 Feb 2018 15:48:29 +0000
4Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
5 chacking the size of debuglink sections.
6
7 PR 22794
8 * opncls.c (bfd_get_debug_link_info_1): Check the size of the
9 section before attempting to read it in.
10 (bfd_get_alt_debug_link_info): Likewise.
11
12Upstream-Status: Backport
13Affects: <= 2.30
14CVE: CVE-2018-6759
15Signed-off-by: Armin Kuster <akuster@mvista.com>
16
17---
18 bfd/ChangeLog | 7 +++++++
19 bfd/opncls.c | 22 +++++++++++++++++-----
20 2 files changed, 24 insertions(+), 5 deletions(-)
21
22Index: git/bfd/opncls.c
23===================================================================
24--- git.orig/bfd/opncls.c
25+++ git/bfd/opncls.c
26@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
27 bfd_byte *contents;
28 unsigned int crc_offset;
29 char *name;
30+ bfd_size_type size;
31
32 BFD_ASSERT (abfd);
33 BFD_ASSERT (crc32_out);
34@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
35 if (sect == NULL)
36 return NULL;
37
38+ size = bfd_get_section_size (sect);
39+
40+ /* PR 22794: Make sure that the section has a reasonable size. */
41+ if (size < 8 || size >= bfd_get_size (abfd))
42+ return NULL;
43+
44 if (!bfd_malloc_and_get_section (abfd, sect, &contents))
45 {
46 if (contents != NULL)
47@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
48
49 /* CRC value is stored after the filename, aligned up to 4 bytes. */
50 name = (char *) contents;
51- /* PR 17597: avoid reading off the end of the buffer. */
52- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
53+ /* PR 17597: Avoid reading off the end of the buffer. */
54+ crc_offset = strnlen (name, size) + 1;
55 crc_offset = (crc_offset + 3) & ~3;
56- if (crc_offset + 4 > bfd_get_section_size (sect))
57+ if (crc_offset + 4 > size)
58 return NULL;
59
60 *crc32 = bfd_get_32 (abfd, contents + crc_offset);
61@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
62 bfd_byte *contents;
63 unsigned int buildid_offset;
64 char *name;
65+ bfd_size_type size;
66
67 BFD_ASSERT (abfd);
68 BFD_ASSERT (buildid_len);
69@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
70 if (sect == NULL)
71 return NULL;
72
73+ size = bfd_get_section_size (sect);
74+ if (size < 8 || size >= bfd_get_size (abfd))
75+ return NULL;
76+
77 if (!bfd_malloc_and_get_section (abfd, sect, & contents))
78 {
79 if (contents != NULL)
80@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
81
82 /* BuildID value is stored after the filename. */
83 name = (char *) contents;
84- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
85+ buildid_offset = strnlen (name, size) + 1;
86 if (buildid_offset >= bfd_get_section_size (sect))
87 return NULL;
88
89- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
90+ *buildid_len = size - buildid_offset;
91 *buildid_out = bfd_malloc (*buildid_len);
92 memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
93
94Index: git/bfd/ChangeLog
95===================================================================
96--- git.orig/bfd/ChangeLog
97+++ git/bfd/ChangeLog
98@@ -1,3 +1,10 @@
99+2018-02-06 Nick Clifton <nickc@redhat.com>
100+
101+ PR 22794
102+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
103+ section before attempting to read it in.
104+ (bfd_get_alt_debug_link_info): Likewise.
105+
106 2018-01-25 Alan Modra <amodra@gmail.com>
107
108 PR 22746