summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-08 20:53:40 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 09:22:45 (GMT)
commitbdb39814660ec744aae1ddae0b09bbdc8847b823 (patch)
tree7a05ac4398495c25bf7b7b31df6aed1b5b2ac245
parent3552c38b32021aa24f6de6914cd37b622ab70f05 (diff)
downloadpoky-bdb39814660ec744aae1ddae0b09bbdc8847b823.tar.gz
Binutils: Security fix for CVE-2018-7569
Affects: <= 2.30 (From OE-Core rev: b99d1f2212ea73ddafd3fbf9426b37a04d89b809) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch120
2 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ceb8e85..cfde35c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
75 file://CVE-2018-7208.patch \ 75 file://CVE-2018-7208.patch \
76 file://CVE-2018-7568_p1.patch \ 76 file://CVE-2018-7568_p1.patch \
77 file://CVE-2018-7568_p2.patch \ 77 file://CVE-2018-7568_p2.patch \
78 file://CVE-2018-7569.patch \
78" 79"
79S = "${WORKDIR}/git" 80S = "${WORKDIR}/git"
80 81
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000..e77118b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,120 @@
1From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Wed, 28 Feb 2018 11:50:49 +0000
4Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
5 FORM blocks.
6
7 PR 22895
8 PR 22893
9 * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
10 pointer. Drop unused abfd parameter. Check the size of the block
11 before initialising the data field. Return the end pointer if the
12 size is invalid.
13 (read_attribute_value): Adjust invocations of read_n_bytes.
14
15Upstream-Status: Backport
16Affects: <= 2.30
17CVE: CVE-2018-7569
18Signed-off-by: Armin Kuster <akuster@mvista.com>
19
20---
21 bfd/ChangeLog | 8 ++++++++
22 bfd/dwarf2.c | 36 +++++++++++++++++++++---------------
23 2 files changed, 29 insertions(+), 15 deletions(-)
24
25Index: git/bfd/dwarf2.c
26===================================================================
27--- git.orig/bfd/dwarf2.c
28+++ git/bfd/dwarf2.c
29@@ -649,14 +649,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
30 }
31
32 static bfd_byte *
33-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
34- bfd_byte *buf,
35- bfd_byte *end,
36- unsigned int size ATTRIBUTE_UNUSED)
37-{
38- if (buf + size > end)
39- return NULL;
40- return buf;
41+read_n_bytes (bfd_byte * buf,
42+ bfd_byte * end,
43+ struct dwarf_block * block)
44+{
45+ unsigned int size = block->size;
46+ bfd_byte * block_end = buf + size;
47+
48+ if (block_end > end || block_end < buf)
49+ {
50+ block->data = NULL;
51+ block->size = 0;
52+ return end;
53+ }
54+ else
55+ {
56+ block->data = buf;
57+ return block_end;
58+ }
59 }
60
61 /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
62@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute *
63 return NULL;
64 blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
65 info_ptr += 2;
66- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
67- info_ptr += blk->size;
68+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
69 attr->u.blk = blk;
70 break;
71 case DW_FORM_block4:
72@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute *
73 return NULL;
74 blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
75 info_ptr += 4;
76- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
77- info_ptr += blk->size;
78+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
79 attr->u.blk = blk;
80 break;
81 case DW_FORM_data2:
82@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute *
83 blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
84 FALSE, info_ptr_end);
85 info_ptr += bytes_read;
86- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
87- info_ptr += blk->size;
88+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
89 attr->u.blk = blk;
90 break;
91 case DW_FORM_block1:
92@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute *
93 return NULL;
94 blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
95 info_ptr += 1;
96- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
97- info_ptr += blk->size;
98+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
99 attr->u.blk = blk;
100 break;
101 case DW_FORM_data1:
102Index: git/bfd/ChangeLog
103===================================================================
104--- git.orig/bfd/ChangeLog
105+++ git/bfd/ChangeLog
106@@ -1,4 +1,14 @@
107 2018-02-28 Nick Clifton <nickc@redhat.com>
108+
109+ PR 22895
110+ PR 22893
111+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
112+ pointer. Drop unused abfd parameter. Check the size of the block
113+ before initialising the data field. Return the end pointer if the
114+ size is invalid.
115+ (read_attribute_value): Adjust invocations of read_n_bytes.
116+
117+2018-02-28 Nick Clifton <nickc@redhat.com>
118
119 PR 22894
120 * dwarf1.c (parse_die): Check the length of form blocks before