binutls: Security fix for CVE-2017-16832

Affects: <= 2.29.1 (From OE-Core rev: ec8861a2f280a3210f9423fd1b687bca6340b8ca) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-07 16:22:27 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 1abb9cc58e4be1c5de0e763b3cc34c3e0640679d (patch)
tree: 0690c18706226e4504eaaba8b78009bfe176e98f
parent: d40d4bf86f5f4cec5dc7e11227020f63684301df (diff)
download: poky-1abb9cc58e4be1c5de0e763b3cc34c3e0640679d.tar.gz
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index d5db6e8da4..6611fdc3a6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
     file://CVE-2017-16829.patch \
     file://CVE-2017-16830.patch \
     file://CVE-2017-16831.patch \
+     file://CVE-2017-16832.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
new file mode 100644
index 0000000000..9044bccf95
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
@@ -0,0 +1,61 @@
+From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 31 Oct 2017 14:29:40 +0000
+Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary
+ with a corrupt data dictionary.
+        PR 22373
+        * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
+        offset values.
+Upstrem-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16832
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/peicode.h | 9 ++++++---
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+Index: git/bfd/peicode.h
+===================================================================
+--- git.orig/bfd/peicode.h
+++ git/bfd/peicode.h
+@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
+   bfd_byte *data = 0;
+   bfd_size_type dataoff;
+   unsigned int i;
+-
+   bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
+   bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
+ 
+@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
+ 
+   dataoff = addr - section->vma;
+ 
+-  /* PR 20605: Make sure that the data is really there.  */
+-  if (dataoff + size > section->size)
+  /* PR 20605 and 22373: Make sure that the data is really there.
+     Note - since we are dealing with unsigned quantities we have
+     to be careful to check for potential overflows.  */
+  if (dataoff > section->size
+      || size > section->size
+      || dataoff + size > section->size)
+     {
+       _bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
+                          abfd);
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2017-10-31  Nick Clifton  <nickc@redhat.com>
+
+       PR 22373
+       * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
+       offset values.
+
+ 2017-11-03  Mingi Cho  <mgcho.minic@gmail.com>
+            Nick Clifton  <nickc@redhat.com>
+
author	Armin Kuster <akuster@mvista.com>	2018-08-07 16:22:27 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	1abb9cc58e4be1c5de0e763b3cc34c3e0640679d (patch)
tree	0690c18706226e4504eaaba8b78009bfe176e98f
parent	d40d4bf86f5f4cec5dc7e11227020f63684301df (diff)
download	poky-1abb9cc58e4be1c5de0e763b3cc34c3e0640679d.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index d5db6e8da4..6611fdc3a6 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
59	file://CVE-2017-16829.patch \	59	file://CVE-2017-16829.patch \
60	file://CVE-2017-16830.patch \	60	file://CVE-2017-16830.patch \
61	file://CVE-2017-16831.patch \	61	file://CVE-2017-16831.patch \
		62	file://CVE-2017-16832.patch \
62	"	63	"
63	S = "${WORKDIR}/git"	64	S = "${WORKDIR}/git"
64		65


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch new file mode 100644 index 0000000000..9044bccf95 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16832.patch
@@ -0,0 +1,61 @@
		1	From 0bb6961f18b8e832d88b490d421ca56cea16c45b Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Tue, 31 Oct 2017 14:29:40 +0000
		4	Subject: [PATCH] Fix illegal memory access triggered when parsing a PE binary
		5	with a corrupt data dictionary.
		6
		7	PR 22373
		8	* peicode.h (pe_bfd_read_buildid): Check for invalid size and data
		9	offset values.
		10
		11	Upstrem-Status: Backport
		12	Affects: <= 2.29.1
		13	CVE: CVE-2017-16832
		14	Signed-off-by: Armin Kuster <akuster@mvista.com>
		15
		16	---
		17	bfd/ChangeLog \| 6 ++++++
		18	bfd/peicode.h \| 9 ++++++---
		19	2 files changed, 12 insertions(+), 3 deletions(-)
		20
		21	Index: git/bfd/peicode.h
		22	===================================================================
		23	--- git.orig/bfd/peicode.h
		24	+++ git/bfd/peicode.h
		25	@@ -1303,7 +1303,6 @@ pe_bfd_read_buildid (bfd *abfd)
		26	bfd_byte *data = 0;
		27	bfd_size_type dataoff;
		28	unsigned int i;
		29	-
		30	bfd_vma addr = extra->DataDirectory[PE_DEBUG_DATA].VirtualAddress;
		31	bfd_size_type size = extra->DataDirectory[PE_DEBUG_DATA].Size;
		32
		33	@@ -1327,8 +1326,12 @@ pe_bfd_read_buildid (bfd *abfd)
		34
		35	dataoff = addr - section->vma;
		36
		37	- /* PR 20605: Make sure that the data is really there. */
		38	- if (dataoff + size > section->size)
		39	+ /* PR 20605 and 22373: Make sure that the data is really there.
		40	+ Note - since we are dealing with unsigned quantities we have
		41	+ to be careful to check for potential overflows. */
		42	+ if (dataoff > section->size
		43	+ \|\| size > section->size
		44	+ \|\| dataoff + size > section->size)
		45	{
		46	_bfd_error_handler (_("%B: Error: Debug Data ends beyond end of debug directory."),
		47	abfd);
		48	Index: git/bfd/ChangeLog
		49	===================================================================
		50	--- git.orig/bfd/ChangeLog
		51	+++ git/bfd/ChangeLog
		52	@@ -1,3 +1,9 @@
		53	+2017-10-31 Nick Clifton <nickc@redhat.com>
		54	+
		55	+ PR 22373
		56	+ * peicode.h (pe_bfd_read_buildid): Check for invalid size and data
		57	+ offset values.
		58	+
		59	2017-11-03 Mingi Cho <mgcho.minic@gmail.com>
		60	Nick Clifton <nickc@redhat.com>
		61