binutils: CVE-2017-7301

Source: git://sourceware.org/git/binutils-gdb.git MR: 74231 Type: Security Fix Disposition: Backport from binutils-2_28-branch ChangeID: 1fbae9f71e3ad90f930f8b25d550de964e05c259 Description: Fix seg-fault in linker parsing a corrupt input file. PR ld/20924 (aout_link_add_symbols): Fix off by one error checking for overflow of string offset. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: 315608a626f9e21d198d1600ded69114ac1e16d1) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-04 16:34:32 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:07 +0000
commit: 10e74c42ad77a5178fc42da5960cd61ecdb97150 (patch)
tree: 4d2107687d355d78dc00e658f018a430faa67289
parent: a880a7f8d762cdd488ab8336cd4574cb9172bb52 (diff)
download: poky-10e74c42ad77a5178fc42da5960cd61ecdb97150.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 54cdcc7bb5..59e46b8bf4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
     file://CVE-2017-7224.patch \
     file://CVE-2017-7225.patch \
     file://CVE-2017-7227.patch \
+     file://CVE-2017-7301.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch
new file mode 100644
index 0000000000..36b4259fde
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch
@@ -0,0 +1,52 @@
+commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Dec 5 12:25:34 2016 +0000
+    Fix seg-fault in linker parsing a corrupt input file.
+    
+        PR ld/20924
+        (aout_link_add_symbols): Fix off by one error checking for
+        overflow of string offset.
+Upstream-Status: Backport
+CVE: CVE-2017-7301
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-04 15:42:15.244812577 +0530
+++ git/bfd/ChangeLog   2017-09-04 15:51:36.573466525 +0530
+@@ -120,6 +120,10 @@
+        * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over
+        the end of the string buffer.
+ 
+       PR ld/20924
+       (aout_link_add_symbols): Fix off by one error checking for
+       overflow of string offset.
+
+ 2016-12-01  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/20891
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h        2017-09-04 15:42:15.244812577 +0530
+++ git/bfd/aoutx.h     2017-09-04 15:49:36.500479341 +0530
+@@ -3091,7 +3091,7 @@
+          BFD_ASSERT (p + 1 < pend);
+          ++p;
+          /* PR 19629: Corrupt binaries can contain illegal string offsets.  */
+-         if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
+         if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
+            return FALSE;
+          string = strings + GET_WORD (abfd, p->e_strx);
+          section = bfd_ind_section_ptr;
+@@ -3127,7 +3127,7 @@
+          ++p;
+          string = name;
+          /* PR 19629: Corrupt binaries can contain illegal string offsets.  */
+-         if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
+         if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
+            return FALSE;
+          name = strings + GET_WORD (abfd, p->e_strx);
+          section = bfd_und_section_ptr;
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-04 16:34:32 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:07 +0000
commit	10e74c42ad77a5178fc42da5960cd61ecdb97150 (patch)
tree	4d2107687d355d78dc00e658f018a430faa67289
parent	a880a7f8d762cdd488ab8336cd4574cb9172bb52 (diff)
download	poky-10e74c42ad77a5178fc42da5960cd61ecdb97150.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 54cdcc7bb5..59e46b8bf4 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
63	file://CVE-2017-7224.patch \	63	file://CVE-2017-7224.patch \
64	file://CVE-2017-7225.patch \	64	file://CVE-2017-7225.patch \
65	file://CVE-2017-7227.patch \	65	file://CVE-2017-7227.patch \
		66	file://CVE-2017-7301.patch \
66	"	67	"
67	S = "${WORKDIR}/git"	68	S = "${WORKDIR}/git"
68		69


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch new file mode 100644 index 0000000000..36b4259fde --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch
@@ -0,0 +1,52 @@
		1	commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Mon Dec 5 12:25:34 2016 +0000
		4
		5	Fix seg-fault in linker parsing a corrupt input file.
		6
		7	PR ld/20924
		8	(aout_link_add_symbols): Fix off by one error checking for
		9	overflow of string offset.
		10
		11	Upstream-Status: Backport
		12
		13	CVE: CVE-2017-7301
		14	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		15
		16	Index: git/bfd/ChangeLog
		17	===================================================================
		18	--- git.orig/bfd/ChangeLog 2017-09-04 15:42:15.244812577 +0530
		19	+++ git/bfd/ChangeLog 2017-09-04 15:51:36.573466525 +0530
		20	@@ -120,6 +120,10 @@
		21	* peicode.h (pe_ILF_object_p): Use strnlen to avoid running over
		22	the end of the string buffer.
		23
		24	+ PR ld/20924
		25	+ (aout_link_add_symbols): Fix off by one error checking for
		26	+ overflow of string offset.
		27	+
		28	2016-12-01 Nick Clifton <nickc@redhat.com>
		29
		30	PR binutils/20891
		31	Index: git/bfd/aoutx.h
		32	===================================================================
		33	--- git.orig/bfd/aoutx.h 2017-09-04 15:42:15.244812577 +0530
		34	+++ git/bfd/aoutx.h 2017-09-04 15:49:36.500479341 +0530
		35	@@ -3091,7 +3091,7 @@
		36	BFD_ASSERT (p + 1 < pend);
		37	++p;
		38	/* PR 19629: Corrupt binaries can contain illegal string offsets. */
		39	- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
		40	+ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
		41	return FALSE;
		42	string = strings + GET_WORD (abfd, p->e_strx);
		43	section = bfd_ind_section_ptr;
		44	@@ -3127,7 +3127,7 @@
		45	++p;
		46	string = name;
		47	/* PR 19629: Corrupt binaries can contain illegal string offsets. */
		48	- if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
		49	+ if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
		50	return FALSE;
		51	name = strings + GET_WORD (abfd, p->e_strx);
		52	section = bfd_und_section_ptr;