summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch')
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch79
1 files changed, 79 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
new file mode 100644
index 0000000..310908f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
1From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 5 Oct 2017 17:32:18 +1030
4Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
5
6Pointer comparisons have traps for the unwary. After adding a large
7unknown value to "start", the test "start < end" depends on where
8"start" is originally in memory.
9
10 PR 22239
11 * dwarf.c (read_cie): Don't compare "start" and "end" pointers
12 after adding a possibly wild length to "start", compare the length
13 to the difference of the pointers instead. Remove now redundant
14 "negative" length test.
15
16Upstream-Status: Backport
17Affects: <= 2.29.1
18CVE: CVE-2017-16828 patch1
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 binutils/ChangeLog | 8 ++++++++
23 binutils/dwarf.c | 15 ++++-----------
24 2 files changed, 12 insertions(+), 11 deletions(-)
25
26Index: git/binutils/dwarf.c
27===================================================================
28--- git.orig/binutils/dwarf.c
29+++ git/binutils/dwarf.c
30@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
31 {
32 READ_ULEB (augmentation_data_len);
33 augmentation_data = start;
34- start += augmentation_data_len;
35 /* PR 17512: file: 11042-2589-0.004. */
36- if (start > end)
37+ if (augmentation_data_len > (size_t) (end - start))
38 {
39 warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
40- augmentation_data_len, (long)((end - start) + augmentation_data_len));
41+ augmentation_data_len, (unsigned long) (end - start));
42 return end;
43 }
44+ start += augmentation_data_len;
45 }
46
47 if (augmentation_data_len)
48@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
49 q = augmentation_data;
50 qend = q + augmentation_data_len;
51
52- /* PR 17531: file: 015adfaa. */
53- if (qend < q)
54- {
55- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
56- augmentation_data_len = 0;
57- }
58-
59- while (p < end && q < augmentation_data + augmentation_data_len)
60+ while (p < end && q < qend)
61 {
62 if (*p == 'L')
63 q++;
64Index: git/binutils/ChangeLog
65===================================================================
66--- git.orig/binutils/ChangeLog
67+++ git/binutils/ChangeLog
68@@ -1,3 +1,11 @@
69+2017-10-05 Alan Modra <amodra@gmail.com>
70+
71+ PR 22239
72+ * dwarf.c (read_cie): Don't compare "start" and "end" pointers
73+ after adding a possibly wild length to "start", compare the length
74+ to the difference of the pointers instead. Remove now redundant
75+ "negative" length test.
76+
77 2017-09-27 Nick Clifton <nickc@redhat.com>
78
79 PR 22219