aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-05 21:56:30 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-06 16:24:02 +0100
commit219deb5228e423684972854599e6d2b30e5bf2d9 (patch)
tree3efa57afc92d558f5ce945405deb88e7e112abb8
parent3db593919bcb10938d02f6eec1a026d16191b225 (diff)
downloadpoky-219deb5228e423684972854599e6d2b30e5bf2d9.tar.gz
poky-219deb5228e423684972854599e6d2b30e5bf2d9.tar.bz2
poky-219deb5228e423684972854599e6d2b30e5bf2d9.zip
binutls: Security fix CVE-2018-7569
Affects <= 2.30 (From OE-Core rev: f79f5162088ceb29cf4820d2c3ef2aff263d7967) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.30.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch119
2 files changed, 120 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc
index 3a39d5f7b8..32eb44e08b 100644
--- a/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -41,6 +41,7 @@ SRC_URI = "\
file://CVE-2018-6759.patch \
file://CVE-2018-7642.patch \
file://CVE-2018-7208.patch \
+ file://CVE-2018-7569.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000000..96c0fd2422
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,119 @@
+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 11:50:49 +0000
+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
+ FORM blocks.
+
+ PR 22895
+ PR 22893
+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+ pointer. Drop unused abfd parameter. Check the size of the block
+ before initialising the data field. Return the end pointer if the
+ size is invalid.
+ (read_attribute_value): Adjust invocations of read_n_bytes.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7569
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 8 ++++++++
+ bfd/dwarf2.c | 36 +++++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 15 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+- bfd_byte *buf,
+- bfd_byte *end,
+- unsigned int size ATTRIBUTE_UNUSED)
+-{
+- if (buf + size > end)
+- return NULL;
+- return buf;
++read_n_bytes (bfd_byte * buf,
++ bfd_byte * end,
++ struct dwarf_block * block)
++{
++ unsigned int size = block->size;
++ bfd_byte * block_end = buf + size;
++
++ if (block_end > end || block_end < buf)
++ {
++ block->data = NULL;
++ block->size = 0;
++ return end;
++ }
++ else
++ {
++ block->data = buf;
++ return block_end;
++ }
+ }
+
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
+ return NULL;
+ blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+ info_ptr += 2;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_block4:
+@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
+ return NULL;
+ blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+ info_ptr += 4;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_data2:
+@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
+ blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+ FALSE, info_ptr_end);
+ info_ptr += bytes_read;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_block1:
+@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
+ return NULL;
+ blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+ info_ptr += 1;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_data1:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -6,6 +6,14 @@
+
+ 2018-02-28 Alan Modra <amodra@gmail.com>
+
++ PR 22895
++ PR 22893
++ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
++ pointer. Drop unused abfd parameter. Check the size of the block
++ before initialising the data field. Return the end pointer if the
++ size is invalid.
++ (read_attribute_value): Adjust invocations of read_n_bytes.
++
+ PR 22887
+ * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
+