
binutls: Security fix for CVE-2017-16829

Affects: <= 2.29.1

(From OE-Core rev: 7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Armin Kuster
2018-08-07 15:55:30 -07:00
committed by Richard Purdie
parent 3a47233ad7
commit 2720b93220
2 changed files with 83 additions and 0 deletions
@@ -56,6 +56,7 @@ SRC_URI = "\
file://CVE-2017-16827.patch \
file://CVE-2017-16828_p1.patch \
file://CVE-2017-16828_p2.patch \
file://CVE-2017-16829.patch \
"
S = "${WORKDIR}/git"
@@ -0,0 +1,82 @@
From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Tue, 17 Oct 2017 21:57:29 +1030
Subject: [PATCH] PR22307, Heap out of bounds read in
_bfd_elf_parse_gnu_properties
When adding an unbounded increment to a pointer, you can't just check
against the end of the buffer but also must check that overflow
doesn't result in "negative" pointer movement. Pointer comparisons
are signed. Better, check the increment against the space left using
an unsigned comparison.
PR 22307
* elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
against size left rather than comparing pointers. Reorganise loop.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-16829
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 6 ++++++
bfd/elf-properties.c | 18 +++++++++---------
2 files changed, 15 insertions(+), 9 deletions(-)
Index: git/bfd/elf-properties.c
===================================================================
--- git.orig/bfd/elf-properties.c
+++ git/bfd/elf-properties.c
@@ -93,15 +93,20 @@ bad_size:
return FALSE;
}
- while (1)
+ while (ptr != ptr_end)
{
- unsigned int type = bfd_h_get_32 (abfd, ptr);
- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4);
+ unsigned int type;
+ unsigned int datasz;
elf_property *prop;
+ if ((size_t) (ptr_end - ptr) < 8)
+ goto bad_size;
+
+ type = bfd_h_get_32 (abfd, ptr);
+ datasz = bfd_h_get_32 (abfd, ptr + 4);
ptr += 8;
- if ((ptr + datasz) > ptr_end)
+ if (datasz > (size_t) (ptr_end - ptr))
{
_bfd_error_handler
(_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"),
@@ -182,11 +187,6 @@ bad_size:
next:
ptr += (datasz + (align_size - 1)) & ~ (align_size - 1);
- if (ptr == ptr_end)
- break;
-
- if (ptr > (ptr_end - 8))
- goto bad_size;
}
return TRUE;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,4 +1,10 @@
2017-10-17 Alan Modra <amodra@gmail.com>
+
+ PR 22307
+ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz
+ against size left rather than comparing pointers. Reorganise loop.
+
+2017-10-17 Alan Modra <amodra@gmail.com>
PR 22306
* aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
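Review bot: The rewritten loop in bfd/elf-properties.c only stays in bounds if `ptr` lands exactly on `ptr_end`: the advance at `next:` rounds `datasz` up to `align_size`, and if that ever stepped past the end, `while (ptr != ptr_end)` would stay true and `(size_t) (ptr_end - ptr)` would wrap to a very large value, so neither the new `< 8` guard nor the new `datasz` comparison would fire. Whether that can happen depends on the size and alignment validation done before the loop, which is outside this hunk. If that validation guarantees the remaining length is always a multiple of `align_size`, a comment at the loop head would make the invariant auditable, e.g. `/* Note size was checked above to be a multiple of align_size, so ptr cannot step past ptr_end.  */`; otherwise `while (ptr < ptr_end)` is the more defensive condition. Separately, `Upstream-Status: Backport` is easier to audit with the upstream commit reference on the same line; the hash is already in the patch's `From cf54ebff…` header.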