mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-03 13:49:49 +00:00
Code Issues Projects Releases Wiki Activity

Binutils: Security fix for CVE-2018-7569

Browse Source 
Affects: <= 2.30

(From OE-Core rev: b99d1f2212ea73ddafd3fbf9426b37a04d89b809)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2018-08-08 13:53:40 -07:00
committed by Richard Purdie
parent 3552c38b32
commit bdb3981466
2 changed files with 121 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-devtools/binutils/binutils-2.29.1.inc
+1
View File
@@ -75,6 +75,7 @@ SRC_URI = "\
file://CVE-2018-7208.patch \ file://CVE-2018-7208.patch \
file://CVE-2018-7568_p1.patch \ file://CVE-2018-7568_p1.patch \
file://CVE-2018-7568_p2.patch \ file://CVE-2018-7568_p2.patch \
file://CVE-2018-7569.patch \
" "
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
+120
View File
@@ -0,0 +1,120 @@
From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
From: Nick Clifton <nickc@redhat.com>
Date: Wed, 28 Feb 2018 11:50:49 +0000
Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
FORM blocks.
PR 22895
PR 22893
* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
pointer. Drop unused abfd parameter. Check the size of the block
before initialising the data field. Return the end pointer if the
size is invalid.
(read_attribute_value): Adjust invocations of read_n_bytes.
Upstream-Status: Backport
Affects: <= 2.30
CVE: CVE-2018-7569
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
bfd/ChangeLog | 8 ++++++++
bfd/dwarf2.c | 36 +++++++++++++++++++++---------------
2 files changed, 29 insertions(+), 15 deletions(-)
Index: git/bfd/dwarf2.c
===================================================================
--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
@@ -649,14 +649,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
}
static bfd_byte *
-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
- bfd_byte *buf,
- bfd_byte *end,
- unsigned int size ATTRIBUTE_UNUSED)
-{
- if (buf + size > end)
- return NULL;
- return buf;
+read_n_bytes (bfd_byte * buf,
+ bfd_byte * end,
+ struct dwarf_block * block)
+{
+ unsigned int size = block->size;
+ bfd_byte * block_end = buf + size;
+
+ if (block_end > end || block_end < buf)
+ {
+ block->data = NULL;
+ block->size = 0;
+ return end;
+ }
+ else
+ {
+ block->data = buf;
+ return block_end;
+ }
}
/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 2;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block4:
@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
info_ptr += 4;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data2:
@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute *
blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
FALSE, info_ptr_end);
info_ptr += bytes_read;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_block1:
@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute *
return NULL;
blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
info_ptr += 1;
- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
- info_ptr += blk->size;
+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
attr->u.blk = blk;
break;
case DW_FORM_data1:
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
@@ -1,4 +1,14 @@
2018-02-28 Nick Clifton <nickc@redhat.com>
+
+ PR 22895
+ PR 22893
+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+ pointer. Drop unused abfd parameter. Check the size of the block
+ before initialising the data field. Return the end pointer if the
+ size is invalid.
+ (read_attribute_value): Adjust invocations of read_n_bytes.
+
+2018-02-28 Nick Clifton <nickc@redhat.com>
PR 22894
* dwarf1.c (parse_die): Check the length of form blocks before