binutils: fix CVE-2019-17451
Backport upstream fix. No upstream release version of binutils has it yet, so backport the fix independently. (From OE-Core rev: 3693a0a8b9461521b95613a76b7fd79c86a3bf8f) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by
Richard Purdie
parent
ab808af9fd
commit
efea2749d2
@@ -50,6 +50,7 @@ SRC_URI = "\
|
|||||||
file://CVE-2019-14250.patch \
|
file://CVE-2019-14250.patch \
|
||||||
file://CVE-2019-14444.patch \
|
file://CVE-2019-14444.patch \
|
||||||
file://CVE-2019-17450.patch \
|
file://CVE-2019-17450.patch \
|
||||||
|
file://CVE-2019-17451.patch \
|
||||||
"
|
"
|
||||||
S = "${WORKDIR}/git"
|
S = "${WORKDIR}/git"
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,51 @@
|
|||||||
|
From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alan Modra <amodra@gmail.com>
|
||||||
|
Date: Wed, 9 Oct 2019 10:47:13 +1030
|
||||||
|
Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
|
||||||
|
|
||||||
|
Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
|
||||||
|
file. There are newer versions of binutils, but none of them contain the
|
||||||
|
commit fixing CVE-2019-17451, so backport it to master and zeus.
|
||||||
|
|
||||||
|
Upstream-Status: Backport
|
||||||
|
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
|
||||||
|
CVE: CVE-2019-17451
|
||||||
|
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
|
||||||
|
|
||||||
|
|
||||||
|
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
|
||||||
|
and ffffd5555453b140 result in a total size of 1. Reading the first
|
||||||
|
section of course overflows the buffer and tramples on other memory.
|
||||||
|
|
||||||
|
PR 25070
|
||||||
|
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
|
||||||
|
total_size calculation.
|
||||||
|
---
|
||||||
|
bfd/dwarf2.c | 11 ++++++++++-
|
||||||
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
|
||||||
|
index 0b4e485582..a91597b1d0 100644
|
||||||
|
--- a/bfd/dwarf2.c
|
||||||
|
+++ b/bfd/dwarf2.c
|
||||||
|
@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
|
||||||
|
for (total_size = 0;
|
||||||
|
msec;
|
||||||
|
msec = find_debug_info (debug_bfd, debug_sections, msec))
|
||||||
|
- total_size += msec->size;
|
||||||
|
+ {
|
||||||
|
+ /* Catch PR25070 testcase overflowing size calculation here. */
|
||||||
|
+ if (total_size + msec->size < total_size
|
||||||
|
+ || total_size + msec->size < msec->size)
|
||||||
|
+ {
|
||||||
|
+ bfd_set_error (bfd_error_no_memory);
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+ total_size += msec->size;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
|
||||||
|
if (stash->info_ptr_memory == NULL)
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
||||||
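Review bot: The guard added before `total_size += msec->size;` is a valid wrap test only if `total_size` and `msec->size` are both unsigned and of the same width; their declarations are outside the hunk, so that is worth confirming, because with a signed operand the addition itself would already be undefined. Under that assumption the two comparisons are equivalent and a single `if (total_size + msec->size < total_size)` suffices. The comment names the PR rather than the invariant; something like `/* The sum of all section sizes must not wrap: the buffer allocated below has to hold every section.  */` would tell a later reader why the check has to stay. A sum that does not wrap but is still far larger than the file is left to the `bfd_malloc` NULL check that follows, and `_bfd_dwarf2_slurp_debug_info` continues outside the hunk, so whether each section is bounded against the file size elsewhere cannot be seen here.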