diff options
author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2018-10-16 00:55:04 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-10-16 20:25:37 +0100 |
commit | 2683d8287d6878868d3aa15ce6e6a80ce28d8737 (patch) | |
tree | 74a4d060601e3f2b7d288e9e6f695a912c537443 /meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch | |
parent | e0cc1dc6f1c14babe29a29a7211dc1c69d782b95 (diff) | |
download | openembedded-core-contrib-2683d8287d6878868d3aa15ce6e6a80ce28d8737.tar.gz |
binutils: fix three CVE issues
Backport the CVE patches from the upstream:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
h=30838132997e6a3cfe3ec11c58b32b22f6f6b102
h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d
[BZ 23686] https://sourceware.org/bugzilla/show_bug.cgi?id=23686
[BZ 23685] https://sourceware.org/bugzilla/show_bug.cgi?id=23685
The one is for CVE-2018-17358 and CVE-2018-17359, and the another
is for CVE-2018-17360.
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch new file mode 100644 index 0000000000..cef10a7546 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch @@ -0,0 +1,65 @@ +From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 20 Sep 2018 18:23:17 +0930 +Subject: [PATCH] PR23685, buffer overflow + + PR 23685 + * peXXigen.c (pe_print_edata): Correct export address table + overflow checks. Check dataoff against section size too. + +CVE: CVE-2018-17360 +Upstream-Status: Backport +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + bfd/ChangeLog | 6 ++++++ + bfd/peXXigen.c | 11 ++++++----- + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/bfd/ChangeLog b/bfd/ChangeLog +index fef5479..81b9e56 100644 +--- a/bfd/ChangeLog ++++ b/bfd/ChangeLog +@@ -1,5 +1,11 @@ + 2018-09-20 Alan Modra <amodra@gmail.com> + ++ PR 23685 ++ * peXXigen.c (pe_print_edata): Correct export address table ++ overflow checks. Check dataoff against section size too. ++ ++2018-09-20 Alan Modra <amodra@gmail.com> ++ + PR 23686 + * dwarf2.c (read_section): Error when attempting to malloc + "(bfd_size_type) -1". +diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c +index 598f2ca..1645ef4 100644 +--- a/bfd/peXXigen.c ++++ b/bfd/peXXigen.c +@@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile) + + dataoff = addr - section->vma; + datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; +- if (datasize > section->size - dataoff) ++ if (dataoff > section->size ++ || datasize > section->size - dataoff) + { + fprintf (file, + _("\nThere is an export table in %s, but it does not fit into that section\n"), +@@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile) + edt.base); + + /* PR 17512: Handle corrupt PE binaries. */ +- if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize ++ /* PR 17512 file: 140-165018-0.004. */ ++ if (edt.eat_addr - adj >= datasize + /* PR 17512: file: 092b1829 */ +- || (edt.num_functions * 4) < edt.num_functions +- /* PR 17512 file: 140-165018-0.004. */ +- || data + edt.eat_addr - adj < data) ++ || (edt.num_functions + 1) * 4 < edt.num_functions ++ || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize) + fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), + (long) edt.eat_addr, + (long) edt.num_functions); +-- +2.9.3 |