diff options
| author |   Trevor Gamblin <trevor.gamblin@windriver.com> | 2019-10-25 10:11:45 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-10-31 16:07:11 +0000 |
| commit | 3693a0a8b9461521b95613a76b7fd79c86a3bf8f (patch) | |
| tree | dcf5493b7a5c4c6c2e4cef17a6fcc8b73a9bb3b6 /meta/recipes-devtools/binutils | |
| parent | a4ead72b958ded4941f96741029f4955930ba758 (diff) | |
| download | openembedded-core-contrib-3693a0a8b9461521b95613a76b7fd79c86a3bf8f.tar.gz | |
binutils: fix CVE-2019-17451
Backport upstream fix. No upstream release version of
binutils it yet, so backport the fix independently.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-devtools/binutils')
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.32.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch | 51 |
2 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc index 1e96cf494d..349c3e1154 100644 --- a/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc @@ -50,6 +50,7 @@ SRC_URI = "\ file://CVE-2019-14250.patch \ file://CVE-2019-14444.patch \ file://CVE-2019-17450.patch \ + file://CVE-2019-17451.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch new file mode 100644 index 0000000000..b36a532668 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch @@ -0,0 +1,51 @@ +From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 9 Oct 2019 10:47:13 +1030 +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line + +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog +file. There are newer versions of binutils, but none of them contain the +commit fixing CVE-2019-17451, so backport it to master and zeus. + +Upstream-Status: Backport +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848] +CVE: CVE-2019-17451 +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> + + +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 +and ffffd5555453b140 result in a total size of 1. Reading the first +section of course overflows the buffer and tramples on other memory. + + PR 25070 + * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of + total_size calculation. +--- + bfd/dwarf2.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0b4e485582..a91597b1d0 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + for (total_size = 0; + msec; + msec = find_debug_info (debug_bfd, debug_sections, msec)) +- total_size += msec->size; ++ { ++ /* Catch PR25070 testcase overflowing size calculation here. */ ++ if (total_size + msec->size < total_size ++ || total_size + msec->size < msec->size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return FALSE; ++ } ++ total_size += msec->size; ++ } + + stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); + if (stash->info_ptr_memory == NULL) +-- +2.23.0 + |