diff options
| author |   Armin Kuster <akuster@mvista.com> | 2018-08-07 15:55:30 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 10:22:29 +0100 |
| commit | 7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0 (patch) | |
| tree | 134289e704976ca30c3d21dbe1d655967ad0c71f /meta/recipes-devtools | |
| parent | 98e5e27514a19d31038aec22408e27b84514c5b8 (diff) | |
| download | openembedded-core-7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0.tar.gz | |
binutls: Security fix for CVE-2017-16829
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'meta/recipes-devtools')
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch | 82 |
2 files changed, 83 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index ba60eccf87..7966cc3248 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -56,6 +56,7 @@ SRC_URI = "\ file://CVE-2017-16827.patch \ file://CVE-2017-16828_p1.patch \ file://CVE-2017-16828_p2.patch \ + file://CVE-2017-16829.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch new file mode 100644 index 0000000000..f9410e2728 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16829.patch @@ -0,0 +1,82 @@ +From cf54ebff3b7361989712fd9c0128a9b255578163 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 17 Oct 2017 21:57:29 +1030 +Subject: [PATCH] PR22307, Heap out of bounds read in + _bfd_elf_parse_gnu_properties + +When adding an unbounded increment to a pointer, you can't just check +against the end of the buffer but also must check that overflow +doesn't result in "negative" pointer movement. Pointer comparisons +are signed. Better, check the increment against the space left using +an unsigned comparison. + + PR 22307 + * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz + against size left rather than comparing pointers. Reorganise loop. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16829 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf-properties.c | 18 +++++++++--------- + 2 files changed, 15 insertions(+), 9 deletions(-) + +Index: git/bfd/elf-properties.c +=================================================================== +--- git.orig/bfd/elf-properties.c ++++ git/bfd/elf-properties.c +@@ -93,15 +93,20 @@ bad_size: + return FALSE; + } + +- while (1) ++ while (ptr != ptr_end) + { +- unsigned int type = bfd_h_get_32 (abfd, ptr); +- unsigned int datasz = bfd_h_get_32 (abfd, ptr + 4); ++ unsigned int type; ++ unsigned int datasz; + elf_property *prop; + ++ if ((size_t) (ptr_end - ptr) < 8) ++ goto bad_size; ++ ++ type = bfd_h_get_32 (abfd, ptr); ++ datasz = bfd_h_get_32 (abfd, ptr + 4); + ptr += 8; + +- if ((ptr + datasz) > ptr_end) ++ if (datasz > (size_t) (ptr_end - ptr)) + { + _bfd_error_handler + (_("warning: %B: corrupt GNU_PROPERTY_TYPE (%ld) type (0x%x) datasz: 0x%x"), +@@ -182,11 +187,6 @@ bad_size: + + next: + ptr += (datasz + (align_size - 1)) & ~ (align_size - 1); +- if (ptr == ptr_end) +- break; +- +- if (ptr > (ptr_end - 8)) +- goto bad_size; + } + + return TRUE; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,4 +1,10 @@ + 2017-10-17 Alan Modra <amodra@gmail.com> ++ ++ PR 22307 ++ * elf-properties.c (_bfd_elf_parse_gnu_properties): Compare datasz ++ against size left rather than comparing pointers. Reorganise loop. ++ ++2017-10-17 Alan Modra <amodra@gmail.com> + + PR 22306 + * aoutx.h (aout_get_external_symbols): Handle stringsize of zero, |