Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
new file mode 100644
index 0000000000..6dae0f6c24
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
@@ -0,0 +1,97 @@
+commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jun 19 14:52:36 2017 +0100
+
+ Fix address violations when reading corrupt VMS records.
+
+ PR binutils/21618
+ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+ length.
+ (evax_bfd_print_eeom): Likewise.
+ (evax_bfd_print_egsd): Check for an overlarge record length.
+ (evax_bfd_print_etir): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:08:27.408159234 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
+@@ -5567,6 +5567,13 @@
+
+ fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* emh))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
++ return;
++ }
++
+ switch (subtype)
+ {
+ case EMH__C_MHD:
+@@ -5630,6 +5637,14 @@
+ struct vms_eeom *eeom = (struct vms_eeom *)rec;
+
+ fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
++
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* eeom))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
++ return;
++ }
++
+ fprintf (file, _(" number of cond linkage pairs: %u\n"),
+ (unsigned)bfd_getl32 (eeom->total_lps));
+ fprintf (file, _(" completion code: %u\n"),
+@@ -5718,6 +5733,12 @@
+ n, type, len);
+ n++;
+
++ if (off + len > rec_len || off + len < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+ switch (type)
+ {
+ case EGSD__C_PSC:
+@@ -5958,6 +5979,12 @@
+ size = bfd_getl16 (etir->size);
+ buf = rec + off + sizeof (struct vms_etir);
+
++ if (off + size > rec_len || off + size < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+ fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
+ switch (type)
+ {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:08:43.612213596 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:13:27.217438742 +0530
+@@ -5,6 +5,15 @@
+ correct magic bytes at the start, set the error to wrong format
+ and clear the format selector before returning NULL.
+
++ 2017-06-19 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21618
++ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
++ length.
++ (evax_bfd_print_eeom): Likewise.
++ (evax_bfd_print_egsd): Check for an overlarge record length.
++ (evax_bfd_print_etir): Likewise.
++
+ 2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+ * readelf.c (process_mips_specific): Remove error reporting from |
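Review bot: The length checks added in the evax_bfd_print_egsd and evax_bfd_print_etir hunks bound `off + len` and `off + size` from above only, so a record-supplied length smaller than the entry header still passes. In the etir hunk the very next context line prints `size - 4`, which wraps if `size` is unsigned and below 4, and `etir->size` is read before anything visible confirms that the entry header itself lies inside `rec_len`. Adding a lower bound to the same test, e.g. `if (size < sizeof (struct vms_etir) || off + size > rec_len || off + size < off)`, would cover that case; the loops that advance `off` start outside these hunks, so whether a zero length can stall them should be confirmed in the full function. Because this is a backport, such a change is better picked up from a later upstream commit (or a companion patch, if one exists) than carried as a local deviation. Separately, the tag `CVE: CVE-2017-12449_12455_12457` is not one identifier per CVE; writing `CVE: CVE-2017-12449 CVE-2017-12455 CVE-2017-12457` lets tooling that parses this tag account for all three.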