diff options
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch new file mode 100644 index 0000000000..7acd5e0f2f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16831.patch @@ -0,0 +1,77 @@ +From 6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 3 Nov 2017 11:55:21 +0000 +Subject: [PATCH] Fix excessive memory allocation attempts and possible integer + overfloaws when attempting to read a COFF binary with a corrupt symbol count. + + PR 22385 + * coffgen.c (_bfd_coff_get_external_symbols): Check for an + overlarge raw syment count. + (coff_get_normalized_symtab): Likewise. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16831 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + bfd/ChangeLog | 8 ++++++++ + bfd/coffgen.c | 17 +++++++++++++++-- + 2 files changed, 23 insertions(+), 2 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,11 @@ ++2017-11-03 Mingi Cho <mgcho.minic@gmail.com> ++ Nick Clifton <nickc@redhat.com> ++ ++ PR 22385 ++ * coffgen.c (_bfd_coff_get_external_symbols): Check for an ++ overlarge raw syment count. ++ (coff_get_normalized_symtab): Likewise. ++ + 2017-10-17 Alan Modra <amodra@gmail.com> + + PR 22307 +Index: git/bfd/coffgen.c +=================================================================== +--- git.orig/bfd/coffgen.c ++++ git/bfd/coffgen.c +@@ -1640,13 +1640,23 @@ _bfd_coff_get_external_symbols (bfd *abf + size = obj_raw_syment_count (abfd) * symesz; + if (size == 0) + return TRUE; ++ /* Check for integer overflow and for unreasonable symbol counts. */ ++ if (size < obj_raw_syment_count (abfd) ++ || (bfd_get_file_size (abfd) > 0 ++ && size > bfd_get_file_size (abfd))) ++ ++ { ++ _bfd_error_handler (_("%B: corrupt symbol count: %#Lx"), ++ abfd, obj_raw_syment_count (abfd)); ++ return FALSE; ++ } + + syms = bfd_malloc (size); + if (syms == NULL) + { + /* PR 21013: Provide an error message when the alloc fails. */ +- _bfd_error_handler (_("%B: Not enough memory to allocate space for %lu symbols"), +- abfd, size); ++ _bfd_error_handler (_("%B: not enough memory to allocate space for %#Lx symbols of size %#Lx"), ++ abfd, obj_raw_syment_count (abfd), symesz); + return FALSE; + } + +@@ -1790,6 +1800,9 @@ coff_get_normalized_symtab (bfd *abfd) + return NULL; + + size = obj_raw_syment_count (abfd) * sizeof (combined_entry_type); ++ /* Check for integer overflow. */ ++ if (size < obj_raw_syment_count (abfd)) ++ return NULL; + internal = (combined_entry_type *) bfd_zalloc (abfd, size); + if (internal == NULL && size != 0) + return NULL; |