From 45de3690367c8e0adf443a2f2630ecf8791789d6 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster@mvista.com>
Date: Mon, 6 Aug 2018 14:16:09 -0700
Subject: binutls: Security fix for CVE-2017-14938

Affects: <= 2.29.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |  1 +
 .../binutils/binutils/CVE-2017-14938.patch         | 64 ++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch

(limited to 'meta/recipes-devtools')

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 1962f5c303..c7c755fcb3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -41,6 +41,7 @@ SRC_URI = "\
      file://CVE-2017-14933_p1.patch \
      file://CVE-2017-14933_p2.patch \
      file://CVE-2017-14934.patch \
+     file://CVE-2017-14938.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch
new file mode 100644
index 0000000000..e62c73c06d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14938.patch
@@ -0,0 +1,64 @@
+From bd61e135492ecf624880e6b78e5fcde3c9716df6 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:34:57 +0930
+Subject: [PATCH] PR22166, SHT_GNU_verneed memory allocation
+
+The sanity check covers the previous minimim size, plus that the size
+is at least enough for sh_info verneed entries.
+
+Also, since we write all verneed fields or exit with an error, there
+isn't any need to zero the memory allocated for verneed entries.
+
+	PR 22166
+	* elf.c (_bfd_elf_slurp_version_tables): Test sh_info on
+	SHT_GNU_verneed section for sanity.  Don't zalloc memory for
+	verref.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14938
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 7 +++++++
+ bfd/elf.c     | 5 +++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -8198,7 +8198,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd
+ 
+       hdr = &elf_tdata (abfd)->dynverref_hdr;
+ 
+-      if (hdr->sh_info == 0 || hdr->sh_size < sizeof (Elf_External_Verneed))
++      if (hdr->sh_info == 0
++	  || hdr->sh_info > hdr->sh_size / sizeof (Elf_External_Verneed))
+ 	{
+ error_return_bad_verref:
+ 	  _bfd_error_handler
+@@ -8219,7 +8220,7 @@ error_return_verref:
+ 	goto error_return_verref;
+ 
+       elf_tdata (abfd)->verref = (Elf_Internal_Verneed *)
+-	bfd_zalloc2 (abfd, hdr->sh_info, sizeof (Elf_Internal_Verneed));
++	bfd_alloc2 (abfd, hdr->sh_info, sizeof (Elf_Internal_Verneed));
+ 
+       if (elf_tdata (abfd)->verref == NULL)
+ 	goto error_return_verref;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-24  Alan Modra  <amodra@gmail.com>
++
++       PR 22166
++       * elf.c (_bfd_elf_slurp_version_tables): Test sh_info on
++       SHT_GNU_verneed section for sanity.  Don't zalloc memory for
++       verref.
++
+ 2017-09-26  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR 22210
-- 
cgit 1.2.3-korg