Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
new file mode 100644
index 0000000000..6cd86c2a30
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_1.patch
@@ -0,0 +1,93 @@
+commit cfd14a500e0485374596234de4db10e88ebc7618
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jun 26 15:25:08 2017 +0100
+
+ Fix address violations when atempting to parse fuzzed binaries.
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Check for and reject
+ a section whoes size is greater than the size of the entire file.
+ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
+ contain a notes section.
+
+ binutils* objdump.c (disassemble_section): Skip any section that is bigger
+ than the entire file.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9955
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/compress.c
+===================================================================
+--- git.orig/bfd/compress.c 2017-09-21 17:32:51.645611404 +0530
++++ git/bfd/compress.c 2017-09-21 17:32:52.965622987 +0530
+@@ -239,6 +239,12 @@
+ *ptr = NULL;
+ return TRUE;
+ }
++ else if (bfd_get_file_size (abfd) > 0
++ && sz > (bfd_size_type) bfd_get_file_size (abfd))
++ {
++ *ptr = NULL;
++ return FALSE;
++ }
+
+ switch (sec->compress_status)
+ {
+Index: git/bfd/elf32-v850.c
+===================================================================
+--- git.orig/bfd/elf32-v850.c 2017-09-21 17:32:35.053465773 +0530
++++ git/bfd/elf32-v850.c 2017-09-21 17:32:52.965622987 +0530
+@@ -2448,7 +2448,9 @@
+ BFD_ASSERT (bfd_malloc_and_get_section (ibfd, inotes, & icont));
+
+ if ((ocont = elf_section_data (onotes)->this_hdr.contents) == NULL)
+- BFD_ASSERT (bfd_malloc_and_get_section (obfd, onotes, & ocont));
++ /* If the output is being stripped then it is possible for
++ the notes section to disappear. In this case do nothing. */
++ return;
+
+ /* Copy/overwrite notes from the input to the output. */
+ memcpy (ocont, icont, bfd_section_size (obfd, onotes));
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c 2017-09-21 17:32:52.337617476 +0530
++++ git/binutils/objdump.c 2017-09-21 17:32:52.965622987 +0530
+@@ -1973,7 +1973,7 @@
+ return;
+
+ datasize = bfd_get_section_size (section);
+- if (datasize == 0)
++ if (datasize == 0 || datasize >= (bfd_size_type) bfd_get_file_size (abfd))
+ return;
+
+ if (start_address == (bfd_vma) -1
+@@ -2839,7 +2839,7 @@
+ static void
+ dump_section (bfd *abfd, asection *section, void *dummy ATTRIBUTE_UNUSED)
+ {
+- bfd_byte *data = 0;
++ bfd_byte *data = NULL;
+ bfd_size_type datasize;
+ bfd_vma addr_offset;
+ bfd_vma start_offset;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-09-21 17:32:52.909622495 +0530
++++ git/bfd/ChangeLog 2017-09-21 17:35:57.863164167 +0530
+@@ -11,6 +11,14 @@
+ of end pointer.
+ (evax_bfd_print_emh): Check for invalid string lengths.
+
++2017-06-26 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21665
++ * compress.c (bfd_get_full_section_contents): Check for and reject
++ a section whoes size is greater than the size of the entire file.
++ * elf32-v850.c (v850_elf_copy_notes): Allow for the ouput to not
++ contain a notes section.
++
+ 2017-07-24 Nick Clifton <nickc@redhat.com>
+
+ PR 21813 |
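Review bot: The two size guards added by the embedded patch do not agree: the compress.c hunk only rejects a section when `bfd_get_file_size (abfd) > 0`, while the objdump.c hunk at -1973 compares with `>=` and has no such guard, so if the file size is reported as 0 (presumably when it cannot be determined) every section is skipped without any diagnostic and someone inspecting a suspect binary simply sees less output. I would write that line as `if (datasize == 0 || (bfd_get_file_size (abfd) > 0 && datasize > (bfd_size_type) bfd_get_file_size (abfd)))` and emit a warning before returning. In compress.c the new branch sits ahead of `switch (sec->compress_status)`, so it applies to every compression state; `sz` is computed outside the hunk, but if it can hold a decompressed size then a valid, highly compressed section would now be rejected, and `return FALSE` is reached without a `bfd_set_error` call. In elf32-v850.c the early `return;` comes after `icont` may already have been allocated by `bfd_malloc_and_get_section`, and whether it is released on that path is not visible here. All of the touched functions begin and end outside their hunks, so these points should be checked against the full bodies.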