summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch')
-rw-r--r--meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch102
1 files changed, 102 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
new file mode 100644
index 0000000000..ec3308b4f4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch
@@ -0,0 +1,102 @@
+Upstream-Status: Backport
+
+CVE-2014-8485 fix.
+
+[YOCTO #7084]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+From 493a33860c71cac998f1a56d6d87d6faa801fbaa Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 27 Oct 2014 12:43:16 +0000
+Subject: [PATCH] This patch closes a potential security hole in applications
+ that use the bfd library to parse binaries containing maliciously corrupt
+ section group headers.
+
+ PR binutils/17510
+ * elf.c (setup_group): Improve handling of corrupt group
+ sections.
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/elf.c | 34 ++++++++++++++++++++++++++++++----
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+Index: binutils-2.24/bfd/elf.c
+===================================================================
+--- binutils-2.24.orig/bfd/elf.c
++++ binutils-2.24/bfd/elf.c
+@@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ if (shdr->contents == NULL)
+ {
+ _bfd_error_handler
+- (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++ (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size);
+ bfd_set_error (bfd_error_bad_value);
+- return FALSE;
++ -- num_group;
++ continue;
+ }
+
+ memset (shdr->contents, 0, amt);
+@@ -618,7 +619,16 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0
+ || (bfd_bread (shdr->contents, shdr->sh_size, abfd)
+ != shdr->sh_size))
+- return FALSE;
++ {
++ _bfd_error_handler
++ (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size);
++ bfd_set_error (bfd_error_bad_value);
++ -- num_group;
++ /* PR 17510: If the group contents are even partially
++ corrupt, do not allow any of the contents to be used. */
++ memset (shdr->contents, 0, amt);
++ continue;
++ }
+
+ /* Translate raw contents, a flag word followed by an
+ array of elf section indices all in target byte order,
+@@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ }
+ }
+ }
++
++ /* PR 17510: Corrupt binaries might contain invalid groups. */
++ if (num_group != (unsigned) elf_tdata (abfd)->num_group)
++ {
++ elf_tdata (abfd)->num_group = num_group;
++
++ /* If all groups are invalid then fail. */
++ if (num_group == 0)
++ {
++ elf_tdata (abfd)->group_sect_ptr = NULL;
++ elf_tdata (abfd)->num_group = num_group = -1;
++ (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd);
++ bfd_set_error (bfd_error_bad_value);
++ }
++ }
+ }
+ }
+
+@@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shd
+ {
+ (*_bfd_error_handler) (_("%B: no group info for section %A"),
+ abfd, newsect);
++ return FALSE;
+ }
+ return TRUE;
+ }
+Index: binutils-2.24/bfd/ChangeLog
+===================================================================
+--- binutils-2.24.orig/bfd/ChangeLog
++++ binutils-2.24/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2014-10-27 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/17510
++ * elf.c (setup_group): Improve handling of corrupt group
++ sections.
++
+ 2014-08-29 Alan Modra <amodra@gmail.com>
+
+ * srec.c (srec_scan): Revert last change. Report an error for