diff options
| author |   Armin Kuster <akuster@mvista.com> | 2018-08-07 16:06:49 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 10:22:29 +0100 |
| commit | 29c6da2092599145e5a4f00ccc6029f31ec724da (patch) | |
| tree | 4ee15bf284bd600e4445fb25a0e3c9dc9a739401 | |
| parent | 7dc47bc3f3d66aea3b8bbc2fb6fb9bbb7d2dc0a0 (diff) | |
| download | openembedded-core-29c6da2092599145e5a4f00ccc6029f31ec724da.tar.gz | |
binutls: Security fix for CVE-2017-16830
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch | 91 |
2 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 7966cc3248..4191482929 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -57,6 +57,7 @@ SRC_URI = "\ file://CVE-2017-16828_p1.patch \ file://CVE-2017-16828_p2.patch \ file://CVE-2017-16829.patch \ + file://CVE-2017-16830.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch new file mode 100644 index 0000000000..1382c8e3e7 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16830.patch @@ -0,0 +1,91 @@ +From 6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 Mon Sep 17 00:00:00 2001 +From: Mingi Cho <mgcho.minic@gmail.com> +Date: Thu, 2 Nov 2017 17:01:08 +0000 +Subject: [PATCH] Work around integer overflows when readelf is checking for + corrupt ELF notes when run on a 32-bit host. + + PR 22384 + * readelf.c (print_gnu_property_note): Improve overflow checks so + that they will work on a 32-bit host. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-16830 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/readelf.c | 33 +++++++++++++++++---------------- + 2 files changed, 23 insertions(+), 16 deletions(-) + +Index: git/binutils/readelf.c +=================================================================== +--- git.orig/binutils/readelf.c ++++ git/binutils/readelf.c +@@ -16431,15 +16431,24 @@ print_gnu_property_note (Elf_Internal_No + return; + } + +- while (1) ++ while (ptr < ptr_end) + { + unsigned int j; +- unsigned int type = byte_get (ptr, 4); +- unsigned int datasz = byte_get (ptr + 4, 4); ++ unsigned int type; ++ unsigned int datasz; ++ ++ if ((size_t) (ptr_end - ptr) < 8) ++ { ++ printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz); ++ break; ++ } ++ ++ type = byte_get (ptr, 4); ++ datasz = byte_get (ptr + 4, 4); + + ptr += 8; + +- if ((ptr + datasz) > ptr_end) ++ if (datasz > (size_t) (ptr_end - ptr)) + { + printf (_("<corrupt type (%#x) datasz: %#x>\n"), + type, datasz); +@@ -16520,19 +16529,11 @@ next: + ptr += ((datasz + (size - 1)) & ~ (size - 1)); + if (ptr == ptr_end) + break; +- else +- { +- if (do_wide) +- printf (", "); +- else +- printf ("\n\t"); +- } + +- if (ptr > (ptr_end - 8)) +- { +- printf (_("<corrupt descsz: %#lx>\n"), pnote->descsz); +- break; +- } ++ if (do_wide) ++ printf (", "); ++ else ++ printf ("\n\t"); + } + + printf ("\n"); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2017-11-02 Mingi Cho <mgcho.minic@gmail.com> ++ ++ PR 22384 ++ * readelf.c (print_gnu_property_note): Improve overflow checks so ++ that they will work on a 32-bit host. ++ + 2017-10-05 Alan Modra <amodra@gmail.com> + + PR 22239 |