aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-08 12:07:35 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 10:22:30 +0100
commit64afab325facc55f4a49247e4033b1d3c8b22b67 (patch)
treef2f533a13d98507d975d320cb28bb0c5bbdf4a58
parent5fc41ff3341074497a1359969baf880d8035826b (diff)
downloadopenembedded-core-64afab325facc55f4a49247e4033b1d3c8b22b67.tar.gz
Binutils: Security fix for CVE-2018-13033
Affects: <= 2.30 Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch71
2 files changed, 72 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 4d9983b984..2f9b4fee02 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -69,6 +69,7 @@ SRC_URI = "\
file://CVE-2018-10373.patch \
file://CVE-2018-10534.patch \
file://CVE-2018-10535.patch \
+ file://CVE-2018-13033.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch
new file mode 100644
index 0000000000..3fa852c951
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-13033.patch
@@ -0,0 +1,71 @@
+From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 8 May 2018 12:51:06 +0100
+Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
+ fuzzed input file with corrupt string and attribute sections.
+
+ PR 22809
+ * elf.c (bfd_elf_get_str_section): Check for an excessively large
+ string section.
+ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+ attribute section is larger than the size of the file.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-13033
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 8 ++++++++
+ bfd/elf-attrs.c | 9 +++++++++
+ bfd/elf.c | 1 +
+ 3 files changed, 18 insertions(+)
+
+Index: git/bfd/elf-attrs.c
+===================================================================
+--- git.orig/bfd/elf-attrs.c
++++ git/bfd/elf-attrs.c
+@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
+ /* PR 17512: file: 2844a11d. */
+ if (hdr->sh_size == 0)
+ return;
++ if (hdr->sh_size > bfd_get_file_size (abfd))
++ {
++ /* xgettext:c-format */
++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
++ abfd, hdr->bfd_section, (long long) hdr->sh_size);
++ bfd_set_error (bfd_error_invalid_operation);
++ return;
++ }
++
+ contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+ if (!contents)
+ return;
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -297,6 +297,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+ /* Allocate and clear an extra byte at the end, to prevent crashes
+ in case the string table is not terminated. */
+ if (shstrtabsize + 1 <= 1
++ || shstrtabsize > bfd_get_file_size (abfd)
+ || bfd_seek (abfd, offset, SEEK_SET) != 0
+ || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+ shstrtab = NULL;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2018-05-08 Nick Clifton <nickc@redhat.com>
++
++ PR 22809
++ * elf.c (bfd_elf_get_str_section): Check for an excessively large
++ string section.
++ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
++ attribute section is larger than the size of the file.
++
+ 2018-04-24 Nick Clifton <nickc@redhat.com>
+
+ PR 23113