mirror of
https://git.yoctoproject.org/poky
synced 2026-02-09 02:03:04 +01:00
binutils: fix CVE-2019-17451
Backport upstream fix. No upstream release version of binutils has it yet, so backport the fix independently.

(From OE-Core rev: 3693a0a8b9461521b95613a76b7fd79c86a3bf8f)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
committed by Richard Purdie
parent ab808af9fd
commit efea2749d2
@@ -50,6 +50,7 @@ SRC_URI = "\
file://CVE-2019-14250.patch \
file://CVE-2019-14444.patch \
file://CVE-2019-17450.patch \
file://CVE-2019-17451.patch \
"
S = "${WORKDIR}/git"
51
meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
Normal file
@@ -0,0 +1,51 @@
From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 10:47:13 +1030
Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
file. There are newer versions of binutils, but none of them contain the
commit fixing CVE-2019-17451, so backport it to master and zeus.
Upstream-Status: Backport
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
CVE: CVE-2019-17451
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
---
bfd/dwarf2.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 0b4e485582..a91597b1d0 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)
--
2.23.0
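Review bot: the overflow test added in the _bfd_dwarf2_slurp_debug_info loop, `if (total_size + msec->size < total_size || total_size + msec->size < msec->size)`, only works as a wraparound check if both total_size and msec->size are unsigned, and neither declaration is in the hunk context, so that is worth confirming against the binutils source this recipe builds. With unsigned operands the second comparison is redundant, because a wrapped sum is smaller than both addends (the header's testcase sizes 2aaaabac4ec1 and ffffd5555453b140 wrap to 1, which is below each of them), but since the patch is marked Upstream-Status: Backport the code should stay identical to the upstream commit rather than be simplified here. Two points on the patch header: the commit hash on the From line does not match the 336bfbeb1848 in the Upstream-Status link, so a sentence explaining the difference would save readers a lookup; and "backport it to master and zeus" is branch-targeting information that fits the recipe commit message better than the patch header. The failure path sets bfd_error_no_memory for what is a malformed-input condition; that is upstream's choice and fine to keep in a backport, but worth knowing when triaging errors reported from this path.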