mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-11 17:59:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e1a49c7e83f2be3967fb9aa4a1c6034152b4f8bb
poky/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
Armin Kuster 3a47233ad7 binutls: Security fix for CVE-2017-16828 
Affects: <= 2.29.1

(From OE-Core rev: 98e5e27514a19d31038aec22408e27b84514c5b8)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-15 10:22:45 +01:00

80 lines
2.6 KiB
Diff
Raw Blame History

From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Thu, 5 Oct 2017 17:32:18 +1030
Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
Pointer comparisons have traps for the unwary. After adding a large
unknown value to "start", the test "start < end" depends on where
"start" is originally in memory.
PR 22239
* dwarf.c (read_cie): Don't compare "start" and "end" pointers
after adding a possibly wild length to "start", compare the length
to the difference of the pointers instead. Remove now redundant
"negative" length test.
Upstream-Status: Backport
Affects: <= 2.29.1
CVE: CVE-2017-16828 patch1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
binutils/ChangeLog | 8 ++++++++
binutils/dwarf.c | 15 ++++-----------
2 files changed, 12 insertions(+), 11 deletions(-)
Index: git/binutils/dwarf.c
===================================================================
--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
{
READ_ULEB (augmentation_data_len);
augmentation_data = start;
- start += augmentation_data_len;
/* PR 17512: file: 11042-2589-0.004. */
- if (start > end)
+ if (augmentation_data_len > (size_t) (end - start))
{
warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
- augmentation_data_len, (long)((end - start) + augmentation_data_len));
+ augmentation_data_len, (unsigned long) (end - start));
return end;
}
+ start += augmentation_data_len;
}
if (augmentation_data_len)
@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
q = augmentation_data;
qend = q + augmentation_data_len;
- /* PR 17531: file: 015adfaa. */
- if (qend < q)
- {
- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
- augmentation_data_len = 0;
- }
-
- while (p < end && q < augmentation_data + augmentation_data_len)
+ while (p < end && q < qend)
{
if (*p == 'L')
q++;
Index: git/binutils/ChangeLog
===================================================================
--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
@@ -1,3 +1,11 @@
+2017-10-05 Alan Modra <amodra@gmail.com>
+
+ PR 22239
+ * dwarf.c (read_cie): Don't compare "start" and "end" pointers
+ after adding a possibly wild length to "start", compare the length
+ to the difference of the pointers instead. Remove now redundant
+ "negative" length test.
+
2017-09-27 Nick Clifton <nickc@redhat.com>
PR 22219
Reference in New Issue View Git Blame Copy Permalink