mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-14 01:53:48 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
e1f6d40f1d255c4b645ce1b82ef7e56cb4b3eecd
poky/meta/recipes-devtools/binutils/binutils/CVE-2017-9955_2.patch
Thiruvadi Rajaraman e7f53f5fe5 binutils: CVE-2017-9955 
Source: binutils-gdb.git
MR: 73893
Type: Security Fix
Disposition: Backport from 'binutils-gdb.git/master' branch
ChangeID: 94c3ef8c1fa2e84e84ad76fb45307848d98817c8
Description:

PR 21665 : Fixed multiple heap based buffer overflow

Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: a36978f0dd372ec836f63942f965652ca3716e3f)

Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-01-07 17:10:09 +00:00

113 lines
3.3 KiB
Diff
Raw Blame History

commit 0630b49c470ca2e3c3f74da4c7e4ff63440dd71f
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Mon Jun 26 09:24:49 2017 -0700
Check file size before getting section contents
Don't check the section size in bfd_get_full_section_contents since
the size of a decompressed section may be larger than the file size.
Instead, check file size in _bfd_generic_get_section_contents.
PR binutils/21665
* compress.c (bfd_get_full_section_contents): Don't check the
file size here.
* libbfd.c (_bfd_generic_get_section_contents): Check for and
reject a section whoes size + offset is greater than the size
of the entire file.
(_bfd_generic_get_section_contents_in_window): Likewise.
Upstream-Status: Backport
CVE: CVE-2017-9955
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Index: git/bfd/libbfd.c
===================================================================
--- git.orig/bfd/libbfd.c 2017-09-21 17:41:59.457841691 +0530
+++ git/bfd/libbfd.c 2017-09-21 17:42:18.269987768 +0530
@@ -780,6 +780,7 @@
bfd_size_type count)
{
bfd_size_type sz;
+ file_ptr filesz;
if (count == 0)
return TRUE;
@@ -801,8 +802,15 @@
sz = section->rawsize;
else
sz = section->size;
+ filesz = bfd_get_file_size (abfd);
+ if (filesz < 0)
+ {
+ /* This should never happen. */
+ abort ();
+ }
if (offset + count < count
- || offset + count > sz)
+ || offset + count > sz
+ || (section->filepos + offset + sz) > (bfd_size_type) filesz)
{
bfd_set_error (bfd_error_invalid_operation);
return FALSE;
@@ -825,6 +833,7 @@
{
#ifdef USE_MMAP
bfd_size_type sz;
+ file_ptr filesz;
if (count == 0)
return TRUE;
@@ -857,7 +866,13 @@
sz = section->rawsize;
else
sz = section->size;
+ filesz = bfd_get_file_size (abfd);
+ {
+ /* This should never happen. */
+ abort ();
+ }
if (offset + count > sz
+ || (section->filepos + offset + sz) > (bfd_size_type) filesz
|| ! bfd_get_file_window (abfd, section->filepos + offset, count, w,
TRUE))
return FALSE;
Index: git/bfd/compress.c
===================================================================
--- git.orig/bfd/compress.c 2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/compress.c 2017-09-21 17:45:17.107399434 +0530
@@ -239,12 +239,6 @@
*ptr = NULL;
return TRUE;
}
- else if (bfd_get_file_size (abfd) > 0
- && sz > (bfd_size_type) bfd_get_file_size (abfd))
- {
- *ptr = NULL;
- return FALSE;
- }
switch (sec->compress_status)
{
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog 2017-09-21 17:42:18.213987332 +0530
+++ git/bfd/ChangeLog 2017-09-21 17:47:03.668256850 +0530
@@ -11,6 +11,16 @@
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
+2017-06-26 H.J. Lu <hongjiu.lu@intel.com>
+
+ PR binutils/21665
+ * compress.c (bfd_get_full_section_contents): Don't check the
+ file size here.
+ * libbfd.c (_bfd_generic_get_section_contents): Check for and
+ reject a section whoes size + offset is greater than the size
+ of the entire file.
+ (_bfd_generic_get_section_contents_in_window): Likewise.
+
2017-06-26 Nick Clifton <nickc@redhat.com>
PR binutils/21665
Reference in New Issue View Git Blame Copy Permalink