diff options
author | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
---|---|---|
committer | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
commit | 5b80bfd7bffd4c20d80b7c70a7130529e9a755dd (patch) | |
tree | b4bb18dcd1487dbf1ea8127e5671b7bb2eded033 /external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch | |
parent | 706ad73eb02caf8532deaf5d38995bd258725cb8 (diff) |
agl-basesystem
Diffstat (limited to 'external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch')
-rw-r--r-- | external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch new file mode 100644 index 00000000..d5a1ea1d --- /dev/null +++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch @@ -0,0 +1,121 @@ +From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 20 Sep 2018 15:29:17 +0930 +Subject: [PATCH] Bug 23686, two segment faults in nm + +Fixes the bugs exposed by the testcases in the PR, plus two more bugs +I noticed when looking at _bfd_stab_section_find_nearest_line. + + PR 23686 + * dwarf2.c (read_section): Error when attempting to malloc + "(bfd_size_type) -1". + * syms.c (_bfd_stab_section_find_nearest_line): Bounds check + function_name. Bounds check reloc address. Formatting. Ensure + .stabstr zero terminated. +CVE: CVE-2018-17358 and CVE-2018-17359 +Upstream-Status: Backport +Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> +--- + bfd/ChangeLog | 9 +++++++++ + bfd/dwarf2.c | 9 ++++++++- + bfd/syms.c | 22 ++++++++++++++++------ + 3 files changed, 33 insertions(+), 7 deletions(-) + +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -527,6 +527,7 @@ read_section (bfd * abfd, + asection *msec; + const char *section_name = sec->uncompressed_name; + bfd_byte *contents = *section_buffer; ++ bfd_size_type amt; + + /* The section may have already been read. */ + if (contents == NULL) +@@ -549,7 +550,13 @@ read_section (bfd * abfd, + *section_size = msec->rawsize ? msec->rawsize : msec->size; + /* Paranoia - alloc one extra so that we can make sure a string + section is NUL terminated. */ +- contents = (bfd_byte *) bfd_malloc (*section_size + 1); ++ amt = *section_size + 1; ++ if (amt == 0) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return FALSE; ++ } ++ contents = (bfd_byte *) bfd_malloc (amt); + if (contents == NULL) + return FALSE; + if (syms +--- a/bfd/syms.c ++++ b/bfd/syms.c +@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd + 0, strsize)) + return FALSE; + ++ /* Stab strings ought to be nul terminated. Ensure the last one ++ is, to prevent running off the end of the buffer. */ ++ info->strs[strsize - 1] = 0; ++ + /* If this is a relocatable object file, we have to relocate + the entries in .stab. This should always be simple 32 bit + relocations against symbols defined in this object file, so +@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd + || r->howto->bitsize != 32 + || r->howto->pc_relative + || r->howto->bitpos != 0 +- || r->howto->dst_mask != 0xffffffff) ++ || r->howto->dst_mask != 0xffffffff ++ || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize) + { + _bfd_error_handler + (_("unsupported .stab relocation")); +@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd + { + nul_fun = stab; + nul_str = str; +- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) ++ if (file_name >= (char *) info->strs + strsize ++ || file_name < (char *) str) + file_name = NULL; + if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize + && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO) +@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd + directory_name = file_name; + file_name = ((char *) str + + bfd_get_32 (abfd, stab + STRDXOFF)); +- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) ++ if (file_name >= (char *) info->strs + strsize ++ || file_name < (char *) str) + file_name = NULL; + } + } +@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd + file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); + /* PR 17512: file: 0c680a1f. */ + /* PR 17512: file: 5da8aec4. */ +- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) ++ if (file_name >= (char *) info->strs + strsize ++ || file_name < (char *) str) + file_name = NULL; + break; + +@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd + function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); + if (function_name == (char *) str) + continue; +- if (function_name >= (char *) info->strs + strsize) ++ if (function_name >= (char *) info->strs + strsize ++ || function_name < (char *) str) + function_name = NULL; + + nul_fun = NULL; +@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd + if (val <= offset) + { + file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); +- if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) ++ if (file_name >= (char *) info->strs + strsize ++ || file_name < (char *) str) + file_name = NULL; + *pline = 0; + } |