diff options
Diffstat (limited to 'external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch')
-rw-r--r-- | external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch new file mode 100644 index 00000000..ff853511 --- /dev/null +++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch @@ -0,0 +1,180 @@ +From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 16 Dec 2018 23:02:50 +1030 +Subject: [PATCH] PR23994, libbfd integer overflow + + PR 23994 + * aoutx.h: Include limits.h. + (get_reloc_upper_bound): Detect long overflow and return a file + too big error if it occurs. + * elf.c: Include limits.h. + (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return + a file too big error if it occurs. + (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise. + (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise. + +CVE: CVE-2018-1000876 +Upstream-Status: Backport +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f] + +Signed-off-by: Dan Tran <dantran@microsoft.com> +--- + bfd/aoutx.h | 40 +++++++++++++++++++++------------------- + bfd/elf.c | 32 ++++++++++++++++++++++++-------- + 2 files changed, 45 insertions(+), 27 deletions(-) + +diff --git a/bfd/aoutx.h b/bfd/aoutx.h +index 023843b0be..78eaa9c503 100644 +--- a/bfd/aoutx.h ++++ b/bfd/aoutx.h +@@ -117,6 +117,7 @@ DESCRIPTION + #define KEEPIT udata.i + + #include "sysdep.h" ++#include <limits.h> + #include "bfd.h" + #include "safe-ctype.h" + #include "bfdlink.h" +@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd, + long + NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) + { ++ bfd_size_type count; ++ + if (bfd_get_format (abfd) != bfd_object) + { + bfd_set_error (bfd_error_invalid_operation); +@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect) + } + + if (asect->flags & SEC_CONSTRUCTOR) +- return sizeof (arelent *) * (asect->reloc_count + 1); +- +- if (asect == obj_datasec (abfd)) +- return sizeof (arelent *) +- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd)) +- + 1); +- +- if (asect == obj_textsec (abfd)) +- return sizeof (arelent *) +- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd)) +- + 1); +- +- if (asect == obj_bsssec (abfd)) +- return sizeof (arelent *); +- +- if (asect == obj_bsssec (abfd)) +- return 0; ++ count = asect->reloc_count; ++ else if (asect == obj_datasec (abfd)) ++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd); ++ else if (asect == obj_textsec (abfd)) ++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd); ++ else if (asect == obj_bsssec (abfd)) ++ count = 0; ++ else ++ { ++ bfd_set_error (bfd_error_invalid_operation); ++ return -1; ++ } + +- bfd_set_error (bfd_error_invalid_operation); +- return -1; ++ if (count >= LONG_MAX / sizeof (arelent *)) ++ { ++ bfd_set_error (bfd_error_file_too_big); ++ return -1; ++ } ++ return (count + 1) * sizeof (arelent *); + } + + long +diff --git a/bfd/elf.c b/bfd/elf.c +index 828241d48a..10037176a3 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -35,6 +35,7 @@ SECTION + /* For sparc64-cross-sparc32. */ + #define _SYSCALL32 + #include "sysdep.h" ++#include <limits.h> + #include "bfd.h" + #include "bfdlink.h" + #include "libbfd.h" +@@ -8114,11 +8115,16 @@ error_return: + long + _bfd_elf_get_symtab_upper_bound (bfd *abfd) + { +- long symcount; ++ bfd_size_type symcount; + long symtab_size; + Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr; + + symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym; ++ if (symcount >= LONG_MAX / sizeof (asymbol *)) ++ { ++ bfd_set_error (bfd_error_file_too_big); ++ return -1; ++ } + symtab_size = (symcount + 1) * (sizeof (asymbol *)); + if (symcount > 0) + symtab_size -= sizeof (asymbol *); +@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd) + long + _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd) + { +- long symcount; ++ bfd_size_type symcount; + long symtab_size; + Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr; + +@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd) + } + + symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym; ++ if (symcount >= LONG_MAX / sizeof (asymbol *)) ++ { ++ bfd_set_error (bfd_error_file_too_big); ++ return -1; ++ } + symtab_size = (symcount + 1) * (sizeof (asymbol *)); + if (symcount > 0) + symtab_size -= sizeof (asymbol *); +@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd, + long + _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd) + { +- long ret; ++ bfd_size_type count; + asection *s; + + if (elf_dynsymtab (abfd) == 0) +@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd) + return -1; + } + +- ret = sizeof (arelent *); ++ count = 1; + for (s = abfd->sections; s != NULL; s = s->next) + if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd) + && (elf_section_data (s)->this_hdr.sh_type == SHT_REL + || elf_section_data (s)->this_hdr.sh_type == SHT_RELA)) +- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize) +- * sizeof (arelent *)); +- +- return ret; ++ { ++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize; ++ if (count > LONG_MAX / sizeof (arelent *)) ++ { ++ bfd_set_error (bfd_error_file_too_big); ++ return -1; ++ } ++ } ++ return count * sizeof (arelent *); + } + + /* Canonicalize the dynamic relocation entries. Note that we return the +-- +2.22.0.vfs.1.1.57.gbaf16c8 + |