summaryrefslogtreecommitdiffstats
path: root/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
diff options
context:
space:
mode:
Diffstat (limited to 'external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch')
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch180
1 files changed, 0 insertions, 180 deletions
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
deleted file mode 100644
index ff853511..00000000
--- a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
-From: Alan Modra <amodra@gmail.com>
-Date: Sun, 16 Dec 2018 23:02:50 +1030
-Subject: [PATCH] PR23994, libbfd integer overflow
-
- PR 23994
- * aoutx.h: Include limits.h.
- (get_reloc_upper_bound): Detect long overflow and return a file
- too big error if it occurs.
- * elf.c: Include limits.h.
- (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
- a file too big error if it occurs.
- (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
- (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
-
-CVE: CVE-2018-1000876
-Upstream-Status: Backport
-[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
-
-Signed-off-by: Dan Tran <dantran@microsoft.com>
----
- bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
- bfd/elf.c | 32 ++++++++++++++++++++++++--------
- 2 files changed, 45 insertions(+), 27 deletions(-)
-
-diff --git a/bfd/aoutx.h b/bfd/aoutx.h
-index 023843b0be..78eaa9c503 100644
---- a/bfd/aoutx.h
-+++ b/bfd/aoutx.h
-@@ -117,6 +117,7 @@ DESCRIPTION
- #define KEEPIT udata.i
-
- #include "sysdep.h"
-+#include <limits.h>
- #include "bfd.h"
- #include "safe-ctype.h"
- #include "bfdlink.h"
-@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
- long
- NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
- {
-+ bfd_size_type count;
-+
- if (bfd_get_format (abfd) != bfd_object)
- {
- bfd_set_error (bfd_error_invalid_operation);
-@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
- }
-
- if (asect->flags & SEC_CONSTRUCTOR)
-- return sizeof (arelent *) * (asect->reloc_count + 1);
--
-- if (asect == obj_datasec (abfd))
-- return sizeof (arelent *)
-- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
-- + 1);
--
-- if (asect == obj_textsec (abfd))
-- return sizeof (arelent *)
-- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
-- + 1);
--
-- if (asect == obj_bsssec (abfd))
-- return sizeof (arelent *);
--
-- if (asect == obj_bsssec (abfd))
-- return 0;
-+ count = asect->reloc_count;
-+ else if (asect == obj_datasec (abfd))
-+ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
-+ else if (asect == obj_textsec (abfd))
-+ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
-+ else if (asect == obj_bsssec (abfd))
-+ count = 0;
-+ else
-+ {
-+ bfd_set_error (bfd_error_invalid_operation);
-+ return -1;
-+ }
-
-- bfd_set_error (bfd_error_invalid_operation);
-- return -1;
-+ if (count >= LONG_MAX / sizeof (arelent *))
-+ {
-+ bfd_set_error (bfd_error_file_too_big);
-+ return -1;
-+ }
-+ return (count + 1) * sizeof (arelent *);
- }
-
- long
-diff --git a/bfd/elf.c b/bfd/elf.c
-index 828241d48a..10037176a3 100644
---- a/bfd/elf.c
-+++ b/bfd/elf.c
-@@ -35,6 +35,7 @@ SECTION
- /* For sparc64-cross-sparc32. */
- #define _SYSCALL32
- #include "sysdep.h"
-+#include <limits.h>
- #include "bfd.h"
- #include "bfdlink.h"
- #include "libbfd.h"
-@@ -8114,11 +8115,16 @@ error_return:
- long
- _bfd_elf_get_symtab_upper_bound (bfd *abfd)
- {
-- long symcount;
-+ bfd_size_type symcount;
- long symtab_size;
- Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
-
- symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
-+ if (symcount >= LONG_MAX / sizeof (asymbol *))
-+ {
-+ bfd_set_error (bfd_error_file_too_big);
-+ return -1;
-+ }
- symtab_size = (symcount + 1) * (sizeof (asymbol *));
- if (symcount > 0)
- symtab_size -= sizeof (asymbol *);
-@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
- long
- _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
- {
-- long symcount;
-+ bfd_size_type symcount;
- long symtab_size;
- Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
-
-@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
- }
-
- symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
-+ if (symcount >= LONG_MAX / sizeof (asymbol *))
-+ {
-+ bfd_set_error (bfd_error_file_too_big);
-+ return -1;
-+ }
- symtab_size = (symcount + 1) * (sizeof (asymbol *));
- if (symcount > 0)
- symtab_size -= sizeof (asymbol *);
-@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
- long
- _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
- {
-- long ret;
-+ bfd_size_type count;
- asection *s;
-
- if (elf_dynsymtab (abfd) == 0)
-@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
- return -1;
- }
-
-- ret = sizeof (arelent *);
-+ count = 1;
- for (s = abfd->sections; s != NULL; s = s->next)
- if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
- && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
- || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
-- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
-- * sizeof (arelent *));
--
-- return ret;
-+ {
-+ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
-+ if (count > LONG_MAX / sizeof (arelent *))
-+ {
-+ bfd_set_error (bfd_error_file_too_big);
-+ return -1;
-+ }
-+ }
-+ return count * sizeof (arelent *);
- }
-
- /* Canonicalize the dynamic relocation entries. Note that we return the
---
-2.22.0.vfs.1.1.57.gbaf16c8
-