[OE-core] [SUMO][PATCH 07/12] binutls: Security fix CVE-2018-7569

Armin Kuster akuster808 at gmail.com
Mon Aug 6 14:29:13 UTC 2018 

From: Armin Kuster <akuster at mvista.com>

Affects <= 2.30

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.30.inc   |   1 +
 .../binutils/binutils/CVE-2018-7569.patch          | 119 +++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.30.inc b/meta/recipes-devtools/binutils/binutils-2.30.inc
index 3a39d5f..32eb44e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -41,6 +41,7 @@ SRC_URI = "\
      file://CVE-2018-6759.patch \
      file://CVE-2018-7642.patch \
      file://CVE-2018-7208.patch \
+     file://CVE-2018-7569.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000..96c0fd2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,119 @@
+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Wed, 28 Feb 2018 11:50:49 +0000
+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
+ FORM blocks.
+
+	PR 22895
+	PR 22893
+	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+	pointer.  Drop unused abfd parameter.  Check the size of the block
+	before initialising the data field.  Return the end pointer if the
+	size is invalid.
+	(read_attribute_value): Adjust invocations of read_n_bytes.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7569
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 15 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+ 
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+-	      bfd_byte *buf,
+-	      bfd_byte *end,
+-	      unsigned int size ATTRIBUTE_UNUSED)
+-{
+-  if (buf + size > end)
+-    return NULL;
+-  return buf;
++read_n_bytes (bfd_byte *           buf,
++	      bfd_byte *           end,
++	      struct dwarf_block * block)
++{
++  unsigned int  size = block->size;
++  bfd_byte *    block_end = buf + size;
++
++  if (block_end > end || block_end < buf)
++    {
++      block->data = NULL;
++      block->size = 0;
++      return end;
++    }
++  else
++    {
++      block->data = buf;
++      return block_end;
++    }
+ }
+ 
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 2;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block4:
+@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 4;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data2:
+@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+ 					 FALSE, info_ptr_end);
+       info_ptr += bytes_read;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block1:
+@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+       info_ptr += 1;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data1:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -6,6 +6,14 @@
+ 
+ 2018-02-28  Alan Modra  <amodra at gmail.com>
+ 
++       PR 22895
++       PR 22893
++       * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
++       pointer.  Drop unused abfd parameter.  Check the size of the block
++       before initialising the data field.  Return the end pointer if the
++       size is invalid.
++       (read_attribute_value): Adjust invocations of read_n_bytes.
++
+        PR 22887
+        * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
+ 
-- 
2.7.4

More information about the Openembedded-core mailing list