[OE-core] [ROCKO][PATCH 18/27] binutls: Security fix for CVE-2017-16827
Armin Kuster
akuster808 at gmail.com
Wed Aug 8 15:35:13 UTC 2018
From: Armin Kuster <akuster at mvista.com>
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 +
.../binutils/binutils/CVE-2017-16827.patch | 95 ++++++++++++++++++++++
2 files changed, 96 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index d75ec50..7d05046 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -53,6 +53,7 @@ SRC_URI = "\
file://CVE-2017-15939.patch \
file://CVE-2017-15996.patch \
file://CVE-2017-16826.patch \
+ file://CVE-2017-16827.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
new file mode 100644
index 0000000..dbc577c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16827.patch
@@ -0,0 +1,95 @@
+From 0301ce1486b1450f219202677f30d0fa97335419 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra at gmail.com>
+Date: Tue, 17 Oct 2017 16:43:47 +1030
+Subject: [PATCH] PR22306, Invalid free() in slurp_symtab()
+
+ PR 22306
+ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
+ and error for any other size that doesn't cover the header word.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16827
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/aoutx.h | 45 ++++++++++++++++++++++++++++++---------------
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h
++++ git/bfd/aoutx.h
+@@ -1352,27 +1352,42 @@ aout_get_external_symbols (bfd *abfd)
+ || bfd_bread ((void *) string_chars, amt, abfd) != amt)
+ return FALSE;
+ stringsize = GET_WORD (abfd, string_chars);
++ if (stringsize == 0)
++ stringsize = 1;
++ else if (stringsize < BYTES_IN_WORD
++ || (size_t) stringsize != stringsize)
++ {
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
+
+ #ifdef USE_MMAP
+- if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
+- &obj_aout_string_window (abfd), TRUE))
+- return FALSE;
+- strings = (char *) obj_aout_string_window (abfd).data;
+-#else
+- strings = (char *) bfd_malloc (stringsize + 1);
+- if (strings == NULL)
+- return FALSE;
+-
+- /* Skip space for the string count in the buffer for convenience
+- when using indexes. */
+- amt = stringsize - BYTES_IN_WORD;
+- if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
++ if (stringsize >= BYTES_IN_WORD)
+ {
+- free (strings);
+- return FALSE;
++ if (! bfd_get_file_window (abfd, obj_str_filepos (abfd), stringsize,
++ &obj_aout_string_window (abfd), TRUE))
++ return FALSE;
++ strings = (char *) obj_aout_string_window (abfd).data;
+ }
++ else
+ #endif
++ {
++ strings = (char *) bfd_malloc (stringsize);
++ if (strings == NULL)
++ return FALSE;
+
++ if (stringsize >= BYTES_IN_WORD)
++ {
++ /* Keep the string count in the buffer for convenience
++ when indexing with e_strx. */
++ amt = stringsize - BYTES_IN_WORD;
++ if (bfd_bread (strings + BYTES_IN_WORD, amt, abfd) != amt)
++ {
++ free (strings);
++ return FALSE;
++ }
++ }
++ }
+ /* Ensure that a zero index yields an empty string. */
+ strings[0] = '\0';
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2017-10-17 Alan Modra <amodra at gmail.com>
++
++ PR 22306
++ * aoutx.h (aout_get_external_symbols): Handle stringsize of zero,
++ and error for any other size that doesn't cover the header word.
++
+ 2017-11-01 Nick Clifton <nickc at redhat.com>
+
+ PR 22376
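Review bot: In the embedded bfd/aoutx.h change, `stringsize` is still bounded only from below, so `bfd_malloc (stringsize)` in the non-mmap branch allocates whatever the a.out header word claims. A small malformed file can therefore request a very large allocation before the following `bfd_bread` fails; the new checks reject sizes below `BYTES_IN_WORD` and values that do not fit in `size_t`, but nothing compares the size with the bytes actually present in the file. If this binutils branch provides `bfd_get_file_size`, a guard such as `if (filesize != 0 && stringsize > filesize)` feeding the same `bfd_error_bad_value` path would close that gap. The allocation also shrinks from `stringsize + 1` to `stringsize`, and aout_get_external_symbols continues past the end of the hunk, so it is worth confirming that no later statement writes at index `stringsize`.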
--
2.7.4