[OE-core] [ROCKO][PATCH 26/27] binutls: Security fix for CVE-2017-17122
Armin Kuster
akuster808 at gmail.com
Wed Aug 8 15:35:21 UTC 2018
From: Armin Kuster <akuster at mvista.com>
Affects: <= 2.29.1
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
meta/recipes-devtools/binutils/binutils-2.29.1.inc | 1 +
.../binutils/binutils/CVE-2017-17122.patch | 58 ++++++++++++++++++++++
2 files changed, 59 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index c1d5740..577bbf0 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -62,6 +62,7 @@ SRC_URI = "\
file://CVE-2017-16832.patch \
file://CVE-2017-17080.patch \
file://CVE-2017-17121.patch \
+ file://CVE-2017-17122.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
new file mode 100644
index 0000000..5ae749b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-17122.patch
@@ -0,0 +1,58 @@
+From d785b7d4b877ed465d04072e17ca19d0f47d840f Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Wed, 29 Nov 2017 12:40:43 +0000
+Subject: [PATCH] Stop objdump from attempting to allocate a huge chunk of
+ memory when parsing relocs in a corrupt file.
+
+ PR 22508
+ * objdump.c (dump_relocs_in_section): Also check the section's
+ relocation count to make sure that it is reasonable before
+ attempting to allocate space for the relocs.
+
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-17122
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ binutils/ChangeLog | 7 +++++++
+ binutils/objdump.c | 11 ++++++++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+Index: git/binutils/objdump.c
+===================================================================
+--- git.orig/binutils/objdump.c
++++ git/binutils/objdump.c
+@@ -3381,7 +3381,16 @@ dump_relocs_in_section (bfd *abfd,
+ }
+
+ if ((bfd_get_file_flags (abfd) & (BFD_IN_MEMORY | BFD_LINKER_CREATED)) == 0
+- && (ufile_ptr) relsize > bfd_get_file_size (abfd))
++ && (((ufile_ptr) relsize > bfd_get_file_size (abfd))
++ /* Also check the section's reloc count since if this is negative
++ (or very large) the computation in bfd_get_reloc_upper_bound
++ may have resulted in returning a small, positive integer.
++ See PR 22508 for a reproducer.
++
++ Note - we check against file size rather than section size as
++ it is possible for there to be more relocs that apply to a
++ section than there are bytes in that section. */
++ || (section->reloc_count > bfd_get_file_size (abfd))))
+ {
+ printf (" (too many: 0x%x)\n", section->reloc_count);
+ bfd_set_error (bfd_error_file_truncated);
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-11-29 Nick Clifton <nickc at redhat.com>
++
++ PR 22508
++ * objdump.c (dump_relocs_in_section): Also check the section's
++ relocation count to make sure that it is reasonable before
++ attempting to allocate space for the relocs.
++
+ 2017-11-02 Mingi Cho <mgcho.minic at gmail.com>
+
+ PR 22384
--
2.7.4
More information about the Openembedded-core
mailing list