[OE-core] [ROCKO][PATCH 11/12] Binutils: Security fix for CVE-2018-7569

Armin Kuster akuster808 at gmail.com
Wed Aug 8 21:54:18 UTC 2018 

From: Armin Kuster <akuster at mvista.com>

Affects: <= 2.30

Signed-off-by: Armin Kuster <akuster at mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   1 +
 .../binutils/binutils/CVE-2018-7569.patch          | 120 +++++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ceb8e85..cfde35c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
      file://CVE-2018-7208.patch \
      file://CVE-2018-7568_p1.patch \
      file://CVE-2018-7568_p2.patch \
+     file://CVE-2018-7569.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000..e77118b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,120 @@
+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc at redhat.com>
+Date: Wed, 28 Feb 2018 11:50:49 +0000
+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
+ FORM blocks.
+
+	PR 22895
+	PR 22893
+	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+	pointer.  Drop unused abfd parameter.  Check the size of the block
+	before initialising the data field.  Return the end pointer if the
+	size is invalid.
+	(read_attribute_value): Adjust invocations of read_n_bytes.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-7569
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 15 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -649,14 +649,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+ 
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+-	      bfd_byte *buf,
+-	      bfd_byte *end,
+-	      unsigned int size ATTRIBUTE_UNUSED)
+-{
+-  if (buf + size > end)
+-    return NULL;
+-  return buf;
++read_n_bytes (bfd_byte *           buf,
++	      bfd_byte *           end,
++	      struct dwarf_block * block)
++{
++  unsigned int  size = block->size;
++  bfd_byte *    block_end = buf + size;
++
++  if (block_end > end || block_end < buf)
++    {
++      block->data = NULL;
++      block->size = 0;
++      return end;
++    }
++  else
++    {
++      block->data = buf;
++      return block_end;
++    }
+ }
+ 
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 2;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block4:
+@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 4;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data2:
+@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute *
+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+ 					 FALSE, info_ptr_end);
+       info_ptr += bytes_read;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block1:
+@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+       info_ptr += 1;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data1:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,4 +1,14 @@
+ 2018-02-28  Nick Clifton  <nickc at redhat.com>
++ 
++       PR 22895
++       PR 22893
++       * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
++       pointer.  Drop unused abfd parameter.  Check the size of the block
++       before initialising the data field.  Return the end pointer if the
++       size is invalid.
++       (read_attribute_value): Adjust invocations of read_n_bytes.
++
++2018-02-28  Nick Clifton  <nickc at redhat.com>
+ 
+        PR 22894
+        * dwarf1.c (parse_die): Check the length of form blocks before
-- 
2.7.4

More information about the Openembedded-core mailing list