[OE-core] [zeus][PATCH] binutils: fix CVE-2019-17451

Trevor Gamblin trevor.gamblin at windriver.com
Fri Oct 25 15:48:08 UTC 2019


On 10/25/19 11:41 AM, Trevor Gamblin wrote:

> Backport upstream fix to zeus.
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> ---
>   .../binutils/binutils-2.32.inc                |  1 +
>   .../binutils/binutils/CVE-2019-17451.patch    | 51 +++++++++++++++++++
>   2 files changed, 52 insertions(+)
>   create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
> index 1e96cf494d..349c3e1154 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
> @@ -50,6 +50,7 @@ SRC_URI = "\
>        file://CVE-2019-14250.patch \
>        file://CVE-2019-14444.patch \
>        file://CVE-2019-17450.patch \
> +     file://CVE-2019-17451.patch \
>   "
>   S  = "${WORKDIR}/git"
>   
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
> new file mode 100644
> index 0000000000..1ae50a8ef4
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
> @@ -0,0 +1,51 @@
> +From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra at gmail.com>
> +Date: Wed, 9 Oct 2019 10:47:13 +1030
> +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
> +
> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
> +file. There are newer versions of binutils, but none of them contain the
> +commit fixing CVE-2019-17450, so backport it to master and zeus.
> +
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
> +CVE: CVE-2019-17451
> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> +
> +
> +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
> +and ffffd5555453b140 result in a total size of 1.  Reading the first
> +section of course overflows the buffer and tramples on other memory.
> +
> +	PR 25070
> +	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
> +	total_size calculation.
> +---
> + bfd/dwarf2.c | 11 ++++++++++-
> + 1 file changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
> +index 0b4e485582..a91597b1d0 100644
> +--- a/bfd/dwarf2.c
> ++++ b/bfd/dwarf2.c
> +@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
> +       for (total_size = 0;
> + 	   msec;
> + 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
> +-	total_size += msec->size;
> ++	{
> ++	  /* Catch PR25070 testcase overflowing size calculation here.  */
> ++	  if (total_size + msec->size < total_size
> ++	      || total_size + msec->size < msec->size)
> ++	    {
> ++	      bfd_set_error (bfd_error_no_memory);
> ++	      return FALSE;
> ++	    }
> ++	  total_size += msec->size;
> ++	}
> +
> +       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
> +       if (stash->info_ptr_memory == NULL)
> +--
> +2.23.0
> +
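Review bot: The backport header is inconsistent about which CVE it addresses: the description says `commit fixing CVE-2019-17450, so backport it to master and zeus.` while the tag two lines below reads `CVE: CVE-2019-17451` and the file is named CVE-2019-17451.patch; the description should name CVE-2019-17451 so the recipe's CVE tracking and the patch text agree. On the code itself, the wrap check `if (total_size + msec->size < total_size || total_size + msec->size < msec->size)` is correct only under unsigned arithmetic, and for unsigned operands the two comparisons are equivalent (a wrapped sum is smaller than both addends), so the second disjunct is redundant but harmless; returning `bfd_error_no_memory` is consistent with the `bfd_malloc (total_size)` NULL path that immediately follows, so callers see the same failure they would on a real allocation failure.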
Patch file references the wrong CVE in the description. Sending a v2.