diff options
Diffstat (limited to 'poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch')
-rw-r--r-- | poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch | 108 |
1 files changed, 0 insertions, 108 deletions
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch deleted file mode 100644 index fff497942..000000000 --- a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001 -From: Nick Clifton <nickc@redhat.com> -Date: Tue, 6 Feb 2018 15:48:29 +0000 -Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by - chacking the size of debuglink sections. - - PR 22794 - * opncls.c (bfd_get_debug_link_info_1): Check the size of the - section before attempting to read it in. - (bfd_get_alt_debug_link_info): Likewise. - -Upstream-Status: Backport -Affects: Binutils <= 2.30 -CVE: CVE-2018-6759 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - bfd/ChangeLog | 7 +++++++ - bfd/opncls.c | 22 +++++++++++++++++----- - 2 files changed, 24 insertions(+), 5 deletions(-) - -Index: git/bfd/opncls.c -=================================================================== ---- git.orig/bfd/opncls.c -+++ git/bfd/opncls.c -@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo - bfd_byte *contents; - unsigned int crc_offset; - char *name; -+ bfd_size_type size; - - BFD_ASSERT (abfd); - BFD_ASSERT (crc32_out); -@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo - if (sect == NULL) - return NULL; - -+ size = bfd_get_section_size (sect); -+ -+ /* PR 22794: Make sure that the section has a reasonable size. */ -+ if (size < 8 || size >= bfd_get_size (abfd)) -+ return NULL; -+ - if (!bfd_malloc_and_get_section (abfd, sect, &contents)) - { - if (contents != NULL) -@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo - - /* CRC value is stored after the filename, aligned up to 4 bytes. */ - name = (char *) contents; -- /* PR 17597: avoid reading off the end of the buffer. */ -- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1; -+ /* PR 17597: Avoid reading off the end of the buffer. */ -+ crc_offset = strnlen (name, size) + 1; - crc_offset = (crc_offset + 3) & ~3; -- if (crc_offset + 4 > bfd_get_section_size (sect)) -+ if (crc_offset + 4 > size) - return NULL; - - *crc32 = bfd_get_32 (abfd, contents + crc_offset); -@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, - bfd_byte *contents; - unsigned int buildid_offset; - char *name; -+ bfd_size_type size; - - BFD_ASSERT (abfd); - BFD_ASSERT (buildid_len); -@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, - if (sect == NULL) - return NULL; - -+ size = bfd_get_section_size (sect); -+ if (size < 8 || size >= bfd_get_size (abfd)) -+ return NULL; -+ - if (!bfd_malloc_and_get_section (abfd, sect, & contents)) - { - if (contents != NULL) -@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, - - /* BuildID value is stored after the filename. */ - name = (char *) contents; -- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1; -+ buildid_offset = strnlen (name, size) + 1; - if (buildid_offset >= bfd_get_section_size (sect)) - return NULL; - -- *buildid_len = bfd_get_section_size (sect) - buildid_offset; -+ *buildid_len = size - buildid_offset; - *buildid_out = bfd_malloc (*buildid_len); - memcpy (*buildid_out, contents + buildid_offset, *buildid_len); - -Index: git/bfd/ChangeLog -=================================================================== ---- git.orig/bfd/ChangeLog -+++ git/bfd/ChangeLog -@@ -1,3 +1,10 @@ -+2018-02-06 Nick Clifton <nickc@redhat.com> -+ -+ PR 22794 -+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the -+ section before attempting to read it in. -+ (bfd_get_alt_debug_link_info): Likewise. -+ - 2018-02-09 Nick Clifton <nickc@redhat.com> - - Import patch from mainline: |