Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 1a4b7ee28bf7413af6513fb45ad0d0736048f866^! / . / poky / meta / recipes-devtools / binutils / binutils / CVE-2018-17358.patch
commit1a4b7ee28bf7413af6513fb45ad0d0736048f866[log] [tgz]
authorBrad Bishop <bradleyb@fuzziesquirrel.com>Sun Dec 16 17:11:34 2018 -0800
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Tue Jan 08 18:21:44 2019 -0500
tree79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce
parent5b9ede0403237c7dace972affa65cf64a1aadd0e [diff] [blame]
reset upstream subtrees to yocto 2.6

Reset the following subtrees on thud HEAD:

  poky: 87e3a9739d
  meta-openembedded: 6094ae18c8
  meta-security: 31dc4e7532
  meta-raspberrypi: a48743dc36
  meta-xilinx: c42016e2e6

Also re-apply backports that didn't make it into thud:
  poky:
    17726d0 systemd-systemctl-native: handle Install wildcards

  meta-openembedded:
    4321a5d libtinyxml2: update to 7.0.1
    042f0a3 libcereal: Add native and nativesdk classes
    e23284f libcereal: Allow empty package
    030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
    179a1b9 gtest: update to 1.8.1

Squashed OpenBMC subtree compatibility updates:
  meta-aspeed:
    Brad Bishop (1):
          aspeed: add yocto 2.6 compatibility

  meta-ibm:
    Brad Bishop (1):
          ibm: prepare for yocto 2.6

  meta-ingrasys:
    Brad Bishop (1):
          ingrasys: set layer compatibility to yocto 2.6

  meta-openpower:
    Brad Bishop (1):
          openpower: set layer compatibility to yocto 2.6

  meta-phosphor:
    Brad Bishop (3):
          phosphor: set layer compatibility to thud
          phosphor: libgpg-error: drop patches
          phosphor: react to fitimage artifact rename

    Ed Tanous (4):
          Dropbear: upgrade options for latest upgrade
          yocto2.6: update openssl options
          busybox: remove upstream watchdog patch
          systemd: Rebase CONFIG_CGROUP_BPF patch

Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
new file mode 100644
index 0000000..8135091
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch

@@ -0,0 +1,144 @@
+From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 15:29:17 +0930
+Subject: [PATCH] Bug 23686, two segment faults in nm
+
+Fixes the bugs exposed by the testcases in the PR, plus two more bugs
+I noticed when looking at _bfd_stab_section_find_nearest_line.
+
+	PR 23686
+	* dwarf2.c (read_section): Error when attempting to malloc
+	"(bfd_size_type) -1".
+	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+	function_name.  Bounds check reloc address.  Formatting.  Ensure
+	.stabstr zero terminated.
+CVE: CVE-2018-17358 and CVE-2018-17359
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog |  9 +++++++++
+ bfd/dwarf2.c  |  9 ++++++++-
+ bfd/syms.c    | 22 ++++++++++++++++------
+ 3 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 04c0c2a..fef5479 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,12 @@
++2018-09-20  Alan Modra  <amodra@gmail.com>
++
++	PR 23686
++	* dwarf2.c (read_section): Error when attempting to malloc
++	"(bfd_size_type) -1".
++	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
++	function_name.  Bounds check reloc address.  Formatting.  Ensure
++	.stabstr zero terminated.
++
+ 2018-08-12  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+ 	PR ld/23428
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 3b28855..77a7368 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -527,6 +527,7 @@ read_section (bfd *	      abfd,
+   asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
++  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+@@ -549,7 +550,13 @@ read_section (bfd *	      abfd,
+       *section_size = msec->rawsize ? msec->rawsize : msec->size;
+       /* Paranoia - alloc one extra so that we can make sure a string
+ 	 section is NUL terminated.  */
+-      contents = (bfd_byte *) bfd_malloc (*section_size + 1);
++      amt = *section_size + 1;
++      if (amt == 0)
++	{
++	  bfd_set_error (bfd_error_no_memory);
++	  return FALSE;
++	}
++      contents = (bfd_byte *) bfd_malloc (amt);
+       if (contents == NULL)
+ 	return FALSE;
+       if (syms
+diff --git a/bfd/syms.c b/bfd/syms.c
+index 187071f..e09640a 100644
+--- a/bfd/syms.c
++++ b/bfd/syms.c
+@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 					 0, strsize))
+ 	return FALSE;
+ 
++      /* Stab strings ought to be nul terminated.  Ensure the last one
++	 is, to prevent running off the end of the buffer.  */
++      info->strs[strsize - 1] = 0;
++
+       /* If this is a relocatable object file, we have to relocate
+ 	 the entries in .stab.  This should always be simple 32 bit
+ 	 relocations against symbols defined in this object file, so
+@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 		  || r->howto->bitsize != 32
+ 		  || r->howto->pc_relative
+ 		  || r->howto->bitpos != 0
+-		  || r->howto->dst_mask != 0xffffffff)
++		  || r->howto->dst_mask != 0xffffffff
++		  || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
+ 		{
+ 		  _bfd_error_handler
+ 		    (_("unsupported .stab relocation"));
+@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 		{
+ 		  nul_fun = stab;
+ 		  nul_str = str;
+-		  if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++		  if (file_name >= (char *) info->strs + strsize
++		      || file_name < (char *) str)
+ 		    file_name = NULL;
+ 		  if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
+ 		      && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
+@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 		      directory_name = file_name;
+ 		      file_name = ((char *) str
+ 				   + bfd_get_32 (abfd, stab + STRDXOFF));
+-		      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++		      if (file_name >= (char *) info->strs + strsize
++			  || file_name < (char *) str)
+ 			file_name = NULL;
+ 		    }
+ 		}
+@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 	      file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+ 	      /* PR 17512: file: 0c680a1f.  */
+ 	      /* PR 17512: file: 5da8aec4.  */
+-	      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++	      if (file_name >= (char *) info->strs + strsize
++		  || file_name < (char *) str)
+ 		file_name = NULL;
+ 	      break;
+ 
+@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 	      function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+ 	      if (function_name == (char *) str)
+ 		continue;
+-	      if (function_name >= (char *) info->strs + strsize)
++	      if (function_name >= (char *) info->strs + strsize
++		  || function_name < (char *) str)
+ 		function_name = NULL;
+ 
+ 	      nul_fun = NULL;
+@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+ 	  if (val <= offset)
+ 	    {
+ 	      file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+-	      if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
++	      if (file_name >= (char *) info->strs + strsize
++		  || file_name < (char *) str)
+ 		file_name = NULL;
+ 	      *pline = 0;
+ 	    }
+-- 
+2.9.3