poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7568.patch - openbmc/openbmc - Gitiles

 From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
 From: Nick Clifton <nickc@redhat.com>
 Date: Wed, 28 Feb 2018 10:13:54 +0000
 Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
  debug information.

 	PR 22894
 	* dwarf1.c (parse_die): Check the length of form blocks before
 	advancing the data pointer.

 Upstream-Status: Backport
 Affects: Binutils <= 2.30
 CVE: CVE-2018-7568
 Signed-off-by: Armin Kuster <akuster@mvista.com>

 ---
  bfd/ChangeLog |  6 ++++++
  bfd/dwarf1.c  | 17 +++++++++++++++--
  2 files changed, 21 insertions(+), 2 deletions(-)

 Index: git/bfd/dwarf1.c
 ===================================================================
 --- git.orig/bfd/dwarf1.c
 +++ git/bfd/dwarf1.c
 @@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,
    /* Then the attributes.  */
    while (xptr + 2 <= aDiePtrEnd)
      {
 +      unsigned int   block_len;
        unsigned short attr;

        /* Parse the attribute based on its form.  This section
 @@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,
  	  break;
  	case FORM_BLOCK2:
  	  if (xptr + 2 <= aDiePtrEnd)
 -	    xptr += bfd_get_16 (abfd, xptr);
 +	    {
 +	      block_len = bfd_get_16 (abfd, xptr);
 +	      if (xptr + block_len > aDiePtrEnd
 +		  || xptr + block_len < xptr)
 +		return FALSE;
 +	      xptr += block_len;
 +	    }
  	  xptr += 2;
  	  break;
  	case FORM_BLOCK4:
  	  if (xptr + 4 <= aDiePtrEnd)
 -	    xptr += bfd_get_32 (abfd, xptr);
 +	    {
 +	      block_len = bfd_get_32 (abfd, xptr);
 +	      if (xptr + block_len > aDiePtrEnd
 +		  || xptr + block_len < xptr)
 +		return FALSE;
 +	      xptr += block_len;
 +	    }
  	  xptr += 4;
  	  break;
  	case FORM_STRING:
 Index: git/bfd/ChangeLog
 ===================================================================
 --- git.orig/bfd/ChangeLog
 +++ git/bfd/ChangeLog
 @@ -4,7 +4,11 @@
         * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
         range before converting to a symbol table pointer.

 -2018-02-28  Alan Modra  <amodra@gmail.com>
 +2018-02-28  Nick Clifton  <nickc@redhat.com>
 +
 +       PR 22894
 +       * dwarf1.c (parse_die): Check the length of form blocks before
 +       advancing the data pointer.

         PR 22895
         PR 22893
 @@ -14,6 +18,8 @@
         size is invalid.
         (read_attribute_value): Adjust invocations of read_n_bytes.

 +2018-02-28  Alan Modra  <amodra@gmail.com>
 +
         PR 22887
         * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
	From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
	From: Nick Clifton <nickc@redhat.com>
	Date: Wed, 28 Feb 2018 10:13:54 +0000
	Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
	debug information.

	PR 22894
	* dwarf1.c (parse_die): Check the length of form blocks before
	advancing the data pointer.

	Upstream-Status: Backport
	Affects: Binutils <= 2.30
	CVE: CVE-2018-7568
	Signed-off-by: Armin Kuster <akuster@mvista.com>

	---
	bfd/ChangeLog \| 6 ++++++
	bfd/dwarf1.c \| 17 +++++++++++++++--
	2 files changed, 21 insertions(+), 2 deletions(-)

	Index: git/bfd/dwarf1.c
	===================================================================
	--- git.orig/bfd/dwarf1.c
	+++ git/bfd/dwarf1.c
	@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
	/* Then the attributes. */
	while (xptr + 2 <= aDiePtrEnd)
	{
	+ unsigned int block_len;
	unsigned short attr;

	/* Parse the attribute based on its form. This section
	@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
	break;
	case FORM_BLOCK2:
	if (xptr + 2 <= aDiePtrEnd)
	- xptr += bfd_get_16 (abfd, xptr);
	+ {
	+ block_len = bfd_get_16 (abfd, xptr);
	+ if (xptr + block_len > aDiePtrEnd
	+ \|\| xptr + block_len < xptr)
	+ return FALSE;
	+ xptr += block_len;
	+ }
	xptr += 2;
	break;
	case FORM_BLOCK4:
	if (xptr + 4 <= aDiePtrEnd)
	- xptr += bfd_get_32 (abfd, xptr);
	+ {
	+ block_len = bfd_get_32 (abfd, xptr);
	+ if (xptr + block_len > aDiePtrEnd
	+ \|\| xptr + block_len < xptr)
	+ return FALSE;
	+ xptr += block_len;
	+ }
	xptr += 4;
	break;
	case FORM_STRING:
	Index: git/bfd/ChangeLog
	===================================================================
	--- git.orig/bfd/ChangeLog
	+++ git/bfd/ChangeLog
	@@ -4,7 +4,11 @@
	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
	range before converting to a symbol table pointer.

	-2018-02-28 Alan Modra <amodra@gmail.com>
	+2018-02-28 Nick Clifton <nickc@redhat.com>
	+
	+ PR 22894
	+ * dwarf1.c (parse_die): Check the length of form blocks before
	+ advancing the data pointer.

	PR 22895
	PR 22893
	@@ -14,6 +18,8 @@
	size is invalid.
	(read_attribute_value): Adjust invocations of read_n_bytes.

	+2018-02-28 Alan Modra <amodra@gmail.com>
	+
	PR 22887
	* aoutx.h (swap_std_reloc_in): Correct r_index bound check.