binutils: fix CVE-2017-7210

CVE: CVE-2017-7210
[BZ 21157] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21157

PR binutils/21157: Fix handling of corrupt STABS enum type strings.

Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 5dca05e898e0c235290bda9e914df38e1b71c1cc..0936d974d4dd0b647212696394bcb88a4d8c401f 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -44,6 +44,7 @@ SRC_URI = "\
      file://CVE-2017-6969.patch \
      file://CVE-2017-6969_2.patch \
      file://CVE-2017-7209.patch \
+     file://CVE-2017-7210.patch \
 "
 S  = "${WORKDIR}/git"
 

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch
new file mode 100644 (file)
index 0000000..211d2bf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-7210.patch
@@ -0,0 +1,71 @@
+From 80958b04c91edcd41c42807225a7ad1b2a4ce0e6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 14 Feb 2017 14:07:29 +0000
+Subject: Fix handling of corrupt STABS enum type strings.
+
+       PR binutils/21157
+       * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
+       pairs.
+       (parse_number): Exit early if passed an empty string.
+
+CVE: CVE-2017-7210
+Upstream-Status: Backport [master]
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  7 +++++++
+ binutils/stabs.c   | 14 +++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index c4d8e60eca..2bae9ec587 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-02-14  Nick Clifton  <nickc@redhat.com>
++
++      PR binutils/21157
++      * stabs.c (parse_stab_enum_type): Check for corrupt NAME:VALUE
++      pairs.
++      (parse_number): Exit early if passed an empty string.
++
+ 2017-02-13  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21135
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index aebde7afe9..c425afe98e 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -232,6 +232,10 @@ parse_number (const char **pp, bfd_boolean *poverflow)
+ 
+   orig = *pp;
+ 
++  /* Stop early if we are passed an empty string.  */
++  if (*orig == 0)
++    return (bfd_vma) 0;
++
+   errno = 0;
+   ul = strtoul (*pp, (char **) pp, 0);
+   if (ul + 1 != 0 || errno == 0)
+@@ -1975,9 +1979,17 @@ parse_stab_enum_type (void *dhandle, const char **pp)
+       bfd_signed_vma val;
+ 
+       p = *pp;
+-      while (*p != ':')
++      while (*p != ':' && *p != 0)
+       ++p;
+ 
++      if (*p == 0)
++      {
++        bad_stab (orig);
++        free (names);
++        free (values);
++        return DEBUG_TYPE_NULL;
++      }
++
+       name = savestring (*pp, p - *pp);
+ 
+       *pp = p + 1;
+-- 
+2.11.0
+