binutils: CVE-2017-9954

Source: binutils-gdb.git
MR: 73906
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 13858130a02bbe84744fd33ecbf2bbbd2360c09c
Description:

 Fix address violation parsing a corrupt texhex format file.

        PR binutils/21670
        * tekhex.c (getvalue): Check for the source pointer exceeding the
        end pointer before the first byte is read.

Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index f51ca4e897343f1dbe34ddfa798c0ad8a8792d25..fdc1252c23a1a4d5aae68d51b5e4faafffb43b9f 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -90,6 +90,7 @@ SRC_URI = "\
      file://CVE-2017-9755_2.patch \
      file://CVE-2017-9756.patch \
      file://CVE-2017-9745.patch \
+     file://CVE-2017-9954.patch \
 "
 S  = "${WORKDIR}/git"
 

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch
new file mode 100644 (file)
index 0000000..2651572
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9954.patch
@@ -0,0 +1,58 @@
+commit 04e15b4a9462cb1ae819e878a6009829aab8020b
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Jun 26 15:46:34 2017 +0100
+
+    Fix address violation parsing a corrupt texhex format file.
+    
+       PR binutils/21670
+       * tekhex.c (getvalue): Check for the source pointer exceeding the
+       end pointer before the first byte is read.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9954
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/tekhex.c
+===================================================================
+--- git.orig/bfd/tekhex.c      2017-09-21 16:19:42.570877476 +0530
++++ git/bfd/tekhex.c   2017-09-21 16:20:06.878964516 +0530
+@@ -273,6 +273,9 @@
+   bfd_vma value = 0;
+   unsigned int len;
+ 
++  if (src >= endp)
++    return FALSE;
++
+   if (!ISHEX (*src))
+     return FALSE;
+ 
+@@ -514,9 +517,10 @@
+   /* To the front of the file.  */
+   if (bfd_seek (abfd, (file_ptr) 0, SEEK_SET) != 0)
+     return FALSE;
++
+   while (! is_eof)
+     {
+-      char src[MAXCHUNK];
++      static char src[MAXCHUNK];
+       char type;
+ 
+       /* Find first '%'.  */
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog     2017-09-21 16:20:06.822964309 +0530
++++ git/bfd/ChangeLog  2017-09-21 16:22:29.383577439 +0530
+@@ -55,6 +55,12 @@
+        correct magic bytes at the start, set the error to wrong format
+        and clear the format selector before returning NULL.
+ 
++2017-06-26  Nick Clifton  <nickc@redhat.com>
++
++      PR binutils/21670
++      * tekhex.c (getvalue): Check for the source pointer exceeding the
++      end pointer before the first byte is read.
++
+  2017-06-21  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21637