binutils: CVE-2017-7301
authorThiruvadi Rajaraman <trajaraman@mvista.com>
Mon, 4 Sep 2017 11:04:32 +0000 (16:34 +0530)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Sun, 7 Jan 2018 17:09:45 +0000 (17:09 +0000)
Source: git://sourceware.org/git/binutils-gdb.git
MR: 74231
Type: Security Fix
Disposition: Backport from binutils-2_28-branch
ChangeID: 1fbae9f71e3ad90f930f8b25d550de964e05c259
Description:

   Fix seg-fault in linker parsing a corrupt input file.

        PR ld/20924
        (aout_link_add_symbols): Fix off by one error checking for
        overflow of string offset.

Affects: <= 2.28

Author: Nick Clifton <nickc@redhat.com>
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta/recipes-devtools/binutils/binutils-2.27.inc
meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch [new file with mode: 0644]

index 54cdcc7bb5668dae6139b628c37b3109299bb641..59e46b8bf47d7ff34fea17155a85a06a079cac80 100644 (file)
@@ -63,6 +63,7 @@ SRC_URI = "\
      file://CVE-2017-7224.patch \
      file://CVE-2017-7225.patch \
      file://CVE-2017-7227.patch \
+     file://CVE-2017-7301.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-7301.patch
new file mode 100644 (file)
index 0000000..36b4259
--- /dev/null
@@ -0,0 +1,52 @@
+commit daae68f4f372e0618d6b9c64ec0f1f74eae6ab3d
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Mon Dec 5 12:25:34 2016 +0000
+
+    Fix seg-fault in linker parsing a corrupt input file.
+    
+        PR ld/20924
+        (aout_link_add_symbols): Fix off by one error checking for
+        overflow of string offset.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-7301
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog     2017-09-04 15:42:15.244812577 +0530
++++ git/bfd/ChangeLog  2017-09-04 15:51:36.573466525 +0530
+@@ -120,6 +120,10 @@
+        * peicode.h (pe_ILF_object_p): Use strnlen to avoid running over
+        the end of the string buffer.
++       PR ld/20924
++       (aout_link_add_symbols): Fix off by one error checking for
++       overflow of string offset.
++
+ 2016-12-01  Nick Clifton  <nickc@redhat.com>
+        PR binutils/20891
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h       2017-09-04 15:42:15.244812577 +0530
++++ git/bfd/aoutx.h    2017-09-04 15:49:36.500479341 +0530
+@@ -3091,7 +3091,7 @@
+         BFD_ASSERT (p + 1 < pend);
+         ++p;
+         /* PR 19629: Corrupt binaries can contain illegal string offsets.  */
+-        if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
++        if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
+           return FALSE;
+         string = strings + GET_WORD (abfd, p->e_strx);
+         section = bfd_ind_section_ptr;
+@@ -3127,7 +3127,7 @@
+         ++p;
+         string = name;
+         /* PR 19629: Corrupt binaries can contain illegal string offsets.  */
+-        if (GET_WORD (abfd, p->e_strx) > obj_aout_external_string_size (abfd))
++        if (GET_WORD (abfd, p->e_strx) >= obj_aout_external_string_size (abfd))
+           return FALSE;
+         name = strings + GET_WORD (abfd, p->e_strx);
+         section = bfd_und_section_ptr;
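Review bot: In the first aoutx.h hunk of the embedded patch, the only guard before `++p` is `BFD_ASSERT (p + 1 < pend);`, and BFD_ASSERT, as far as I know, reports the failure and continues rather than aborting, so a corrupt input whose indirect symbol is the last entry would still have `p->e_strx` read from beyond the symbol array before the corrected `>=` test runs. A hard check in the style of the surrounding code, `if (p + 1 >= pend) return FALSE;`, would close that path, and if upstream carries a later fix for it, backporting that alongside this patch is preferable to a local change. The second hunk starts at `++p;`, so whether it is preceded by the same assert is not visible here and should be checked in the 2.27 source. The `>=` comparison only proves that the offset lies inside the string table, not that the string is NUL-terminated before the table ends, so it is worth confirming that the table loader in this version guarantees a trailing NUL. aout_link_add_symbols starts and ends outside both hunks.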