Re: [OE-core] [zeus][PATCH] binutils: fix CVE-2019-17451

Trevor Gamblin Fri, 25 Oct 2019 08:48:29 -0700

On 10/25/19 11:41 AM, Trevor Gamblin wrote:

Backport upstream fix to zeus.


Signed-off-by: Trevor Gamblin <[email protected]>
---
  .../binutils/binutils-2.32.inc                |  1 +
  .../binutils/binutils/CVE-2019-17451.patch    | 51 +++++++++++++++++++
  2 files changed, 52 insertions(+)
  create mode 100644 
meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc 
b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 1e96cf494d..349c3e1154 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
       file://CVE-2019-14250.patch \
       file://CVE-2019-14444.patch \
       file://CVE-2019-17450.patch \
+     file://CVE-2019-17451.patch \
  "
  S  = "${WORKDIR}/git"

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch

new file mode 100644
index 0000000000..1ae50a8ef4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,51 @@
+From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
+From: Alan Modra <[email protected]>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17450, so backport it to master and zeus.
+
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
+CVE: CVE-2019-17451
+Signed-off-by: Trevor Gamblin <[email protected]>
+
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+       PR 25070
+       * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+       total_size calculation.
+---
+ bfd/dwarf2.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..a91597b1d0 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+          msec;
+          msec = find_debug_info (debug_bfd, debug_sections, msec))
+-      total_size += msec->size;
++      {
++        /* Catch PR25070 testcase overflowing size calculation here.  */
++        if (total_size + msec->size < total_size
++            || total_size + msec->size < msec->size)
++          {
++            bfd_set_error (bfd_error_no_memory);
++            return FALSE;
++          }
++        total_size += msec->size;
++      }
+
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
+--
+2.23.0
+

Patch file references the wrong CVE in the description. Sending a v2..
--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: [OE-core] [zeus][PATCH] binutils: fix CVE-2019-17451

Reply via email to