summaryrefslogtreecommitdiff
path: root/system/binutils/CVE-2018-19932.patch
diff options
context:
space:
mode:
authorA. Wilcox <AWilcox@Wilcox-Tech.com>2018-12-08 18:46:12 +0000
committerA. Wilcox <AWilcox@Wilcox-Tech.com>2018-12-08 18:46:12 +0000
commit33c8b06837879978fece3749280c6bb7613e4de3 (patch)
tree1eb4b8c4d60e350fdee62ec474ad965e869a65d8 /system/binutils/CVE-2018-19932.patch
parent791c07e0235932c246b15902c47cd459fc652718 (diff)
downloadpackages-33c8b06837879978fece3749280c6bb7613e4de3.tar.gz
packages-33c8b06837879978fece3749280c6bb7613e4de3.tar.bz2
packages-33c8b06837879978fece3749280c6bb7613e4de3.tar.xz
packages-33c8b06837879978fece3749280c6bb7613e4de3.zip
system/binutils: fix CVE-2018-19931 and CVE-2018-19932
Diffstat (limited to 'system/binutils/CVE-2018-19932.patch')
-rw-r--r--system/binutils/CVE-2018-19932.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/system/binutils/CVE-2018-19932.patch b/system/binutils/CVE-2018-19932.patch
new file mode 100644
index 000000000..383aae70f
--- /dev/null
+++ b/system/binutils/CVE-2018-19932.patch
@@ -0,0 +1,47 @@
+From beab453223769279cc1cef68a1622ab8978641f7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 30 Nov 2018 11:43:12 +0000
+Subject: [PATCH] Remove an abort in the bfd library and add a check for an
+ integer overflow when mapping sections to segments.
+
+ PR 23932
+ * elf.c (IS_CONTAINED_BY_LMA): Add a check for a negative section
+ size.
+ (rewrite_elf_program_header): If no sections are mapped into a
+ segment return an error.
+---
+ bfd/elf.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 604971d..79a76be 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -6644,6 +6644,7 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ the given segment. LMA addresses are compared. */
+ #define IS_CONTAINED_BY_LMA(section, segment, base) \
+ (section->lma >= base \
++ && (section->lma + SECTION_SIZE (section, segment) >= section->lma) \
+ && (section->lma + SECTION_SIZE (section, segment) \
+ <= SEGMENT_END (segment, base)))
+
+@@ -7167,7 +7168,15 @@ rewrite_elf_program_header (bfd *ibfd, bfd *obfd)
+ suggested_lma = output_section;
+ }
+
+- BFD_ASSERT (map->count > 0);
++ /* PR 23932. A corrupt input file may contain sections that cannot
++ be assigned to any segment - because for example they have a
++ negative size - or segments that do not contain any sections. */
++ if (map->count == 0)
++ {
++ bfd_set_error (bfd_error_bad_value);
++ free (sections);
++ return FALSE;
++ }
+
+ /* Add the current segment to the list of built segments. */
+ *pointer_to_map = map;
+--
+2.9.3
+