Re: [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226

All of lore.kernel.org
 help / color / mirror / Atom feed

From: akuster808 <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: Re: [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226
Date: Fri, 13 May 2016 09:14:14 -0700	[thread overview]
Message-ID: <5735FD56.9080301@gmail.com> (raw)
In-Reply-To: <1462518717-2629-3-git-send-email-akuster808@gmail.com>

this fix is in GCC 6.0


On 05/06/2016 12:11 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
> 
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>  .../gcc/gcc-5.3/CVE-2016-2226.patch                | 103 +++++++++++++++++++++
>  2 files changed, 104 insertions(+)
>  create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> 
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
> index 692758d..5fede2a 100644
> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
> @@ -90,6 +90,7 @@ SRC_URI = "\
>             file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
>             file://CVE-2016-4488.patch \
>             file://CVE-2016-4489.patch \
> +           file://CVE-2016-2226.patch \
>  "
>  
>  BACKPORTS = ""
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> new file mode 100644
> index 0000000..4decb84
> --- /dev/null
> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> @@ -0,0 +1,103 @@
> +From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
> +Date: Fri, 8 Apr 2016 12:10:21 +0000
> +Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
> + =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +	PR c++/69687
> +	* cplus-dem.c: Include <limits.h> if available.
> +	(INT_MAX): Define if necessary.
> +	(remember_type, remember_Ktype, register_Btype, string_need):
> +	Abort if we detect cases where we the size of the allocation would
> +	overflow.
> +
> +
> +
> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
> +Upstream-Status: Backport
> +CVE: CVE-2016-2226
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + libiberty/ChangeLog   |  7 +++++++
> + libiberty/cplus-dem.c | 15 +++++++++++++++
> + 2 files changed, 22 insertions(+)
> +
> +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
> +index 8e82a5f..2a34356 100644
> +--- a/libiberty/ChangeLog
> ++++ b/libiberty/ChangeLog
> +@@ -1,5 +1,12 @@
> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
> + 
> ++	PR c++/69687
> ++	* cplus-dem.c: Include <limits.h> if available.
> ++	(INT_MAX): Define if necessary.
> ++	(remember_type, remember_Ktype, register_Btype, string_need):
> ++	Abort if we detect cases where we the size of the allocation would
> ++	overflow.
> ++
> + 	PR c++/70498
> + 	* cplus-dem.c (gnu_special): Handle case where consume_count returns
> + 	-1.
> +diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
> +index abba234..7514e57 100644
> +--- a/libiberty/cplus-dem.c
> ++++ b/libiberty/cplus-dem.c
> +@@ -56,6 +56,13 @@ void * malloc ();
> + void * realloc ();
> + #endif
> + 
> ++#ifdef HAVE_LIMITS_H
> ++#include <limits.h>
> ++#endif
> ++#ifndef INT_MAX
> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
> ++#endif
> ++
> + #include <demangle.h>
> + #undef CURRENT_DEMANGLING_STYLE
> + #define CURRENT_DEMANGLING_STYLE work->options
> +@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
> + 	}
> +       else
> + 	{
> ++          if (work -> typevec_size > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> typevec_size *= 2;
> + 	  work -> typevec
> + 	    = XRESIZEVEC (char *, work->typevec, work->typevec_size);
> +@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
> + 	}
> +       else
> + 	{
> ++          if (work -> ksize > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> ksize *= 2;
> + 	  work -> ktypevec
> + 	    = XRESIZEVEC (char *, work->ktypevec, work->ksize);
> +@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
> + 	}
> +       else
> + 	{
> ++          if (work -> bsize > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> bsize *= 2;
> + 	  work -> btypevec
> + 	    = XRESIZEVEC (char *, work->btypevec, work->bsize);
> +@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
> +   else if (s->e - s->p < n)
> +     {
> +       tem = s->p - s->b;
> ++      if (n > INT_MAX / 2 - tem)
> ++        xmalloc_failed (INT_MAX); 
> +       n += tem;
> +       n *= 2;
> +       s->b = XRESIZEVEC (char, s->b, n);
> +-- 
> +2.3.5
> +
>

next prev parent reply	other threads:[~2016-05-13 16:14 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-06  7:11 [master][krogoth][PATCH 1/4] gcc: Security fix CVE-2016-4488 Armin Kuster
2016-05-06  7:11 ` [master][krogoth][PATCH 2/4] gcc: Security fix CVE-2016-4489 Armin Kuster
2016-05-06  7:11 ` [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226 Armin Kuster
2016-05-13 16:14   ` akuster808 [this message]
2016-05-06  7:11 ` [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490 Armin Kuster
2016-05-13 16:16   ` akuster808
2016-05-13 18:07     ` Khem Raj
2016-05-13 20:52       ` akuster808
2016-05-13 21:04         ` Khem Raj
2016-05-14  3:26           ` akuster808

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5735FD56.9080301@gmail.com \
    --to=akuster808@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.