From: Armin Kuster <akuster808@gmail.com>
To: akuster@mvista.com, openembedded-core@lists.openembedded.org
Subject: [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226
Date: Fri, 6 May 2016 00:11:56 -0700 [thread overview]
Message-ID: <1462518717-2629-3-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1462518717-2629-1-git-send-email-akuster808@gmail.com>
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-devtools/gcc/gcc-5.3.inc | 1 +
.../gcc/gcc-5.3/CVE-2016-2226.patch | 103 +++++++++++++++++++++
2 files changed, 104 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
index 692758d..5fede2a 100644
--- a/meta/recipes-devtools/gcc/gcc-5.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
@@ -90,6 +90,7 @@ SRC_URI = "\
file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
file://CVE-2016-4488.patch \
file://CVE-2016-4489.patch \
+ file://CVE-2016-2226.patch \
"
BACKPORTS = ""
diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
new file mode 100644
index 0000000..4decb84
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
@@ -0,0 +1,103 @@
+From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
+From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 8 Apr 2016 12:10:21 +0000
+Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
+ =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ PR c++/69687
+ * cplus-dem.c: Include <limits.h> if available.
+ (INT_MAX): Define if necessary.
+ (remember_type, remember_Ktype, register_Btype, string_need):
+ Abort if we detect cases where we the size of the allocation would
+ overflow.
+
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
+CVE: CVE-2016-2226
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libiberty/ChangeLog | 7 +++++++
+ libiberty/cplus-dem.c | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 8e82a5f..2a34356 100644
+--- a/libiberty/ChangeLog
++++ b/libiberty/ChangeLog
+@@ -1,5 +1,12 @@
+ 2016-04-08 Marcel Böhme <boehme.marcel@gmail.com>
+
++ PR c++/69687
++ * cplus-dem.c: Include <limits.h> if available.
++ (INT_MAX): Define if necessary.
++ (remember_type, remember_Ktype, register_Btype, string_need):
++ Abort if we detect cases where we the size of the allocation would
++ overflow.
++
+ PR c++/70498
+ * cplus-dem.c (gnu_special): Handle case where consume_count returns
+ -1.
+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
+index abba234..7514e57 100644
+--- a/libiberty/cplus-dem.c
++++ b/libiberty/cplus-dem.c
+@@ -56,6 +56,13 @@ void * malloc ();
+ void * realloc ();
+ #endif
+
++#ifdef HAVE_LIMITS_H
++#include <limits.h>
++#endif
++#ifndef INT_MAX
++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* 0x7FFFFFFF */
++#endif
++
+ #include <demangle.h>
+ #undef CURRENT_DEMANGLING_STYLE
+ #define CURRENT_DEMANGLING_STYLE work->options
+@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
+ }
+ else
+ {
++ if (work -> typevec_size > INT_MAX / 2)
++ xmalloc_failed (INT_MAX);
+ work -> typevec_size *= 2;
+ work -> typevec
+ = XRESIZEVEC (char *, work->typevec, work->typevec_size);
+@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
+ }
+ else
+ {
++ if (work -> ksize > INT_MAX / 2)
++ xmalloc_failed (INT_MAX);
+ work -> ksize *= 2;
+ work -> ktypevec
+ = XRESIZEVEC (char *, work->ktypevec, work->ksize);
+@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
+ }
+ else
+ {
++ if (work -> bsize > INT_MAX / 2)
++ xmalloc_failed (INT_MAX);
+ work -> bsize *= 2;
+ work -> btypevec
+ = XRESIZEVEC (char *, work->btypevec, work->bsize);
+@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
+ else if (s->e - s->p < n)
+ {
+ tem = s->p - s->b;
++ if (n > INT_MAX / 2 - tem)
++ xmalloc_failed (INT_MAX);
+ n += tem;
+ n *= 2;
+ s->b = XRESIZEVEC (char, s->b, n);
+--
+2.3.5
+
--
2.3.5
next prev parent reply other threads:[~2016-05-06 7:12 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-06 7:11 [master][krogoth][PATCH 1/4] gcc: Security fix CVE-2016-4488 Armin Kuster
2016-05-06 7:11 ` [master][krogoth][PATCH 2/4] gcc: Security fix CVE-2016-4489 Armin Kuster
2016-05-06 7:11 ` Armin Kuster [this message]
2016-05-13 16:14 ` [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226 akuster808
2016-05-06 7:11 ` [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490 Armin Kuster
2016-05-13 16:16 ` akuster808
2016-05-13 18:07 ` Khem Raj
2016-05-13 20:52 ` akuster808
2016-05-13 21:04 ` Khem Raj
2016-05-14 3:26 ` akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462518717-2629-3-git-send-email-akuster808@gmail.com \
--to=akuster808@gmail.com \
--cc=akuster@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox