Re: [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: akuster808 <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: Re: [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226
Date: Fri, 13 May 2016 09:14:14 -0700	[thread overview]
Message-ID: <5735FD56.9080301@gmail.com> (raw)
In-Reply-To: <1462518717-2629-3-git-send-email-akuster808@gmail.com>

this fix is in GCC 6.0


On 05/06/2016 12:11 AM, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
> 
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
>  meta/recipes-devtools/gcc/gcc-5.3.inc              |   1 +
>  .../gcc/gcc-5.3/CVE-2016-2226.patch                | 103 +++++++++++++++++++++
>  2 files changed, 104 insertions(+)
>  create mode 100644 meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> 
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3.inc b/meta/recipes-devtools/gcc/gcc-5.3.inc
> index 692758d..5fede2a 100644
> --- a/meta/recipes-devtools/gcc/gcc-5.3.inc
> +++ b/meta/recipes-devtools/gcc/gcc-5.3.inc
> @@ -90,6 +90,7 @@ SRC_URI = "\
>             file://0058-fdebug-prefix-map-support-to-remap-relative-path.patch \
>             file://CVE-2016-4488.patch \
>             file://CVE-2016-4489.patch \
> +           file://CVE-2016-2226.patch \
>  "
>  
>  BACKPORTS = ""
> diff --git a/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> new file mode 100644
> index 0000000..4decb84
> --- /dev/null
> +++ b/meta/recipes-devtools/gcc/gcc-5.3/CVE-2016-2226.patch
> @@ -0,0 +1,103 @@
> +From b8106f544a7fd485b6959ebd197bdd99a8884416 Mon Sep 17 00:00:00 2001
> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4>
> +Date: Fri, 8 Apr 2016 12:10:21 +0000
> +Subject: [PATCH] =?UTF-8?q?Fix=20memory=20allocation=20size=20overflows=20?=
> + =?UTF-8?q?(PR69687,=20patch=20by=20Marcel=20B=C3=B6hme)?=
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +	PR c++/69687
> +	* cplus-dem.c: Include <limits.h> if available.
> +	(INT_MAX): Define if necessary.
> +	(remember_type, remember_Ktype, register_Btype, string_need):
> +	Abort if we detect cases where we the size of the allocation would
> +	overflow.
> +
> +
> +
> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@234829 138bc75d-0d04-0410-961f-82ee72b054a4
> +Upstream-Status: Backport
> +CVE: CVE-2016-2226
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + libiberty/ChangeLog   |  7 +++++++
> + libiberty/cplus-dem.c | 15 +++++++++++++++
> + 2 files changed, 22 insertions(+)
> +
> +diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
> +index 8e82a5f..2a34356 100644
> +--- a/libiberty/ChangeLog
> ++++ b/libiberty/ChangeLog
> +@@ -1,5 +1,12 @@
> + 2016-04-08  Marcel Böhme  <boehme.marcel@gmail.com>
> + 
> ++	PR c++/69687
> ++	* cplus-dem.c: Include <limits.h> if available.
> ++	(INT_MAX): Define if necessary.
> ++	(remember_type, remember_Ktype, register_Btype, string_need):
> ++	Abort if we detect cases where we the size of the allocation would
> ++	overflow.
> ++
> + 	PR c++/70498
> + 	* cplus-dem.c (gnu_special): Handle case where consume_count returns
> + 	-1.
> +diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
> +index abba234..7514e57 100644
> +--- a/libiberty/cplus-dem.c
> ++++ b/libiberty/cplus-dem.c
> +@@ -56,6 +56,13 @@ void * malloc ();
> + void * realloc ();
> + #endif
> + 
> ++#ifdef HAVE_LIMITS_H
> ++#include <limits.h>
> ++#endif
> ++#ifndef INT_MAX
> ++# define INT_MAX       (int)(((unsigned int) ~0) >> 1)          /* 0x7FFFFFFF */ 
> ++#endif
> ++
> + #include <demangle.h>
> + #undef CURRENT_DEMANGLING_STYLE
> + #define CURRENT_DEMANGLING_STYLE work->options
> +@@ -4261,6 +4268,8 @@ remember_type (struct work_stuff *work, const char *start, int len)
> + 	}
> +       else
> + 	{
> ++          if (work -> typevec_size > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> typevec_size *= 2;
> + 	  work -> typevec
> + 	    = XRESIZEVEC (char *, work->typevec, work->typevec_size);
> +@@ -4288,6 +4297,8 @@ remember_Ktype (struct work_stuff *work, const char *start, int len)
> + 	}
> +       else
> + 	{
> ++          if (work -> ksize > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> ksize *= 2;
> + 	  work -> ktypevec
> + 	    = XRESIZEVEC (char *, work->ktypevec, work->ksize);
> +@@ -4317,6 +4328,8 @@ register_Btype (struct work_stuff *work)
> + 	}
> +       else
> + 	{
> ++          if (work -> bsize > INT_MAX / 2)
> ++	    xmalloc_failed (INT_MAX);
> + 	  work -> bsize *= 2;
> + 	  work -> btypevec
> + 	    = XRESIZEVEC (char *, work->btypevec, work->bsize);
> +@@ -4771,6 +4784,8 @@ string_need (string *s, int n)
> +   else if (s->e - s->p < n)
> +     {
> +       tem = s->p - s->b;
> ++      if (n > INT_MAX / 2 - tem)
> ++        xmalloc_failed (INT_MAX); 
> +       n += tem;
> +       n *= 2;
> +       s->b = XRESIZEVEC (char, s->b, n);
> +-- 
> +2.3.5
> +
>

next prev parent reply	other threads:[~2016-05-13 16:14 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-05-06  7:11 [master][krogoth][PATCH 1/4] gcc: Security fix CVE-2016-4488 Armin Kuster
2016-05-06  7:11 ` [master][krogoth][PATCH 2/4] gcc: Security fix CVE-2016-4489 Armin Kuster
2016-05-06  7:11 ` [master][krogoth][PATCH 3/4] gcc: Security fix CVE-2016-2226 Armin Kuster
2016-05-13 16:14   ` akuster808 [this message]
2016-05-06  7:11 ` [master][krogoth][PATCH 4/4] gcc: Security fix CVE-2016-4490 Armin Kuster
2016-05-13 16:16   ` akuster808
2016-05-13 18:07     ` Khem Raj
2016-05-13 20:52       ` akuster808
2016-05-13 21:04         ` Khem Raj
2016-05-14  3:26           ` akuster808

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5735FD56.9080301@gmail.com \
    --to=akuster808@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox