Richard, please revert
http://cgit.openembedded.org/openembedded-core/commit/?h=master-next&id=709dd94cd2a6011738b4ab10bd09839b07f44eac I sent a v2 of th-s fix. Its missing the gcc-6.1.inc changes to actually apply the patch. - armin On 07/07/2016 07:26 PM, Khem Raj wrote: > On Thu, Jul 7, 2016 at 2:33 PM, Armin Kuster <[email protected]> wrote: >> From: Armin Kuster <[email protected]> >> >> [Yocto #9632] >> >> not in 6.1.1 so back porting. > > 6.2 should be releasing in couple of months time hopefully but until > then we can have this > >> >> Signed-off-by: Armin Kuster <[email protected]> >> --- >> .../gcc/gcc-6.1/CVE-2016-4490.patch | 289 >> +++++++++++++++++++++ >> 1 file changed, 289 insertions(+) >> create mode 100644 meta/recipes-devtools/gcc/gcc-6.1/CVE-2016-4490.patch >> >> diff --git a/meta/recipes-devtools/gcc/gcc-6.1/CVE-2016-4490.patch >> b/meta/recipes-devtools/gcc/gcc-6.1/CVE-2016-4490.patch >> new file mode 100644 >> index 0000000..aaef2be >> --- /dev/null >> +++ b/meta/recipes-devtools/gcc/gcc-6.1/CVE-2016-4490.patch >> @@ -0,0 +1,289 @@ >> +From 7d235b1b5ea35352c54957ef5530d9a02c46962f Mon Sep 17 00:00:00 2001 >> +From: bernds <bernds@138bc75d-0d04-0410-961f-82ee72b054a4> >> +Date: Mon, 2 May 2016 17:06:40 +0000 >> +Subject: [PATCH] =?UTF-8?q?Demangler=20integer=20overflow=20fixes=20from?= >> + =?UTF-8?q?=20Marcel=20B=C3=B6hme.?= >> +MIME-Version: 1.0 >> +Content-Type: text/plain; charset=UTF-8 >> +Content-Transfer-Encoding: 8bit >> + >> + PR c++/70498 >> + * cp-demangle.c: Parse numbers as integer instead of long to avoid >> + overflow after sanity checks. Include <limits.h> if available. >> + (INT_MAX): Define if necessary. >> + (d_make_template_param): Takes integer argument instead of long. >> + (d_make_function_param): Likewise. >> + (d_append_num): Likewise. >> + (d_identifier): Likewise. >> + (d_number): Parse as and return integer. >> + (d_compact_number): Handle overflow. >> + (d_source_name): Change variable type to integer for parsed number. >> + (d_java_resource): Likewise. >> + (d_special_name): Likewise. >> + (d_discriminator): Likewise. >> + (d_unnamed_type): Likewise. >> + * testsuite/demangle-expected: Add regression test cases. >> + >> + >> + >> +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@235767 >> 138bc75d-0d04-0410-961f-82ee72b054a4 >> + >> +Upstream-Status: Backport >> +CVE: CVE-2016-4490 >> + >> +Signed-off-by: Armin Kuster <[email protected]> >> + >> +--- >> + libiberty/ChangeLog | 19 +++++++++++++ >> + libiberty/cp-demangle.c | 52 >> ++++++++++++++++++++--------------- >> + libiberty/testsuite/demangle-expected | 14 ++++++++-- >> + 3 files changed, 61 insertions(+), 24 deletions(-) >> + >> +Index: git/libiberty/ChangeLog >> +=================================================================== >> +--- git.orig/libiberty/ChangeLog >> ++++ git/libiberty/ChangeLog >> +@@ -1,3 +1,22 @@ >> ++2016-05-02 Marcel Böhme <[email protected]> >> ++ >> ++ PR c++/70498 >> ++ * cp-demangle.c: Parse numbers as integer instead of long to avoid >> ++ overflow after sanity checks. Include <limits.h> if available. >> ++ (INT_MAX): Define if necessary. >> ++ (d_make_template_param): Takes integer argument instead of long. >> ++ (d_make_function_param): Likewise. >> ++ (d_append_num): Likewise. >> ++ (d_identifier): Likewise. >> ++ (d_number): Parse as and return integer. >> ++ (d_compact_number): Handle overflow. >> ++ (d_source_name): Change variable type to integer for parsed number. >> ++ (d_java_resource): Likewise. >> ++ (d_special_name): Likewise. >> ++ (d_discriminator): Likewise. >> ++ (d_unnamed_type): Likewise. >> ++ * testsuite/demangle-expected: Add regression test cases. >> ++ >> + 2016-04-27 Release Manager >> + >> + * GCC 6.1.0 released. >> +Index: git/libiberty/cp-demangle.c >> +=================================================================== >> +--- git.orig/libiberty/cp-demangle.c >> ++++ git/libiberty/cp-demangle.c >> +@@ -128,6 +128,13 @@ extern char *alloca (); >> + # endif /* alloca */ >> + #endif /* HAVE_ALLOCA_H */ >> + >> ++#ifdef HAVE_LIMITS_H >> ++#include <limits.h> >> ++#endif >> ++#ifndef INT_MAX >> ++# define INT_MAX (int)(((unsigned int) ~0) >> 1) /* >> 0x7FFFFFFF */ >> ++#endif >> ++ >> + #include "ansidecl.h" >> + #include "libiberty.h" >> + #include "demangle.h" >> +@@ -398,7 +405,7 @@ d_make_dtor (struct d_info *, enum gnu_v >> + struct demangle_component *); >> + >> + static struct demangle_component * >> +-d_make_template_param (struct d_info *, long); >> ++d_make_template_param (struct d_info *, int); >> + >> + static struct demangle_component * >> + d_make_sub (struct d_info *, const char *, int); >> +@@ -421,9 +428,9 @@ static struct demangle_component *d_unqu >> + >> + static struct demangle_component *d_source_name (struct d_info *); >> + >> +-static long d_number (struct d_info *); >> ++static int d_number (struct d_info *); >> + >> +-static struct demangle_component *d_identifier (struct d_info *, long); >> ++static struct demangle_component *d_identifier (struct d_info *, int); >> + >> + static struct demangle_component *d_operator_name (struct d_info *); >> + >> +@@ -1119,7 +1126,7 @@ d_make_dtor (struct d_info *di, enum gnu >> + /* Add a new template parameter. */ >> + >> + static struct demangle_component * >> +-d_make_template_param (struct d_info *di, long i) >> ++d_make_template_param (struct d_info *di, int i) >> + { >> + struct demangle_component *p; >> + >> +@@ -1135,7 +1142,7 @@ d_make_template_param (struct d_info *di >> + /* Add a new function parameter. */ >> + >> + static struct demangle_component * >> +-d_make_function_param (struct d_info *di, long i) >> ++d_make_function_param (struct d_info *di, int i) >> + { >> + struct demangle_component *p; >> + >> +@@ -1620,7 +1627,7 @@ d_unqualified_name (struct d_info *di) >> + static struct demangle_component * >> + d_source_name (struct d_info *di) >> + { >> +- long len; >> ++ int len; >> + struct demangle_component *ret; >> + >> + len = d_number (di); >> +@@ -1633,12 +1640,12 @@ d_source_name (struct d_info *di) >> + >> + /* number ::= [n] <(non-negative decimal integer)> */ >> + >> +-static long >> ++static int >> + d_number (struct d_info *di) >> + { >> + int negative; >> + char peek; >> +- long ret; >> ++ int ret; >> + >> + negative = 0; >> + peek = d_peek_char (di); >> +@@ -1681,7 +1688,7 @@ d_number_component (struct d_info *di) >> + /* identifier ::= <(unqualified source code identifier)> */ >> + >> + static struct demangle_component * >> +-d_identifier (struct d_info *di, long len) >> ++d_identifier (struct d_info *di, int len) >> + { >> + const char *name; >> + >> +@@ -1702,7 +1709,7 @@ d_identifier (struct d_info *di, long le >> + /* Look for something which looks like a gcc encoding of an >> + anonymous namespace, and replace it with a more user friendly >> + name. */ >> +- if (len >= (long) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2 >> ++ if (len >= (int) ANONYMOUS_NAMESPACE_PREFIX_LEN + 2 >> + && memcmp (name, ANONYMOUS_NAMESPACE_PREFIX, >> + ANONYMOUS_NAMESPACE_PREFIX_LEN) == 0) >> + { >> +@@ -1870,7 +1877,7 @@ d_java_resource (struct d_info *di) >> + { >> + struct demangle_component *p = NULL; >> + struct demangle_component *next = NULL; >> +- long len, i; >> ++ int len, i; >> + char c; >> + const char *str; >> + >> +@@ -2012,7 +2019,7 @@ d_special_name (struct d_info *di) >> + case 'C': >> + { >> + struct demangle_component *derived_type; >> +- long offset; >> ++ int offset; >> + struct demangle_component *base_type; >> + >> + derived_type = cplus_demangle_type (di); >> +@@ -2946,10 +2953,10 @@ d_pointer_to_member_type (struct d_info >> + >> + /* <non-negative number> _ */ >> + >> +-static long >> ++static int >> + d_compact_number (struct d_info *di) >> + { >> +- long num; >> ++ int num; >> + if (d_peek_char (di) == '_') >> + num = 0; >> + else if (d_peek_char (di) == 'n') >> +@@ -2957,7 +2964,7 @@ d_compact_number (struct d_info *di) >> + else >> + num = d_number (di) + 1; >> + >> +- if (! d_check_char (di, '_')) >> ++ if (num < 0 || ! d_check_char (di, '_')) >> + return -1; >> + return num; >> + } >> +@@ -2969,7 +2976,7 @@ d_compact_number (struct d_info *di) >> + static struct demangle_component * >> + d_template_param (struct d_info *di) >> + { >> +- long param; >> ++ int param; >> + >> + if (! d_check_char (di, 'T')) >> + return NULL; >> +@@ -3171,9 +3178,10 @@ d_expression_1 (struct d_info *di) >> + } >> + else >> + { >> +- index = d_compact_number (di) + 1; >> +- if (index == 0) >> ++ index = d_compact_number (di); >> ++ if (index == INT_MAX || index == -1) >> + return NULL; >> ++ index ++; >> + } >> + return d_make_function_param (di, index); >> + } >> +@@ -3502,7 +3510,7 @@ d_local_name (struct d_info *di) >> + static int >> + d_discriminator (struct d_info *di) >> + { >> +- long discrim; >> ++ int discrim; >> + >> + if (d_peek_char (di) != '_') >> + return 1; >> +@@ -3558,7 +3566,7 @@ static struct demangle_component * >> + d_unnamed_type (struct d_info *di) >> + { >> + struct demangle_component *ret; >> +- long num; >> ++ int num; >> + >> + if (! d_check_char (di, 'U')) >> + return NULL; >> +@@ -4086,10 +4094,10 @@ d_append_string (struct d_print_info *dp >> + } >> + >> + static inline void >> +-d_append_num (struct d_print_info *dpi, long l) >> ++d_append_num (struct d_print_info *dpi, int l) >> + { >> + char buf[25]; >> +- sprintf (buf,"%ld", l); >> ++ sprintf (buf,"%d", l); >> + d_append_string (dpi, buf); >> + } >> + >> +Index: git/libiberty/testsuite/demangle-expected >> +=================================================================== >> +--- git.orig/libiberty/testsuite/demangle-expected >> ++++ git/libiberty/testsuite/demangle-expected >> +@@ -4422,12 +4422,22 @@ void baz<int>(A<sizeof (foo((int)(), (fl >> + _Z3fooI1FEN1XIXszdtcl1PclcvT__EEE5arrayEE4TypeEv >> + X<sizeof ((P(((F)())())).array)>::Type foo<F>() >> + # >> +-# Tests a use-after-free problem >> ++# Tests a use-after-free problem PR70481 >> + >> + _Q.__0 >> + ::Q.(void) >> + # >> +-# Tests a use-after-free problem >> ++# Tests a use-after-free problem PR70481 >> + >> + _Q10-__9cafebabe. >> + cafebabe.::-(void) >> ++# >> ++# Tests integer overflow problem PR70492 >> ++ >> ++__vt_90000000000cafebabe >> ++__vt_90000000000cafebabe >> ++# >> ++# Tests write access violation PR70498 >> ++ >> ++_Z80800000000000000000000 >> ++_Z80800000000000000000000 >> -- >> 2.3.5 >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> [email protected] >> http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
