author | Armin Kuster <akuster808@gmail.com> | 2017-11-26 16:29:17 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-12-11 22:02:59 +0000 |
commit | 9d446c19382e23871a098887d181fcb80d775e53 (patch) | |
tree | a9c6562ca1a33b04c45723068f5e6f4b724ef22c | |
parent | 64ccf9b291cd7cf3cf8531b41eb5af373965ced1 (diff) | |
download | poky-9d446c19382e23871a098887d181fcb80d775e53.tar.gz |
binutls: Security fix for CVE-2017-9752
Affects: <= 2.28
(From OE-Core rev: b7bab86b9598ad0fedfcbdafb3d1fc2d522b2b70)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.28.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch | 208 |
2 files changed, 209 insertions, 0 deletions
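--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
 file://CVE-2017-9749.patch \
 file://CVE-2017-9750.patch \
 file://CVE-2017-9751.patch \
+file://CVE-2017-9752.patch \
 "
 S = "${WORKDIR}/git"
 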
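--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,208 @@
+From c53d2e6d744da000aaafe0237bced090aab62818 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 11:27:15 +0100
+Subject: [PATCH] Fix potential address violations when processing a corrupt
+Alpha VMA binary.
+
+PR binutils/21589
+* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+maximum value for the ascic pointer. Check that name processing
+does not read beyond this value.
+(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+end of etir record.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9752
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+bfd/ChangeLog | 9 +++++++++
+bfd/vms-alpha.c | 51 +++++++++++++++++++++++++++++++++++++++++----------
+2 files changed, 50 insertions(+), 10 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -9,6 +9,15 @@
+
+2017-06-14 Nick Clifton <nickc@redhat.com>
+
++ PR binutils/21589
++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
++ maximum value for the ascic pointer. Check that name processing
++ does not read beyond this value.
++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
++ end of etir record.
++
++2017-06-14 Nick Clifton <nickc@redhat.com>
++
+PR binutils/21578
+* elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
+flag value.
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c
++++ git/bfd/vms-alpha.c
+@@ -1456,7 +1456,7 @@ dst_retrieve_location (bfd *abfd, unsign
+/* Write multiple bytes to section image. */
+
+static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
++image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+{
+#if VMS_DEBUG
+_bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1603,14 +1603,16 @@ _bfd_vms_etir_name (int cmd)
+#define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+
+static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
++_bfd_vms_get_value (bfd *abfd,
++ const unsigned char *ascic,
++ const unsigned char *max_ascic,
+struct bfd_link_info *info,
+bfd_vma *vma,
+struct alpha_vms_link_hash_entry **hp)
+{
+char name[257];
+- int len;
+- int i;
++ unsigned int len;
++ unsigned int i;
+struct alpha_vms_link_hash_entry *h;
+
+/* Not linking. Do not try to resolve the symbol. */
+@@ -1622,6 +1624,14 @@ _bfd_vms_get_value (bfd *abfd, const uns
+}
+
+len = *ascic;
++ if (ascic + len >= max_ascic)
++ {
++ _bfd_error_handler (_("Corrupt vms value"));
++ *vma = 0;
++ *hp = NULL;
++ return;
++ }
++
+for (i = 0; i < len; i++)
+name[i] = ascic[i + 1];
+name[i] = 0;
+@@ -1741,6 +1751,15 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+_bfd_hexdump (8, ptr, cmd_length - 4, 0);
+#endif
+
++ /* PR 21589: Check for a corrupt ETIR record. */
++ if (cmd_length < 4)
++ {
++ corrupt_etir:
++ _bfd_error_handler (_("Corrupt ETIR record encountered"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+switch (cmd)
+{
+/* Stack global
+@@ -1748,7 +1767,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+
+stack 32 bit value of symbol (high bits set to 0). */
+case ETIR__C_STA_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+_bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+break;
+
+@@ -1757,6 +1776,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+
+stack 32 bit value, sign extend to 64 bit. */
+case ETIR__C_STA_LW:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+_bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+break;
+
+@@ -1765,6 +1786,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+
+stack 64 bit value of symbol. */
+case ETIR__C_STA_QW:
++ if (ptr + 8 >= maxptr)
++ goto corrupt_etir;
+_bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+break;
+
+@@ -1778,6 +1801,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+{
+int psect;
+
++ if (ptr + 12 >= maxptr)
++ goto corrupt_etir;
+psect = bfd_getl32 (ptr);
+if ((unsigned int) psect >= PRIV (section_count))
+{
+@@ -1867,6 +1892,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+{
+int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+size = bfd_getl32 (ptr);
+_bfd_vms_pop (abfd, &op1, &rel1);
+if (rel1 != RELC_NONE)
+@@ -1879,7 +1906,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+/* Store global: write symbol value
+arg: cs global symbol name. */
+case ETIR__C_STO_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+if (h && h->sym)
+{
+if (h->sym->typ == EGSD__C_SYMG)
+@@ -1901,7 +1928,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+/* Store code address: write address of entry point
+arg: cs global symbol name (procedure). */
+case ETIR__C_STO_CA:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+if (h && h->sym)
+{
+if (h->sym->flags & EGSY__V_NORM)
+@@ -1946,8 +1973,10 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+da data. */
+case ETIR__C_STO_IMM:
+{
+- int size;
++ unsigned int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+size = bfd_getl32 (ptr);
+image_write (abfd, ptr + 4, size);
+}
+@@ -1960,7 +1989,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+store global longword: store 32bit value of symbol
+arg: cs symbol name. */
+case ETIR__C_STO_GBL_LW:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+#if 0
+abort ();
+#endif
+@@ -2013,7 +2042,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+da signature. */
+
+case ETIR__C_STC_LP_PSB:
+- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+if (h && h->sym)
+{
+if (h->sym->typ == EGSD__C_SYMG)
+@@ -2109,6 +2138,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+/* Augment relocation base: increment image location counter by offset
+arg: lw offset value. */
+case ETIR__C_CTL_AUGRB:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+op1 = bfd_getl32 (ptr);
+image_inc_ptr (abfd, op1);
+break;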
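Review bot: In the `ETIR__C_STO_IMM` case the added guard only proves that the 4-byte length field lies inside the record; the `size` read from it is then handed to `image_write (abfd, ptr + 4, size)` without being compared to the bytes remaining before `maxptr`, so as far as the hunk shows a corrupt record can still make the copy read past the end of the ETIR data. A check such as `if (size > (unsigned int) (maxptr - (ptr + 4))) goto corrupt_etir;` right after the `bfd_getl32` call would bound it. Separately, `_bfd_vms_get_value` executes `len = *ascic;` before the new `ascic + len >= max_ascic` test, and the `ETIR__C_STC_LP_PSB` caller passes `ptr + 4` with no visible check against `maxptr`, so the length byte itself may be read out of bounds; testing `ascic >= max_ascic` first would cover that. The `ptr + N >= maxptr` comparisons also form a pointer that can lie beyond the buffer, which is undefined behaviour; `maxptr - ptr <= N` expresses the same test safely, assuming `ptr <= maxptr` is established in the part of `_bfd_vms_slurp_etir` that lies outside these hunks.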