author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-08-30 17:54:52 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-07 17:10:07 +0000 |
commit | 1ffd39135ac29b976cb86d30a0e640e782a6cbe9 (patch) | |
tree | 02c8fdf27a606327dbb6efd29ea9e6a53785a857 | |
parent | 7963e14e406ce4bb596d1928e5623a7a0911837e (diff) | |
download | poky-1ffd39135ac29b976cb86d30a0e640e782a6cbe9.tar.gz |
binutils: CVE-2017-12449, CVE-2017_12455, CVE-2017-12457, CVE-2017-12458, CVE-2017-12459
Source: git://sourceware.org/git/binutils-gdb.git
MR: 73867, 73788, 73762, 73749, 73734
Type: Security Fix
Disposition: Backport from binutils-2_29-branch
ChangeID: 29a1fd75a879d40560b3891305b7d9577e26ffe5
Description:
Fix address violation issues encountered when parsing corrupt binaries.
PR 21840
* mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
size is -1.
* nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
with error return.
* section.c (bfd_make_section_with_flags): Fail if the name or bfd
are NULL.
* vms-alpha.c (bfd_make_section_with_flags): Correct computation
of end pointer.
(evax_bfd_print_emh): Check for invalid string lengths.
Fix address violations when reading corrupt VMS records.
PR binutils/21618
* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
length.
(evax_bfd_print_eeom): Likewise.
(evax_bfd_print_egsd): Check for an overlarge record length.
(evax_bfd_print_etir): Likewise.
Affects: <= 2.29
(From OE-Core rev: 62c4dc16dd8fe99cba970c5e7d8dfc063855d4b9)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 339 insertions, 0 deletions
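--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
 file://CVE-2017-9041_2.patch \
 file://CVE-2017-7226.patch \
 file://CVE-2017-12448.patch \
+file://CVE-2017-12449_12455_12457_1.patch \
+file://CVE-2017-12449_12455_12457.patch \
 "
 S = "${WORKDIR}/git"
 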
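Review bot: The two SRC_URI entries added here are named for CVE-2017-12449, 12455 and 12457 only, while the commit subject also claims CVE-2017-12458 and CVE-2017-12459, and the `CVE:` tag inside both patch files is written as the joined string `CVE-2017-12449_12455_12457`. Tooling or auditors that match full CVE identifiers in patch headers will probably recognise at most the first ID, so the remaining fixes can be reported as unpatched. Spell each identifier out in the tag of the patch that actually carries its fix, in the form `CVE: CVE-2017-12449 CVE-2017-12455 CVE-2017-12457`, and add 12458 and 12459 to whichever patch addresses them. The `_1` patch is correctly listed first, because the vms-alpha.c context of the second patch already contains the EMH length check that `_1` introduces.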
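--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457.patch
@@ -0,0 +1,240 @@
+commit 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc
+Author: Nick Clifton <nickc@redhat.com>
+Date: Thu Jul 27 12:04:50 2017 +0100
+
+Fix address violation issues encountered when parsing corrupt binaries.
+
+PR 21840
+* mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+size is -1.
+* nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+with error return.
+* section.c (bfd_make_section_with_flags): Fail if the name or bfd
+are NULL.
+* vms-alpha.c (bfd_make_section_with_flags): Correct computation
+of end pointer.
+(evax_bfd_print_emh): Check for invalid string lengths.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/mach-o.c
+===================================================================
+--- git.orig/bfd/mach-o.c 2017-08-30 17:21:59.684671218 +0530
++++ git/bfd/mach-o.c 2017-08-30 17:22:19.136813620 +0530
+@@ -3739,6 +3739,9 @@
+}
+else
+{
++ /* See PR 21840 for a reproducer. */
++ if ((sym->strsize + 1) == 0)
++ return FALSE;
+sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
+if (sym->strtab == NULL)
+return FALSE;
+Index: git/bfd/nlmcode.h
+===================================================================
+--- git.orig/bfd/nlmcode.h 2017-08-30 17:21:59.688671247 +0530
++++ git/bfd/nlmcode.h 2017-08-30 17:22:19.140813649 +0530
+@@ -351,7 +351,9 @@
+bfd_byte *contents;
+bfd_byte *p, *pend;
+
+- BFD_ASSERT (hdrLength == 0 && hdr == NULL);
++ /* See PR 21840 for a reproducer. */
++ if (hdrLength != 0 || hdr != NULL)
++ return FALSE;
+
+pos = bfd_tell (abfd);
+if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
+Index: git/bfd/section.c
+===================================================================
+--- git.orig/bfd/section.c 2017-08-30 17:21:59.708671392 +0530
++++ git/bfd/section.c 2017-08-30 17:22:19.140813649 +0530
+@@ -1240,7 +1240,7 @@
+struct section_hash_entry *sh;
+asection *newsect;
+
+- if (abfd->output_has_begun)
++ if (abfd == NULL || name == NULL || abfd->output_has_begun)
+{
+bfd_set_error (bfd_error_invalid_operation);
+return NULL;
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:22:19.080813209 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:22:19.140813649 +0530
+@@ -5562,8 +5562,9 @@
+{
+struct vms_emh_common *emh = (struct vms_emh_common *)rec;
+unsigned int subtype;
++ int extra;
+
+- subtype = (unsigned)bfd_getl16 (emh->subtyp);
++ subtype = (unsigned) bfd_getl16 (emh->subtyp);
+
+fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
+@@ -5573,58 +5574,82 @@
+fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
+return;
+}
+-
++ extra = rec_len - sizeof (struct vms_emh_common);
++
+switch (subtype)
+{
+case EMH__C_MHD:
+{
+- struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
+- const char *name;
++ struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
++ const char * name;
++ const char * nextname;
++ const char * maxname;
+
++ /* PR 21840: Check for invalid lengths. */
++ if (rec_len < sizeof (* mhd))
++ {
++ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
++ return;
++ }
+fprintf (file, _("Module header\n"));
+fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
+fprintf (file, _(" max record size: %u\n"),
+- (unsigned)bfd_getl32 (mhd->recsiz));
++ (unsigned) bfd_getl32 (mhd->recsiz));
+name = (char *)(mhd + 1);
++ maxname = (char *) rec + rec_len;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module name is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module name is too long\n"));
++ return;
++ }
+fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
++ name = nextname;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module version is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module version is too long\n"));
++ return;
++ }
+fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
+- fprintf (file, _(" compile date : %.17s\n"), name);
++ name = nextname;
++ if ((maxname - name) < 17 && maxname[-1] != 0)
++ fprintf (file, _(" Error: The compile date is truncated\n"));
++ else
++ fprintf (file, _(" compile date : %.17s\n"), name);
+}
+break;
++
+case EMH__C_LNM:
+- {
+- fprintf (file, _("Language Processor Name\n"));
+- fprintf (file, _(" language name: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Language Processor Name\n"));
++ fprintf (file, _(" language name: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_SRC:
+- {
+- fprintf (file, _("Source Files Header\n"));
+- fprintf (file, _(" file: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Source Files Header\n"));
++ fprintf (file, _(" file: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_TTL:
+- {
+- fprintf (file, _("Title Text Header\n"));
+- fprintf (file, _(" title: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Title Text Header\n"));
++ fprintf (file, _(" title: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_CPR:
+- {
+- fprintf (file, _("Copyright Header\n"));
+- fprintf (file, _(" copyright: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Copyright Header\n"));
++ fprintf (file, _(" copyright: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+default:
+fprintf (file, _("unhandled emh subtype %u\n"), subtype);
+break;
+Index: git/bfd/vms-misc.c
+===================================================================
+--- git.orig/bfd/vms-misc.c 2017-08-30 17:21:59.716671451 +0530
++++ git/bfd/vms-misc.c 2017-08-30 17:22:19.140813649 +0530
+@@ -135,8 +135,8 @@
+#endif
+
+
+-/* Copy sized string (string with fixed size) to new allocated area
+- size is string size (size of record) */
++/* Copy sized string (string with fixed size) to new allocated area.
++ Size is string size (size of record). */
+
+char *
+_bfd_vms_save_sized_string (unsigned char *str, int size)
+@@ -151,8 +151,8 @@
+return newstr;
+}
+
+-/* Copy counted string (string with size at first byte) to new allocated area
+- ptr points to size byte on entry */
++/* Copy counted string (string with size at first byte) to new allocated area.
++ PTR points to size byte on entry. */
+
+char *
+_bfd_vms_save_counted_string (unsigned char *ptr)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:22:19.080813209 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:23:51.069502425 +0530
+@@ -1,3 +1,16 @@
++2017-07-27 Nick Clifton <nickc@redhat.com>
++
++ PR 21840
++ * mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
++ size is -1.
++ * nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
++ with error return.
++ * section.c (bfd_make_section_with_flags): Fail if the name or bfd
++ are NULL.
++ * vms-alpha.c (bfd_make_section_with_flags): Correct computation
++ of end pointer.
++ (evax_bfd_print_emh): Check for invalid string lengths.
++
+2017-07-19 Nick Clifton <nickc@redhat.com>
+
+PR 21787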
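Review bot: In the EMH__C_MHD case of evax_bfd_print_emh the count byte is read through `const char * name`, so where plain char is signed a count of 0x80 or more becomes negative. `nextname = name + name[0] + 1` then points backwards and is not caught by the `nextname >= maxname` check, and a negative precision passed to `%.*s` is treated as no precision, leaving the print bounded only by the next NUL byte. Reading the count as unsigned closes this: `nextname = name + (unsigned char) name[0] + 1;`, with `(unsigned char) name[0]` as the precision in both fprintf calls. The LNM, SRC, TTL and CPR cases depend on `extra` being non-negative, which holds only because of the earlier `rec_len < sizeof (* emh)` return, so a comment at `extra = rec_len - sizeof (struct vms_emh_common);` saying `/* rec_len was checked above, so EXTRA cannot be negative. */` would protect that ordering. As this is a backport, prefer picking up a later upstream change to these lines, if one exists, over a local divergence; the function body starts and ends outside the hunk.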
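--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-12449_12455_12457_1.patch
@@ -0,0 +1,97 @@
+commit bc21b167eb0106eb31d946a0eb5acfb7e4d5d8a1
+Author: Nick Clifton <nickc@redhat.com>
+Date: Mon Jun 19 14:52:36 2017 +0100
+
+Fix address violations when reading corrupt VMS records.
+
+PR binutils/21618
+* vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
+length.
+(evax_bfd_print_eeom): Likewise.
+(evax_bfd_print_egsd): Check for an overlarge record length.
+(evax_bfd_print_etir): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-12449_12455_12457
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-08-30 17:08:27.408159234 +0530
++++ git/bfd/vms-alpha.c 2017-08-30 17:12:07.289044702 +0530
+@@ -5567,6 +5567,13 @@
+
+fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* emh))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
++ return;
++ }
++
+switch (subtype)
+{
+case EMH__C_MHD:
+@@ -5630,6 +5637,14 @@
+struct vms_eeom *eeom = (struct vms_eeom *)rec;
+
+fprintf (file, _(" EEOM (len=%u):\n"), rec_len);
++
++ /* PR 21618: Check for invalid lengths. */
++ if (rec_len < sizeof (* eeom))
++ {
++ fprintf (file, _(" Error: The length is less than the length of an EEOM record\n"));
++ return;
++ }
++
+fprintf (file, _(" number of cond linkage pairs: %u\n"),
+(unsigned)bfd_getl32 (eeom->total_lps));
+fprintf (file, _(" completion code: %u\n"),
+@@ -5718,6 +5733,12 @@
+n, type, len);
+n++;
+
++ if (off + len > rec_len || off + len < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+switch (type)
+{
+case EGSD__C_PSC:
+@@ -5958,6 +5979,12 @@
+size = bfd_getl16 (etir->size);
+buf = rec + off + sizeof (struct vms_etir);
+
++ if (off + size > rec_len || off + size < off)
++ {
++ fprintf (file, _(" Error: length larger than remaining space in record\n"));
++ return;
++ }
++
+fprintf (file, _(" (type: %3u, size: 4+%3u): "), type, size - 4);
+switch (type)
+{
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-08-30 17:08:43.612213596 +0530
++++ git/bfd/ChangeLog 2017-08-30 17:13:27.217438742 +0530
+@@ -5,6 +5,15 @@
+correct magic bytes at the start, set the error to wrong format
+and clear the format selector before returning NULL.
+
++ 2017-06-19 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21618
++ * vms-alpha.c (evax_bfd_print_emh): Check for insufficient record
++ length.
++ (evax_bfd_print_eeom): Likewise.
++ (evax_bfd_print_egsd): Check for an overlarge record length.
++ (evax_bfd_print_etir): Likewise.
++
+2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
+
+* readelf.c (process_mips_specific): Remove error reporting from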
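Review bot: The check added in evax_bfd_print_etir bounds `size` from above only, yet the very next line prints `size - 4` and `buf` has already been placed `sizeof (struct vms_etir)` bytes past `off`. A corrupt record whose size field is smaller than that header makes `size - 4` wrap and leaves the per-type decoding that follows with no payload to read. A zero `len` or `size` may also keep the enclosing loop from advancing, though that loop is outside the hunk. A lower bound in the same test would cover this, for example `if (size < sizeof (struct vms_etir) || off + size > rec_len || off + size < off)`, with the equivalent minimum for `len` in evax_bfd_print_egsd, assuming both length fields count their own header as the `4+` in the format string suggests. Both functions begin and end outside the hunks shown.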