Binutils: Security fix for CVE-2018-7569

Affects: <= 2.30 (From OE-Core rev: b99d1f2212ea73ddafd3fbf9426b37a04d89b809) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-08 13:53:40 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: bdb39814660ec744aae1ddae0b09bbdc8847b823 (patch)
tree: 7a05ac4398495c25bf7b7b31df6aed1b5b2ac245
parent: 3552c38b32021aa24f6de6914cd37b622ab70f05 (diff)
download: poky-bdb39814660ec744aae1ddae0b09bbdc8847b823.tar.gz
2 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index ceb8e85579..cfde35cecd 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
     file://CVE-2018-7208.patch \
     file://CVE-2018-7568_p1.patch \
     file://CVE-2018-7568_p2.patch \
+     file://CVE-2018-7569.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000000..e77118bc13
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,120 @@
+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 11:50:49 +0000
+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
+ FORM blocks.
+        PR 22895
+        PR 22893
+        * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+        pointer.  Drop unused abfd parameter.  Check the size of the block
+        before initialising the data field.  Return the end pointer if the
+        size is invalid.
+        (read_attribute_value): Adjust invocations of read_n_bytes.
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-7569
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 15 deletions(-)
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -649,14 +649,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+ 
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+-             bfd_byte *buf,
+-             bfd_byte *end,
+-             unsigned int size ATTRIBUTE_UNUSED)
+-{
+-  if (buf + size > end)
+-    return NULL;
+-  return buf;
+read_n_bytes (bfd_byte *           buf,
+             bfd_byte *           end,
+             struct dwarf_block * block)
+{
+  unsigned int  size = block->size;
+  bfd_byte *    block_end = buf + size;
+
+  if (block_end > end || block_end < buf)
+    {
+      block->data = NULL;
+      block->size = 0;
+      return end;
+    }
+  else
+    {
+      block->data = buf;
+      return block_end;
+    }
+ }
+ 
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute *
+        return NULL;
+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 2;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block4:
+@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute *
+        return NULL;
+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 4;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data2:
+@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute *
+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+                                         FALSE, info_ptr_end);
+       info_ptr += bytes_read;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block1:
+@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute *
+        return NULL;
+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+       info_ptr += 1;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
+      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data1:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,4 +1,14 @@
+ 2018-02-28  Nick Clifton  <nickc@redhat.com>
+ 
+       PR 22895
+       PR 22893
+       * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+       pointer.  Drop unused abfd parameter.  Check the size of the block
+       before initialising the data field.  Return the end pointer if the
+       size is invalid.
+       (read_attribute_value): Adjust invocations of read_n_bytes.
+
+2018-02-28  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22894
+        * dwarf1.c (parse_die): Check the length of form blocks before
author	Armin Kuster <akuster@mvista.com>	2018-08-08 13:53:40 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	bdb39814660ec744aae1ddae0b09bbdc8847b823 (patch)
tree	7a05ac4398495c25bf7b7b31df6aed1b5b2ac245
parent	3552c38b32021aa24f6de6914cd37b622ab70f05 (diff)
download	poky-bdb39814660ec744aae1ddae0b09bbdc8847b823.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index ceb8e85579..cfde35cecd 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
75	file://CVE-2018-7208.patch \	75	file://CVE-2018-7208.patch \
76	file://CVE-2018-7568_p1.patch \	76	file://CVE-2018-7568_p1.patch \
77	file://CVE-2018-7568_p2.patch \	77	file://CVE-2018-7568_p2.patch \
		78	file://CVE-2018-7569.patch \
78	"	79	"
79	S = "${WORKDIR}/git"	80	S = "${WORKDIR}/git"
80		81


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch new file mode 100644 index 0000000000..e77118bc13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,120 @@
		1	From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 28 Feb 2018 11:50:49 +0000
		4	Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
		5	FORM blocks.
		6
		7	PR 22895
		8	PR 22893
		9	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
		10	pointer. Drop unused abfd parameter. Check the size of the block
		11	before initialising the data field. Return the end pointer if the
		12	size is invalid.
		13	(read_attribute_value): Adjust invocations of read_n_bytes.
		14
		15	Upstream-Status: Backport
		16	Affects: <= 2.30
		17	CVE: CVE-2018-7569
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	---
		21	bfd/ChangeLog \| 8 ++++++++
		22	bfd/dwarf2.c \| 36 +++++++++++++++++++++---------------
		23	2 files changed, 29 insertions(+), 15 deletions(-)
		24
		25	Index: git/bfd/dwarf2.c
		26	===================================================================
		27	--- git.orig/bfd/dwarf2.c
		28	+++ git/bfd/dwarf2.c
		29	@@ -649,14 +649,24 @@ read_8_bytes (bfd abfd, bfd_byte buf,
		30	}
		31
		32	static bfd_byte *
		33	-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
		34	- bfd_byte *buf,
		35	- bfd_byte *end,
		36	- unsigned int size ATTRIBUTE_UNUSED)
		37	-{
		38	- if (buf + size > end)
		39	- return NULL;
		40	- return buf;
		41	+read_n_bytes (bfd_byte * buf,
		42	+ bfd_byte * end,
		43	+ struct dwarf_block * block)
		44	+{
		45	+ unsigned int size = block->size;
		46	+ bfd_byte * block_end = buf + size;
		47	+
		48	+ if (block_end > end \|\| block_end < buf)
		49	+ {
		50	+ block->data = NULL;
		51	+ block->size = 0;
		52	+ return end;
		53	+ }
		54	+ else
		55	+ {
		56	+ block->data = buf;
		57	+ return block_end;
		58	+ }
		59	}
		60
		61	/* Scans a NUL terminated string starting at BUF, returning a pointer to it.
		62	@@ -1154,8 +1164,7 @@ read_attribute_value (struct attribute *
		63	return NULL;
		64	blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
		65	info_ptr += 2;
		66	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		67	- info_ptr += blk->size;
		68	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		69	attr->u.blk = blk;
		70	break;
		71	case DW_FORM_block4:
		72	@@ -1165,8 +1174,7 @@ read_attribute_value (struct attribute *
		73	return NULL;
		74	blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
		75	info_ptr += 4;
		76	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		77	- info_ptr += blk->size;
		78	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		79	attr->u.blk = blk;
		80	break;
		81	case DW_FORM_data2:
		82	@@ -1206,8 +1214,7 @@ read_attribute_value (struct attribute *
		83	blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
		84	FALSE, info_ptr_end);
		85	info_ptr += bytes_read;
		86	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		87	- info_ptr += blk->size;
		88	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		89	attr->u.blk = blk;
		90	break;
		91	case DW_FORM_block1:
		92	@@ -1217,8 +1224,7 @@ read_attribute_value (struct attribute *
		93	return NULL;
		94	blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
		95	info_ptr += 1;
		96	- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
		97	- info_ptr += blk->size;
		98	+ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
		99	attr->u.blk = blk;
		100	break;
		101	case DW_FORM_data1:
		102	Index: git/bfd/ChangeLog
		103	===================================================================
		104	--- git.orig/bfd/ChangeLog
		105	+++ git/bfd/ChangeLog
		106	@@ -1,4 +1,14 @@
		107	2018-02-28 Nick Clifton <nickc@redhat.com>
		108	+
		109	+ PR 22895
		110	+ PR 22893
		111	+ * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
		112	+ pointer. Drop unused abfd parameter. Check the size of the block
		113	+ before initialising the data field. Return the end pointer if the
		114	+ size is invalid.
		115	+ (read_attribute_value): Adjust invocations of read_n_bytes.
		116	+
		117	+2018-02-28 Nick Clifton <nickc@redhat.com>
		118
		119	PR 22894
		120	* dwarf1.c (parse_die): Check the length of form blocks before