binutls: Security fix for CVE-2017-15939

affects: <= 2.29.1 (From OE-Core rev: dec0162e16040aa00c5fff3e5cfde1b488af3e55) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-06 19:36:12 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: f0be43144f1b8719d7342c9288dc8efe2c050e60 (patch)
tree: d175562cb14006db8fee5b9dddf1f9b472154536
parent: e4c382ecc6212166644d7b85fbdbf7ee0c1264dc (diff)
download: poky-f0be43144f1b8719d7342c9288dc8efe2c050e60.tar.gz
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 2440873cd9..cb0502d4b5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
     file://CVE-2017-15024.patch \
     file://CVE-2017-15025.patch \
     file://CVE-2017-15225.patch \
+     file://CVE-2017-15939.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
new file mode 100644
index 0000000000..bccad763f4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
@@ -0,0 +1,113 @@
+From a54018b72d75abf2e74bf36016702da06399c1d9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 26 Sep 2017 09:38:26 +0930
+Subject: [PATCH] PR22205, .debug_line file table NULL filename
+The PR22200 fuzzer testcase found one way to put NULLs into .debug_line
+file tables.  PR22205 finds another.  This patch gives up on trying to
+prevent NULL files in the file table and instead just copes with them.
+Arguably, this is better than giving up and showing no info from
+.debug_line.  I've also fixed a case where the fairly recent DWARF5
+support in handling broken DWARG could result in uninitialized memory
+reads, and made a small tidy.
+        PR 22205
+        * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
+        (read_formatted_entries): Init "fe".
+        (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15939
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf2.c  | 35 +++++++++++++----------------------
+ 2 files changed, 20 insertions(+), 22 deletions(-)
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -1597,6 +1597,8 @@ concat_filename (struct line_info_table
+     }
+ 
+   filename = table->files[file - 1].name;
+  if (filename == NULL)
+    return strdup ("<unknown>");
+ 
+   if (!IS_ABSOLUTE_PATH (filename))
+     {
+@@ -1956,6 +1958,7 @@ read_formatted_entries (struct comp_unit
+       bfd_byte *format = format_header_data;
+       struct fileinfo fe;
+ 
+      memset (&fe, 0, sizeof fe);
+       for (formati = 0; formati < format_count; formati++)
+        {
+          bfd_vma content_type, form;
+@@ -2256,6 +2259,7 @@ decode_line_info (struct comp_unit *unit
+       unsigned int discriminator = 0;
+       int is_stmt = lh.default_is_stmt;
+       int end_sequence = 0;
+      unsigned int dir, xtime, size;
+       /* eraxxon@alumni.rice.edu: Against the DWARF2 specs, some
+         compilers generate address sequences that are wildly out of
+         order using DW_LNE_set_address (e.g. Intel C++ 6.0 compiler
+@@ -2330,31 +2334,18 @@ decode_line_info (struct comp_unit *unit
+                case DW_LNE_define_file:
+                  cur_file = read_string (abfd, line_ptr, line_end, &bytes_read);
+                  line_ptr += bytes_read;
+-                 if ((table->num_files % FILE_ALLOC_CHUNK) == 0)
+-                   {
+-                     struct fileinfo *tmp;
+-
+-                     amt = table->num_files + FILE_ALLOC_CHUNK;
+-                     amt *= sizeof (struct fileinfo);
+-                     tmp = (struct fileinfo *) bfd_realloc (table->files, amt);
+-                     if (tmp == NULL)
+-                       goto line_fail;
+-                     table->files = tmp;
+-                   }
+-                 table->files[table->num_files].name = cur_file;
+-                 table->files[table->num_files].dir =
+-                   _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-                                          FALSE, line_end);
+                 dir = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+                                              FALSE, line_end);
+                  line_ptr += bytes_read;
+-                 table->files[table->num_files].time =
+-                   _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-                                          FALSE, line_end);
+                 xtime = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+                                                FALSE, line_end);
+                  line_ptr += bytes_read;
+-                 table->files[table->num_files].size =
+-                   _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+-                                          FALSE, line_end);
+                 size = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
+                                               FALSE, line_end);
+                  line_ptr += bytes_read;
+-                 table->num_files++;
+                 if (!line_info_add_file_name (table, cur_file, dir,
+                                               xtime, size))
+                   goto line_fail;
+                  break;
+                case DW_LNE_set_discriminator:
+                  discriminator =
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
+2017-09-26  Alan Modra  <amodra@gmail.com>
+ 
+       PR 22205
+       * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
+       (read_formatted_entries): Init "fe".
+       (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
+
+ 2017-10-09  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22212
author	Armin Kuster <akuster@mvista.com>	2018-08-06 19:36:12 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	f0be43144f1b8719d7342c9288dc8efe2c050e60 (patch)
tree	d175562cb14006db8fee5b9dddf1f9b472154536
parent	e4c382ecc6212166644d7b85fbdbf7ee0c1264dc (diff)
download	poky-f0be43144f1b8719d7342c9288dc8efe2c050e60.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 2440873cd9..cb0502d4b5 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
50	file://CVE-2017-15024.patch \	50	file://CVE-2017-15024.patch \
51	file://CVE-2017-15025.patch \	51	file://CVE-2017-15025.patch \
52	file://CVE-2017-15225.patch \	52	file://CVE-2017-15225.patch \
		53	file://CVE-2017-15939.patch \
53	"	54	"
54	S = "${WORKDIR}/git"	55	S = "${WORKDIR}/git"
55		56


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch new file mode 100644 index 0000000000..bccad763f4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15939.patch
@@ -0,0 +1,113 @@
		1	From a54018b72d75abf2e74bf36016702da06399c1d9 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Tue, 26 Sep 2017 09:38:26 +0930
		4	Subject: [PATCH] PR22205, .debug_line file table NULL filename
		5
		6	The PR22200 fuzzer testcase found one way to put NULLs into .debug_line
		7	file tables. PR22205 finds another. This patch gives up on trying to
		8	prevent NULL files in the file table and instead just copes with them.
		9	Arguably, this is better than giving up and showing no info from
		10	.debug_line. I've also fixed a case where the fairly recent DWARF5
		11	support in handling broken DWARG could result in uninitialized memory
		12	reads, and made a small tidy.
		13
		14	PR 22205
		15	* dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
		16	(read_formatted_entries): Init "fe".
		17	(decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
		18
		19	Upstream-Status: Backport
		20	Affects: <= 2.29.1
		21	CVE: CVE-2017-15939
		22	Signed-off-by: Armin Kuster <akuster@mvista.com>
		23
		24	---
		25	bfd/ChangeLog \| 7 +++++++
		26	bfd/dwarf2.c \| 35 +++++++++++++----------------------
		27	2 files changed, 20 insertions(+), 22 deletions(-)
		28
		29	Index: git/bfd/dwarf2.c
		30	===================================================================
		31	--- git.orig/bfd/dwarf2.c
		32	+++ git/bfd/dwarf2.c
		33	@@ -1597,6 +1597,8 @@ concat_filename (struct line_info_table
		34	}
		35
		36	filename = table->files[file - 1].name;
		37	+ if (filename == NULL)
		38	+ return strdup ("<unknown>");
		39
		40	if (!IS_ABSOLUTE_PATH (filename))
		41	{
		42	@@ -1956,6 +1958,7 @@ read_formatted_entries (struct comp_unit
		43	bfd_byte *format = format_header_data;
		44	struct fileinfo fe;
		45
		46	+ memset (&fe, 0, sizeof fe);
		47	for (formati = 0; formati < format_count; formati++)
		48	{
		49	bfd_vma content_type, form;
		50	@@ -2256,6 +2259,7 @@ decode_line_info (struct comp_unit *unit
		51	unsigned int discriminator = 0;
		52	int is_stmt = lh.default_is_stmt;
		53	int end_sequence = 0;
		54	+ unsigned int dir, xtime, size;
		55	/* eraxxon@alumni.rice.edu: Against the DWARF2 specs, some
		56	compilers generate address sequences that are wildly out of
		57	order using DW_LNE_set_address (e.g. Intel C++ 6.0 compiler
		58	@@ -2330,31 +2334,18 @@ decode_line_info (struct comp_unit *unit
		59	case DW_LNE_define_file:
		60	cur_file = read_string (abfd, line_ptr, line_end, &bytes_read);
		61	line_ptr += bytes_read;
		62	- if ((table->num_files % FILE_ALLOC_CHUNK) == 0)
		63	- {
		64	- struct fileinfo *tmp;
		65	-
		66	- amt = table->num_files + FILE_ALLOC_CHUNK;
		67	- amt *= sizeof (struct fileinfo);
		68	- tmp = (struct fileinfo *) bfd_realloc (table->files, amt);
		69	- if (tmp == NULL)
		70	- goto line_fail;
		71	- table->files = tmp;
		72	- }
		73	- table->files[table->num_files].name = cur_file;
		74	- table->files[table->num_files].dir =
		75	- _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
		76	- FALSE, line_end);
		77	+ dir = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
		78	+ FALSE, line_end);
		79	line_ptr += bytes_read;
		80	- table->files[table->num_files].time =
		81	- _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
		82	- FALSE, line_end);
		83	+ xtime = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
		84	+ FALSE, line_end);
		85	line_ptr += bytes_read;
		86	- table->files[table->num_files].size =
		87	- _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
		88	- FALSE, line_end);
		89	+ size = _bfd_safe_read_leb128 (abfd, line_ptr, &bytes_read,
		90	+ FALSE, line_end);
		91	line_ptr += bytes_read;
		92	- table->num_files++;
		93	+ if (!line_info_add_file_name (table, cur_file, dir,
		94	+ xtime, size))
		95	+ goto line_fail;
		96	break;
		97	case DW_LNE_set_discriminator:
		98	discriminator =
		99	Index: git/bfd/ChangeLog
		100	===================================================================
		101	--- git.orig/bfd/ChangeLog
		102	+++ git/bfd/ChangeLog
		103	@@ -1,3 +1,10 @@
		104	+2017-09-26 Alan Modra <amodra@gmail.com>
		105	+
		106	+ PR 22205
		107	+ * dwarf2.c (concat_filename): Return "<unknown>" on NULL filename.
		108	+ (read_formatted_entries): Init "fe".
		109	+ (decode_line_info <DW_LNE_define_file>): Use line_info_add_file_name.
		110	+
		111	2017-10-09 Alan Modra <amodra@gmail.com>
		112
		113	PR 22212