binutils: CVE-2017-15938

Source: binutils-gdb.git MR: 76766 Type: Security Fix Disposition: Backport from binutils master ChangeID: f080669b4e6f7c9088e30858238da5f4315192f3 Description: PR22209, invalid memory read in find_abstract_instance_name This patch adds bounds checking for DW_FORM_ref_addr die refs, and calculates them relative to the first .debug_info section. See the big comment for why calculating relative to the current .debug_info section was wrong for relocatable object files. PR 22209 * dwarf2.c (struct comp_unit): Delete sec_info_ptr field. (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative to stash->info_ptr_memory, and check die_ref is within that memory. Set info_ptr_end correctly when another CU is refd. Check die_ref for DW_FORM_ref4 etc. is within CU. Affects: <= 2.29 (From OE-Core rev: 592f315516e602bd9a9bdc3d116771528cd433d1) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-11-08 13:44:34 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:09 +0000
commit: 9c53a526d0cc371a06c51a8e042dd5fe6784bbd3 (patch)
tree: 3592060ef56132a4b864206d07c0e6a90f83f7e8 /meta/recipes-devtools
parent: 7006ecaba3457fe48673b9c1da164a5165453eb0 (diff)
download: poky-9c53a526d0cc371a06c51a8e042dd5fe6784bbd3.tar.gz
2 files changed, 154 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index ae43d2a5d2..1311b65847 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -102,6 +102,7 @@ SRC_URI = "\
     file://CVE-2017-9955_9.patch \
     file://CVE-2017-14729.patch \
     file://CVE-2017-15024.patch \
+     file://CVE-2017-15938.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
new file mode 100644
index 0000000000..25d6f3a32a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
@@ -0,0 +1,153 @@
+commit 1b86808a86077722ee4f42ff97f836b12420bb2a
+Author: Alan Modra <amodra@gmail.com>
+Date:   Tue Sep 26 21:47:24 2017 +0930
+    PR22209, invalid memory read in find_abstract_instance_name
+    
+    This patch adds bounds checking for DW_FORM_ref_addr die refs, and
+    calculates them relative to the first .debug_info section.  See the
+    big comment for why calculating relative to the current .debug_info
+    section was wrong for relocatable object files.
+    
+        PR 22209
+        * dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
+        (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
+        to stash->info_ptr_memory, and check die_ref is within that memory.
+        Set info_ptr_end correctly when another CU is refd.  Check die_ref
+        for DW_FORM_ref4 etc. is within CU.
+Upstream-Status: Backport
+CVE: CVE-2017-15938
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c       2017-11-07 18:52:19.896253364 +0530
+++ git/bfd/dwarf2.c    2017-11-07 18:52:19.952253802 +0530
+@@ -119,8 +119,7 @@
+ 
+   /* A pointer to the memory block allocated for info_ptr.  Neither
+      info_ptr nor sec_info_ptr are guaranteed to stay pointing to the
+-     beginning of the malloc block.  This is used only to free the
+-     memory later.  */
+     beginning of the malloc block.  */
+   bfd_byte *info_ptr_memory;
+ 
+   /* Pointer to the symbol table.  */
+@@ -238,9 +237,6 @@
+      by its reference.  */
+   bfd_byte *info_ptr_unit;
+ 
+-  /* Pointer to the start of the debug section, for DW_FORM_ref_addr.  */
+-  bfd_byte *sec_info_ptr;
+-
+   /* The offset into .debug_line of the line number table.  */
+   unsigned long line_offset;
+ 
+@@ -2294,21 +2290,37 @@
+   if (attr_ptr->form == DW_FORM_ref_addr)
+     {
+       /* We only support DW_FORM_ref_addr within the same file, so
+-        any relocations should be resolved already.  */
+-      if (!die_ref)
+        any relocations should be resolved already.  Check this by
+        testing for a zero die_ref;  There can't be a valid reference
+        to the header of a .debug_info section.
+        DW_FORM_ref_addr is an offset relative to .debug_info.
+        Normally when using the GNU linker this is accomplished by
+        emitting a symbolic reference to a label, because .debug_info
+        sections are linked at zero.  When there are multiple section
+        groups containing .debug_info, as there might be in a
+        relocatable object file, it would be reasonable to assume that
+        a symbolic reference to a label in any .debug_info section
+        might be used.  Since we lay out multiple .debug_info
+        sections at non-zero VMAs (see place_sections), and read
+        them contiguously into stash->info_ptr_memory, that means
+        the reference is relative to stash->info_ptr_memory.  */
+      size_t total;
+
+      info_ptr = unit->stash->info_ptr_memory;
+      info_ptr_end = unit->stash->info_ptr_end;
+      total = info_ptr_end - info_ptr;
+      if (!die_ref || die_ref >= total)
+        {
+          _bfd_error_handler
+-           (_("Dwarf Error: Abstract instance DIE ref zero."));
+           (_("Dwarf Error: Invalid abstract instance DIE ref."));
+          bfd_set_error (bfd_error_bad_value);
+          return FALSE;
+        }
+-
+-      info_ptr = unit->sec_info_ptr + die_ref;
+-      info_ptr_end = unit->end_ptr;
+      info_ptr += die_ref;
+ 
+       /* Now find the CU containing this pointer.  */
+       if (info_ptr >= unit->info_ptr_unit && info_ptr < unit->end_ptr)
+-       ;
+       info_ptr_end = unit->end_ptr;
+       else
+        {
+          /* Check other CUs to see if they contain the abbrev.  */
+@@ -2324,7 +2336,10 @@
+                break;
+ 
+          if (u)
+-           unit = u;
+           {
+             unit = u;
+             info_ptr_end = unit->end_ptr;
+           }
+          /* else FIXME: What do we do now ?  */
+        }
+     }
+@@ -2346,8 +2361,22 @@
+     }
+   else
+     {
+-      info_ptr = unit->info_ptr_unit + die_ref;
+      /* DW_FORM_ref1, DW_FORM_ref2, DW_FORM_ref4, DW_FORM_ref8 or
+        DW_FORM_ref_udata.  These are all references relative to the
+        start of the current CU.  */
+      size_t total;
+
+      info_ptr = unit->info_ptr_unit;
+       info_ptr_end = unit->end_ptr;
+      total = info_ptr_end - info_ptr;
+      if (!die_ref || die_ref >= total)
+       {
+         _bfd_error_handler
+           (_("Dwarf Error: Invalid abstract instance DIE ref."));
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+      info_ptr += die_ref;
+     }
+ 
+   abbrev_number = safe_read_leb128 (abfd, info_ptr, &bytes_read, FALSE, info_ptr_end);
+@@ -2846,7 +2875,6 @@
+   unit->end_ptr = end_ptr;
+   unit->stash = stash;
+   unit->info_ptr_unit = info_ptr_unit;
+-  unit->sec_info_ptr = stash->sec_info_ptr;
+ 
+   for (i = 0; i < abbrev->num_attrs; ++i)
+     {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-11-07 18:52:19.900253395 +0530
+++ git/bfd/ChangeLog   2017-11-07 18:53:29.668799630 +0530
+@@ -1,3 +1,12 @@
+2017-09-26  Alan Modra  <amodra@gmail.com>
+
+       PR 22209
+       * dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
+       (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
+       to stash->info_ptr_memory, and check die_ref is within that memory.
+       Set info_ptr_end correctly when another CU is refd.  Check die_ref
+       for DW_FORM_ref4 etc. is within CU.
+
+ 2017-09-24  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22187
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-11-08 13:44:34 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:09 +0000
commit	9c53a526d0cc371a06c51a8e042dd5fe6784bbd3 (patch)
tree	3592060ef56132a4b864206d07c0e6a90f83f7e8 /meta/recipes-devtools
parent	7006ecaba3457fe48673b9c1da164a5165453eb0 (diff)
download	poky-9c53a526d0cc371a06c51a8e042dd5fe6784bbd3.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index ae43d2a5d2..1311b65847 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -102,6 +102,7 @@ SRC_URI = "\
102	file://CVE-2017-9955_9.patch \	102	file://CVE-2017-9955_9.patch \
103	file://CVE-2017-14729.patch \	103	file://CVE-2017-14729.patch \
104	file://CVE-2017-15024.patch \	104	file://CVE-2017-15024.patch \
		105	file://CVE-2017-15938.patch \
105	"	106	"
106	S = "${WORKDIR}/git"	107	S = "${WORKDIR}/git"
107		108


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch new file mode 100644 index 0000000000..25d6f3a32a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
@@ -0,0 +1,153 @@
		1	commit 1b86808a86077722ee4f42ff97f836b12420bb2a
		2	Author: Alan Modra <amodra@gmail.com>
		3	Date: Tue Sep 26 21:47:24 2017 +0930
		4
		5	PR22209, invalid memory read in find_abstract_instance_name
		6
		7	This patch adds bounds checking for DW_FORM_ref_addr die refs, and
		8	calculates them relative to the first .debug_info section. See the
		9	big comment for why calculating relative to the current .debug_info
		10	section was wrong for relocatable object files.
		11
		12	PR 22209
		13	* dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
		14	(find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
		15	to stash->info_ptr_memory, and check die_ref is within that memory.
		16	Set info_ptr_end correctly when another CU is refd. Check die_ref
		17	for DW_FORM_ref4 etc. is within CU.
		18
		19	Upstream-Status: Backport
		20
		21	CVE: CVE-2017-15938
		22	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		23
		24	Index: git/bfd/dwarf2.c
		25	===================================================================
		26	--- git.orig/bfd/dwarf2.c 2017-11-07 18:52:19.896253364 +0530
		27	+++ git/bfd/dwarf2.c 2017-11-07 18:52:19.952253802 +0530
		28	@@ -119,8 +119,7 @@
		29
		30	/* A pointer to the memory block allocated for info_ptr. Neither
		31	info_ptr nor sec_info_ptr are guaranteed to stay pointing to the
		32	- beginning of the malloc block. This is used only to free the
		33	- memory later. */
		34	+ beginning of the malloc block. */
		35	bfd_byte *info_ptr_memory;
		36
		37	/* Pointer to the symbol table. */
		38	@@ -238,9 +237,6 @@
		39	by its reference. */
		40	bfd_byte *info_ptr_unit;
		41
		42	- /* Pointer to the start of the debug section, for DW_FORM_ref_addr. */
		43	- bfd_byte *sec_info_ptr;
		44	-
		45	/* The offset into .debug_line of the line number table. */
		46	unsigned long line_offset;
		47
		48	@@ -2294,21 +2290,37 @@
		49	if (attr_ptr->form == DW_FORM_ref_addr)
		50	{
		51	/* We only support DW_FORM_ref_addr within the same file, so
		52	- any relocations should be resolved already. */
		53	- if (!die_ref)
		54	+ any relocations should be resolved already. Check this by
		55	+ testing for a zero die_ref; There can't be a valid reference
		56	+ to the header of a .debug_info section.
		57	+ DW_FORM_ref_addr is an offset relative to .debug_info.
		58	+ Normally when using the GNU linker this is accomplished by
		59	+ emitting a symbolic reference to a label, because .debug_info
		60	+ sections are linked at zero. When there are multiple section
		61	+ groups containing .debug_info, as there might be in a
		62	+ relocatable object file, it would be reasonable to assume that
		63	+ a symbolic reference to a label in any .debug_info section
		64	+ might be used. Since we lay out multiple .debug_info
		65	+ sections at non-zero VMAs (see place_sections), and read
		66	+ them contiguously into stash->info_ptr_memory, that means
		67	+ the reference is relative to stash->info_ptr_memory. */
		68	+ size_t total;
		69	+
		70	+ info_ptr = unit->stash->info_ptr_memory;
		71	+ info_ptr_end = unit->stash->info_ptr_end;
		72	+ total = info_ptr_end - info_ptr;
		73	+ if (!die_ref \|\| die_ref >= total)
		74	{
		75	_bfd_error_handler
		76	- (_("Dwarf Error: Abstract instance DIE ref zero."));
		77	+ (_("Dwarf Error: Invalid abstract instance DIE ref."));
		78	bfd_set_error (bfd_error_bad_value);
		79	return FALSE;
		80	}
		81	-
		82	- info_ptr = unit->sec_info_ptr + die_ref;
		83	- info_ptr_end = unit->end_ptr;
		84	+ info_ptr += die_ref;
		85
		86	/* Now find the CU containing this pointer. */
		87	if (info_ptr >= unit->info_ptr_unit && info_ptr < unit->end_ptr)
		88	- ;
		89	+ info_ptr_end = unit->end_ptr;
		90	else
		91	{
		92	/* Check other CUs to see if they contain the abbrev. */
		93	@@ -2324,7 +2336,10 @@
		94	break;
		95
		96	if (u)
		97	- unit = u;
		98	+ {
		99	+ unit = u;
		100	+ info_ptr_end = unit->end_ptr;
		101	+ }
		102	/* else FIXME: What do we do now ? */
		103	}
		104	}
		105	@@ -2346,8 +2361,22 @@
		106	}
		107	else
		108	{
		109	- info_ptr = unit->info_ptr_unit + die_ref;
		110	+ /* DW_FORM_ref1, DW_FORM_ref2, DW_FORM_ref4, DW_FORM_ref8 or
		111	+ DW_FORM_ref_udata. These are all references relative to the
		112	+ start of the current CU. */
		113	+ size_t total;
		114	+
		115	+ info_ptr = unit->info_ptr_unit;
		116	info_ptr_end = unit->end_ptr;
		117	+ total = info_ptr_end - info_ptr;
		118	+ if (!die_ref \|\| die_ref >= total)
		119	+ {
		120	+ _bfd_error_handler
		121	+ (_("Dwarf Error: Invalid abstract instance DIE ref."));
		122	+ bfd_set_error (bfd_error_bad_value);
		123	+ return FALSE;
		124	+ }
		125	+ info_ptr += die_ref;
		126	}
		127
		128	abbrev_number = safe_read_leb128 (abfd, info_ptr, &bytes_read, FALSE, info_ptr_end);
		129	@@ -2846,7 +2875,6 @@
		130	unit->end_ptr = end_ptr;
		131	unit->stash = stash;
		132	unit->info_ptr_unit = info_ptr_unit;
		133	- unit->sec_info_ptr = stash->sec_info_ptr;
		134
		135	for (i = 0; i < abbrev->num_attrs; ++i)
		136	{
		137	Index: git/bfd/ChangeLog
		138	===================================================================
		139	--- git.orig/bfd/ChangeLog 2017-11-07 18:52:19.900253395 +0530
		140	+++ git/bfd/ChangeLog 2017-11-07 18:53:29.668799630 +0530
		141	@@ -1,3 +1,12 @@
		142	+2017-09-26 Alan Modra <amodra@gmail.com>
		143	+
		144	+ PR 22209
		145	+ * dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
		146	+ (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
		147	+ to stash->info_ptr_memory, and check die_ref is within that memory.
		148	+ Set info_ptr_end correctly when another CU is refd. Check die_ref
		149	+ for DW_FORM_ref4 etc. is within CU.
		150	+
		151	2017-09-24 Alan Modra <amodra@gmail.com>
		152
		153	PR 22187