binutils: CVE-2017-8398

Source: git://sourceware.org/git/binutils-gdb.git MR: 74127 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: 410078b468de6dc1c908342283a6abe5bdf38d54 Description: Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary. PR binutils/21438 * dwarf.c (process_extended_line_op): Do not assume that the string extracted from the section is NUL terminated. (fetch_indirect_string): If the string retrieved from the section is not NUL terminated, return an error message. (fetch_indirect_line_string): Likewise. (fetch_indexed_string): Likewise. Affects: <= 2.29 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: 1e19e656a97caf61f26ab4f52339b9413d3bb29f) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-20 13:52:00 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: b5e7f898506df7bbff861f1ba1b78c695906e3a6 (patch)
tree: a6c82156f5256fd19bda2cb7a40c68500939b491 /meta/recipes-devtools
parent: 226c2fd1f720da30abf906179c64061e9f121dfc (diff)
download: poky-b5e7f898506df7bbff861f1ba1b78c695906e3a6.tar.gz
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index a455b0192c..35e26fc0dd 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
     file://CVE-2017-8421.patch \
     file://CVE-2017-8394_1.patch \
     file://CVE-2017-8394.patch \
+     file://CVE-2017-8398.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
new file mode 100644
index 0000000000..23d5085b16
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
@@ -0,0 +1,147 @@
+commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Fri Apr 28 10:28:04 2017 +0100
+    Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary.
+    
+        PR binutils/21438
+        * dwarf.c (process_extended_line_op): Do not assume that the
+        string extracted from the section is NUL terminated.
+        (fetch_indirect_string): If the string retrieved from the section
+        is not NUL terminated, return an error message.
+        (fetch_indirect_line_string): Likewise.
+        (fetch_indexed_string): Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-8398
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c   2017-09-20 13:40:17.148898512 +0530
+++ git/binutils/dwarf.c        2017-09-20 13:45:17.564730907 +0530
+@@ -472,15 +472,20 @@
+       printf (_("  Entry\tDir\tTime\tSize\tName\n"));
+       printf ("   %d\t", ++state_machine_regs.last_file_entry);
+ 
+-      name = data;
+-      data += strnlen ((char *) data, end - data) + 1;
+-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+-      data += bytes_read;
+-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+-      data += bytes_read;
+-      printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+-      data += bytes_read;
+-      printf ("%s\n\n", name);
+      {
+       size_t l;
+
+       name = data;
+       l = strnlen ((char *) data, end - data);
+       data += len + 1;
+       printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+       data += bytes_read;
+       printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+       data += bytes_read;
+       printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
+       data += bytes_read;
+       printf ("%.*s\n\n", (int) l, name);
+      }
+ 
+       if (((unsigned int) (data - orig_data) != len) || data == end)
+        warn (_("DW_LNE_define_file: Bad opcode length\n"));
+@@ -597,18 +602,28 @@
+ fetch_indirect_string (dwarf_vma offset)
+ {
+   struct dwarf_section *section = &debug_displays [str].section;
+  const unsigned char * ret;
+ 
+   if (section->start == NULL)
+     return (const unsigned char *) _("<no .debug_str section>");
+ 
+-  if (offset > section->size)
+  if (offset >= section->size)
+     {
+       warn (_("DW_FORM_strp offset too big: %s\n"),
+            dwarf_vmatoa ("x", offset));
+       return (const unsigned char *) _("<offset is too big>");
+     }
+ 
+-  return (const unsigned char *) section->start + offset;
+  ret = section->start + offset;
+  /* Unfortunately we cannot rely upon the .debug_str section ending with a
+     NUL byte.  Since our caller is expecting to receive a well formed C
+     string we test for the lack of a terminating byte here.  */
+  if (strnlen ((const char *) ret, section->size - offset)
+      == section->size - offset)
+    ret = (const unsigned char *)
+      _("<no NUL byte at end of .debug_str section>");
+
+  return ret; 
+ }
+ 
+ static const char *
+@@ -621,6 +636,7 @@
+   struct dwarf_section *str_section = &debug_displays [str_sec_idx].section;
+   dwarf_vma index_offset = idx * offset_size;
+   dwarf_vma str_offset;
+  const char * ret;
+ 
+   if (index_section->start == NULL)
+     return (dwo ? _("<no .debug_str_offsets.dwo section>")
+@@ -628,7 +644,7 @@
+ 
+   if (this_set != NULL)
+     index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
+-  if (index_offset > index_section->size)
+  if (index_offset >= index_section->size)
+     {
+       warn (_("DW_FORM_GNU_str_index offset too big: %s\n"),
+            dwarf_vmatoa ("x", index_offset));
+@@ -641,14 +657,22 @@
+ 
+   str_offset = byte_get (index_section->start + index_offset, offset_size);
+   str_offset -= str_section->address;
+-  if (str_offset > str_section->size)
+  if (str_offset >= str_section->size)
+     {
+       warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"),
+            dwarf_vmatoa ("x", str_offset));
+       return _("<indirect index offset is too big>");
+     }
+ 
+-  return (const char *) str_section->start + str_offset;
+  ret = (const char *) str_section->start + str_offset;
+  /* Unfortunately we cannot rely upon str_section ending with a NUL byte.
+     Since our caller is expecting to receive a well formed C string we test
+     for the lack of a terminating byte here.  */
+  if (strnlen (ret, str_section->size - str_offset)
+      == str_section->size - str_offset)
+    ret = (const char *) _("<no NUL byte at end of section>");
+
+  return ret;
+ }
+ 
+ static const char *
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog 2017-09-20 13:40:18.900898599 +0530
+++ git/binutils/ChangeLog      2017-09-20 13:48:02.976503560 +0530
+@@ -10,6 +10,16 @@
+        * objdump.c (dump_relocs_in_section): Check for an excessive
+        number of relocs before attempting to dump them.
+ 
+2017-04-28  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21438
+       * dwarf.c (process_extended_line_op): Do not assume that the
+       string extracted from the section is NUL terminated.
+       (fetch_indirect_string): If the string retrieved from the section
+       is not NUL terminated, return an error message.
+       (fetch_indirect_line_string): Likewise.
+       (fetch_indexed_string): Likewise.
+
+ 2017-02-14  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21157
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-20 13:52:00 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	b5e7f898506df7bbff861f1ba1b78c695906e3a6 (patch)
tree	a6c82156f5256fd19bda2cb7a40c68500939b491 /meta/recipes-devtools
parent	226c2fd1f720da30abf906179c64061e9f121dfc (diff)
download	poky-b5e7f898506df7bbff861f1ba1b78c695906e3a6.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index a455b0192c..35e26fc0dd 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
75	file://CVE-2017-8421.patch \	75	file://CVE-2017-8421.patch \
76	file://CVE-2017-8394_1.patch \	76	file://CVE-2017-8394_1.patch \
77	file://CVE-2017-8394.patch \	77	file://CVE-2017-8394.patch \
		78	file://CVE-2017-8398.patch \
78	"	79	"
79	S = "${WORKDIR}/git"	80	S = "${WORKDIR}/git"
80		81


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch new file mode 100644 index 0000000000..23d5085b16 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
@@ -0,0 +1,147 @@
		1	commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Fri Apr 28 10:28:04 2017 +0100
		4
		5	Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary.
		6
		7	PR binutils/21438
		8	* dwarf.c (process_extended_line_op): Do not assume that the
		9	string extracted from the section is NUL terminated.
		10	(fetch_indirect_string): If the string retrieved from the section
		11	is not NUL terminated, return an error message.
		12	(fetch_indirect_line_string): Likewise.
		13	(fetch_indexed_string): Likewise.
		14
		15	Upstream-Status: Backport
		16
		17	CVE: CVE-2017-8398
		18	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		19
		20	Index: git/binutils/dwarf.c
		21	===================================================================
		22	--- git.orig/binutils/dwarf.c 2017-09-20 13:40:17.148898512 +0530
		23	+++ git/binutils/dwarf.c 2017-09-20 13:45:17.564730907 +0530
		24	@@ -472,15 +472,20 @@
		25	printf (_(" Entry\tDir\tTime\tSize\tName\n"));
		26	printf (" %d\t", ++state_machine_regs.last_file_entry);
		27
		28	- name = data;
		29	- data += strnlen ((char *) data, end - data) + 1;
		30	- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
		31	- data += bytes_read;
		32	- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
		33	- data += bytes_read;
		34	- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
		35	- data += bytes_read;
		36	- printf ("%s\n\n", name);
		37	+ {
		38	+ size_t l;
		39	+
		40	+ name = data;
		41	+ l = strnlen ((char *) data, end - data);
		42	+ data += len + 1;
		43	+ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
		44	+ data += bytes_read;
		45	+ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
		46	+ data += bytes_read;
		47	+ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
		48	+ data += bytes_read;
		49	+ printf ("%.*s\n\n", (int) l, name);
		50	+ }
		51
		52	if (((unsigned int) (data - orig_data) != len) \|\| data == end)
		53	warn (_("DW_LNE_define_file: Bad opcode length\n"));
		54	@@ -597,18 +602,28 @@
		55	fetch_indirect_string (dwarf_vma offset)
		56	{
		57	struct dwarf_section *section = &debug_displays [str].section;
		58	+ const unsigned char * ret;
		59
		60	if (section->start == NULL)
		61	return (const unsigned char *) _("<no .debug_str section>");
		62
		63	- if (offset > section->size)
		64	+ if (offset >= section->size)
		65	{
		66	warn (_("DW_FORM_strp offset too big: %s\n"),
		67	dwarf_vmatoa ("x", offset));
		68	return (const unsigned char *) _("<offset is too big>");
		69	}
		70
		71	- return (const unsigned char *) section->start + offset;
		72	+ ret = section->start + offset;
		73	+ /* Unfortunately we cannot rely upon the .debug_str section ending with a
		74	+ NUL byte. Since our caller is expecting to receive a well formed C
		75	+ string we test for the lack of a terminating byte here. */
		76	+ if (strnlen ((const char *) ret, section->size - offset)
		77	+ == section->size - offset)
		78	+ ret = (const unsigned char *)
		79	+ _("<no NUL byte at end of .debug_str section>");
		80	+
		81	+ return ret;
		82	}
		83
		84	static const char *
		85	@@ -621,6 +636,7 @@
		86	struct dwarf_section *str_section = &debug_displays [str_sec_idx].section;
		87	dwarf_vma index_offset = idx * offset_size;
		88	dwarf_vma str_offset;
		89	+ const char * ret;
		90
		91	if (index_section->start == NULL)
		92	return (dwo ? _("<no .debug_str_offsets.dwo section>")
		93	@@ -628,7 +644,7 @@
		94
		95	if (this_set != NULL)
		96	index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
		97	- if (index_offset > index_section->size)
		98	+ if (index_offset >= index_section->size)
		99	{
		100	warn (_("DW_FORM_GNU_str_index offset too big: %s\n"),
		101	dwarf_vmatoa ("x", index_offset));
		102	@@ -641,14 +657,22 @@
		103
		104	str_offset = byte_get (index_section->start + index_offset, offset_size);
		105	str_offset -= str_section->address;
		106	- if (str_offset > str_section->size)
		107	+ if (str_offset >= str_section->size)
		108	{
		109	warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"),
		110	dwarf_vmatoa ("x", str_offset));
		111	return _("<indirect index offset is too big>");
		112	}
		113
		114	- return (const char *) str_section->start + str_offset;
		115	+ ret = (const char *) str_section->start + str_offset;
		116	+ /* Unfortunately we cannot rely upon str_section ending with a NUL byte.
		117	+ Since our caller is expecting to receive a well formed C string we test
		118	+ for the lack of a terminating byte here. */
		119	+ if (strnlen (ret, str_section->size - str_offset)
		120	+ == str_section->size - str_offset)
		121	+ ret = (const char *) _("<no NUL byte at end of section>");
		122	+
		123	+ return ret;
		124	}
		125
		126	static const char *
		127	Index: git/binutils/ChangeLog
		128	===================================================================
		129	--- git.orig/binutils/ChangeLog 2017-09-20 13:40:18.900898599 +0530
		130	+++ git/binutils/ChangeLog 2017-09-20 13:48:02.976503560 +0530
		131	@@ -10,6 +10,16 @@
		132	* objdump.c (dump_relocs_in_section): Check for an excessive
		133	number of relocs before attempting to dump them.
		134
		135	+2017-04-28 Nick Clifton <nickc@redhat.com>
		136	+
		137	+ PR binutils/21438
		138	+ * dwarf.c (process_extended_line_op): Do not assume that the
		139	+ string extracted from the section is NUL terminated.
		140	+ (fetch_indirect_string): If the string retrieved from the section
		141	+ is not NUL terminated, return an error message.
		142	+ (fetch_indirect_line_string): Likewise.
		143	+ (fetch_indexed_string): Likewise.
		144	+
		145	2017-02-14 Nick Clifton <nickc@redhat.com>
		146
		147	PR binutils/21157