diff options
author | Armin Kuster <akuster808@gmail.com> | 2017-11-26 12:54:25 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-12-11 22:02:58 +0000 |
commit | 5d2f47f2a205919a036c556349630e608b75e762 (patch) | |
tree | f6f57153e7e6581325d16a5f2af06ba59b5fa0b0 /meta | |
parent | 640706066cc74667e16dd0a4014a417418fcad3c (diff) | |
download | poky-5d2f47f2a205919a036c556349630e608b75e762.tar.gz |
binutils: Security fix for CVE-2017-8398
Affects: <= 2.28
(From OE-Core rev: 8bbed39afd0d4197e39db587f41cd301726c2958)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.28.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch | 147 |
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index ca78a30bb7..d58d7b86cc 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc | |||
@@ -49,6 +49,7 @@ SRC_URI = "\ | |||
49 | file://CVE-2017-8394.patch \ | 49 | file://CVE-2017-8394.patch \ |
50 | file://CVE-2017-8395.patch \ | 50 | file://CVE-2017-8395.patch \ |
51 | file://CVE-2017-8396_8397.patch \ | 51 | file://CVE-2017-8396_8397.patch \ |
52 | file://CVE-2017-8398.patch \ | ||
52 | " | 53 | " |
53 | S = "${WORKDIR}/git" | 54 | S = "${WORKDIR}/git" |
54 | 55 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch new file mode 100644 index 0000000000..5b9acc8cfa --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch | |||
@@ -0,0 +1,147 @@ | |||
1 | From d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Fri, 28 Apr 2017 10:28:04 +0100 | ||
4 | Subject: [PATCH] Fix heap-buffer overflow bugs caused when dumping debug | ||
5 | information from a corrupt binary. | ||
6 | |||
7 | PR binutils/21438 | ||
8 | * dwarf.c (process_extended_line_op): Do not assume that the | ||
9 | string extracted from the section is NUL terminated. | ||
10 | (fetch_indirect_string): If the string retrieved from the section | ||
11 | is not NUL terminated, return an error message. | ||
12 | (fetch_indirect_line_string): Likewise. | ||
13 | (fetch_indexed_string): Likewise. | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | CVE: CVE-2017-8398 | ||
17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
18 | |||
19 | --- | ||
20 | binutils/ChangeLog | 10 +++++++++ | ||
21 | binutils/dwarf.c | 66 +++++++++++++++++++++++++++++++++++++++++------------- | ||
22 | 2 files changed, 60 insertions(+), 16 deletions(-) | ||
23 | |||
24 | Index: git/binutils/dwarf.c | ||
25 | =================================================================== | ||
26 | --- git.orig/binutils/dwarf.c | ||
27 | +++ git/binutils/dwarf.c | ||
28 | @@ -472,15 +472,20 @@ process_extended_line_op (unsigned char | ||
29 | printf (_(" Entry\tDir\tTime\tSize\tName\n")); | ||
30 | printf (" %d\t", ++state_machine_regs.last_file_entry); | ||
31 | |||
32 | - name = data; | ||
33 | - data += strnlen ((char *) data, end - data) + 1; | ||
34 | - printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
35 | - data += bytes_read; | ||
36 | - printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
37 | - data += bytes_read; | ||
38 | - printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
39 | - data += bytes_read; | ||
40 | - printf ("%s\n\n", name); | ||
41 | + { | ||
42 | + size_t l; | ||
43 | + | ||
44 | + name = data; | ||
45 | + l = strnlen ((char *) data, end - data); | ||
46 | + data += len + 1; | ||
47 | + printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
48 | + data += bytes_read; | ||
49 | + printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
50 | + data += bytes_read; | ||
51 | + printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
52 | + data += bytes_read; | ||
53 | + printf ("%.*s\n\n", (int) l, name); | ||
54 | + } | ||
55 | |||
56 | if (((unsigned int) (data - orig_data) != len) || data == end) | ||
57 | warn (_("DW_LNE_define_file: Bad opcode length\n")); | ||
58 | @@ -597,18 +602,27 @@ static const unsigned char * | ||
59 | fetch_indirect_string (dwarf_vma offset) | ||
60 | { | ||
61 | struct dwarf_section *section = &debug_displays [str].section; | ||
62 | + const unsigned char * ret; | ||
63 | |||
64 | if (section->start == NULL) | ||
65 | return (const unsigned char *) _("<no .debug_str section>"); | ||
66 | |||
67 | - if (offset > section->size) | ||
68 | + if (offset >= section->size) | ||
69 | { | ||
70 | warn (_("DW_FORM_strp offset too big: %s\n"), | ||
71 | dwarf_vmatoa ("x", offset)); | ||
72 | return (const unsigned char *) _("<offset is too big>"); | ||
73 | } | ||
74 | + ret = section->start + offset; | ||
75 | + /* Unfortunately we cannot rely upon the .debug_str section ending with a | ||
76 | + NUL byte. Since our caller is expecting to receive a well formed C | ||
77 | + string we test for the lack of a terminating byte here. */ | ||
78 | + if (strnlen ((const char *) ret, section->size - offset) | ||
79 | + == section->size - offset) | ||
80 | + ret = (const unsigned char *) | ||
81 | + _("<no NUL byte at end of .debug_str section>"); | ||
82 | |||
83 | - return (const unsigned char *) section->start + offset; | ||
84 | + return ret; | ||
85 | } | ||
86 | |||
87 | static const char * | ||
88 | @@ -621,6 +635,7 @@ fetch_indexed_string (dwarf_vma idx, str | ||
89 | struct dwarf_section *str_section = &debug_displays [str_sec_idx].section; | ||
90 | dwarf_vma index_offset = idx * offset_size; | ||
91 | dwarf_vma str_offset; | ||
92 | + const char * ret; | ||
93 | |||
94 | if (index_section->start == NULL) | ||
95 | return (dwo ? _("<no .debug_str_offsets.dwo section>") | ||
96 | @@ -628,7 +643,7 @@ fetch_indexed_string (dwarf_vma idx, str | ||
97 | |||
98 | if (this_set != NULL) | ||
99 | index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; | ||
100 | - if (index_offset > index_section->size) | ||
101 | + if (index_offset >= index_section->size) | ||
102 | { | ||
103 | warn (_("DW_FORM_GNU_str_index offset too big: %s\n"), | ||
104 | dwarf_vmatoa ("x", index_offset)); | ||
105 | @@ -641,14 +656,22 @@ fetch_indexed_string (dwarf_vma idx, str | ||
106 | |||
107 | str_offset = byte_get (index_section->start + index_offset, offset_size); | ||
108 | str_offset -= str_section->address; | ||
109 | - if (str_offset > str_section->size) | ||
110 | + if (str_offset >= str_section->size) | ||
111 | { | ||
112 | warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"), | ||
113 | dwarf_vmatoa ("x", str_offset)); | ||
114 | return _("<indirect index offset is too big>"); | ||
115 | } | ||
116 | |||
117 | - return (const char *) str_section->start + str_offset; | ||
118 | + ret = (const char *) str_section->start + str_offset; | ||
119 | + /* Unfortunately we cannot rely upon str_section ending with a NUL byte. | ||
120 | + Since our caller is expecting to receive a well formed C string we test | ||
121 | + for the lack of a terminating byte here. */ | ||
122 | + if (strnlen (ret, str_section->size - str_offset) | ||
123 | + == str_section->size - str_offset) | ||
124 | + ret = (const char *) _("<no NUL byte at end of section>"); | ||
125 | + | ||
126 | + return ret; | ||
127 | } | ||
128 | |||
129 | static const char * | ||
130 | Index: git/binutils/ChangeLog | ||
131 | =================================================================== | ||
132 | --- git.orig/binutils/ChangeLog | ||
133 | +++ git/binutils/ChangeLog | ||
134 | @@ -1,3 +1,13 @@ | ||
135 | +2017-04-28 Nick Clifton <nickc@redhat.com> | ||
136 | + | ||
137 | + PR binutils/21438 | ||
138 | + * dwarf.c (process_extended_line_op): Do not assume that the | ||
139 | + string extracted from the section is NUL terminated. | ||
140 | + (fetch_indirect_string): If the string retrieved from the section | ||
141 | + is not NUL terminated, return an error message. | ||
142 | + (fetch_indirect_line_string): Likewise. | ||
143 | + (fetch_indexed_string): Likewise. | ||
144 | + | ||
145 | 2017-02-14 Nick Clifton <nickc@redhat.com> | ||
146 | |||
147 | PR binutils/21157 | ||