author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-11-08 13:41:00 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-07 17:10:09 +0000 |
commit | 7006ecaba3457fe48673b9c1da164a5165453eb0 (patch) | |
tree | de6859ddcbf2d511035530feb90b4bdd4ba2cfa5 /meta | |
parent | 05281ec4a64e22b2c8fcaa153e0f03464800092c (diff) | |
binutils: CVE-2017-15024
Source: binutils-gdb.git
MR: 76524
Type: Security Fix
Disposition: Backport from binutils master
ChangeID: 5f22a66eabb228b655605b964ecd350aee700806
Description:
PR22187, infinite loop in find_abstract_instance_name
This patch prevents the simple case of infinite recursion in
find_abstract_instance_name by ensuring that the attributes being
processed are not the same as the previous call.
The patch also does a little cleanup, and leaves in place some changes
to the nested_funcs array that I made when I wrongly thought looping
might occur in scan_unit_for_symbols.
PR 22187
* dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
pname param. Return status. Make name const. Don't abort,
return an error. Formatting. Exit if current info_ptr matches
orig_info_ptr. Update callers.
(scan_unit_for_symbols): Start at nesting_level of zero. Make
nested_funcs an array of structs for extensibility. Formatting.
Affects: <= 2.29
(From OE-Core rev: 3e88bb5e933ebbf9c3445bac1814dc0ac105bf45)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.27.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch | 241 |
2 files changed, 242 insertions, 0 deletions
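--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -101,6 +101,7 @@ SRC_URI = "\
 file://CVE-2017-9955_8.patch \
 file://CVE-2017-9955_9.patch \
 file://CVE-2017-14729.patch \
+file://CVE-2017-15024.patch \
 "
 S = "${WORKDIR}/git"
 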
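--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
@@ -0,0 +1,241 @@
+commit 52a93b95ec0771c97e26f0bb28630a271a667bd2
+Author: Alan Modra <amodra@gmail.com>
+Date: Sun Sep 24 14:37:16 2017 +0930
+
+PR22187, infinite loop in find_abstract_instance_name
+
+This patch prevents the simple case of infinite recursion in
+find_abstract_instance_name by ensuring that the attributes being
+processed are not the same as the previous call.
+
+The patch also does a little cleanup, and leaves in place some changes
+to the nested_funcs array that I made when I wrongly thought looping
+might occur in scan_unit_for_symbols.
+
+PR 22187
+* dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
+pname param. Return status. Make name const. Don't abort,
+return an error. Formatting. Exit if current info_ptr matches
+orig_info_ptr. Update callers.
+(scan_unit_for_symbols): Start at nesting_level of zero. Make
+nested_funcs an array of structs for extensibility. Formatting.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-15024
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c 2017-11-08 12:44:59.198052588 +0530
++++ git/bfd/dwarf2.c 2017-11-08 12:45:10.670155730 +0530
+@@ -2273,9 +2273,11 @@
+return FALSE;
+}
+
+-static char *
++static bfd_boolean
+find_abstract_instance_name (struct comp_unit *unit,
++ bfd_byte *orig_info_ptr,
+struct attribute *attr_ptr,
++ const char **pname,
+bfd_boolean *is_linkage)
+{
+bfd *abfd = unit->abfd;
+@@ -2285,7 +2287,7 @@
+struct abbrev_info *abbrev;
+bfd_uint64_t die_ref = attr_ptr->u.val;
+struct attribute attr;
+- char *name = NULL;
++ const char *name = NULL;
+
+/* DW_FORM_ref_addr can reference an entry in a different CU. It
+is an offset from the .debug_info section, not the current CU. */
+@@ -2294,7 +2296,12 @@
+/* We only support DW_FORM_ref_addr within the same file, so
+any relocations should be resolved already. */
+if (!die_ref)
+- abort ();
++ {
++ _bfd_error_handler
++ (_("Dwarf Error: Abstract instance DIE ref zero."));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
+
+info_ptr = unit->sec_info_ptr + die_ref;
+info_ptr_end = unit->end_ptr;
+@@ -2329,9 +2336,10 @@
+(*_bfd_error_handler)
+(_("Dwarf Error: Unable to read alt ref %u."), die_ref);
+bfd_set_error (bfd_error_bad_value);
+- return NULL;
++ return FALSE;
+}
+- info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size;
++ info_ptr_end = (unit->stash->alt_dwarf_info_buffer
++ + unit->stash->alt_dwarf_info_size);
+
+/* FIXME: Do we need to locate the correct CU, in a similar
+fashion to the code in the DW_FORM_ref_addr case above ? */
+@@ -2353,6 +2361,7 @@
+(*_bfd_error_handler)
+(_("Dwarf Error: Could not find abbrev number %u."), abbrev_number);
+bfd_set_error (bfd_error_bad_value);
++ return FALSE;
+}
+else
+{
+@@ -2362,6 +2371,15 @@
+info_ptr, info_ptr_end);
+if (info_ptr == NULL)
+break;
++ /* It doesn't ever make sense for DW_AT_specification to
++ refer to the same DIE. Stop simple recursion. */
++ if (info_ptr == orig_info_ptr)
++ {
++ _bfd_error_handler
++ (_("Dwarf Error: Abstract instance recursion detected."));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
+switch (attr.name)
+{
+case DW_AT_name:
+@@ -2375,7 +2393,9 @@
+}
+break;
+case DW_AT_specification:
+- name = find_abstract_instance_name (unit, &attr, is_linkage);
++ if (!find_abstract_instance_name (unit, info_ptr, &attr,
++ pname, is_linkage))
++ return FALSE;
+break;
+case DW_AT_linkage_name:
+case DW_AT_MIPS_linkage_name:
+@@ -2393,7 +2413,8 @@
+}
+}
+}
+- return name;
++ *pname = name;
++ return TRUE;
+}
+
+static bfd_boolean
+@@ -2454,20 +2475,22 @@
+bfd *abfd = unit->abfd;
+bfd_byte *info_ptr = unit->first_child_die_ptr;
+bfd_byte *info_ptr_end = unit->stash->info_ptr_end;
+- int nesting_level = 1;
+- struct funcinfo **nested_funcs;
++ int nesting_level = 0;
++ struct nest_funcinfo {
++ struct funcinfo *func;
++ } *nested_funcs;
+int nested_funcs_size;
+
+/* Maintain a stack of in-scope functions and inlined functions, which we
+can use to set the caller_func field. */
+nested_funcs_size = 32;
+- nested_funcs = (struct funcinfo **)
+- bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *));
++ nested_funcs = (struct nest_funcinfo *)
++ bfd_malloc (nested_funcs_size * sizeof (*nested_funcs));
+if (nested_funcs == NULL)
+return FALSE;
+- nested_funcs[nesting_level] = 0;
++ nested_funcs[nesting_level].func = 0;
+
+- while (nesting_level)
++ while (nesting_level >= 0)
+{
+unsigned int abbrev_number, bytes_read, i;
+struct abbrev_info *abbrev;
+@@ -2516,13 +2539,13 @@
+BFD_ASSERT (!unit->cached);
+
+if (func->tag == DW_TAG_inlined_subroutine)
+- for (i = nesting_level - 1; i >= 1; i--)
+- if (nested_funcs[i])
++ for (i = nesting_level; i-- != 0; )
++ if (nested_funcs[i].func)
+{
+- func->caller_func = nested_funcs[i];
++ func->caller_func = nested_funcs[i].func;
+break;
+}
+- nested_funcs[nesting_level] = func;
++ nested_funcs[nesting_level].func = func;
+}
+else
+{
+@@ -2541,12 +2564,13 @@
+}
+
+/* No inline function in scope at this nesting level. */
+- nested_funcs[nesting_level] = 0;
++ nested_funcs[nesting_level].func = 0;
+}
+
+for (i = 0; i < abbrev->num_attrs; ++i)
+{
+- info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end);
++ info_ptr = read_attribute (&attr, &abbrev->attrs[i],
++ unit, info_ptr, info_ptr_end);
+if (info_ptr == NULL)
+goto fail;
+
+@@ -2565,8 +2589,10 @@
+
+case DW_AT_abstract_origin:
+case DW_AT_specification:
+- func->name = find_abstract_instance_name (unit, &attr,
+- &func->is_linkage);
++ if (!find_abstract_instance_name (unit, info_ptr, &attr,
++ &func->name,
++ &func->is_linkage))
++ goto fail;
+break;
+
+case DW_AT_name:
+@@ -2691,17 +2717,17 @@
+
+if (nesting_level >= nested_funcs_size)
+{
+- struct funcinfo **tmp;
++ struct nest_funcinfo *tmp;
+
+nested_funcs_size *= 2;
+- tmp = (struct funcinfo **)
++ tmp = (struct nest_funcinfo *)
+bfd_realloc (nested_funcs,
+- nested_funcs_size * sizeof (struct funcinfo *));
++ nested_funcs_size * sizeof (*nested_funcs));
+if (tmp == NULL)
+goto fail;
+nested_funcs = tmp;
+}
+- nested_funcs[nesting_level] = 0;
++ nested_funcs[nesting_level].func = 0;
+}
+}
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-11-08 12:45:10.614155229 +0530
++++ git/bfd/ChangeLog 2017-11-08 12:46:55.791054918 +0530
+@@ -1,3 +1,13 @@
++2017-09-24 Alan Modra <amodra@gmail.com>
++
++ PR 22187
++ * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
++ pname param. Return status. Make name const. Don't abort,
++ return an error. Formatting. Exit if current info_ptr matches
++ orig_info_ptr. Update callers.
++ (scan_unit_for_symbols): Start at nesting_level of zero. Make
++ nested_funcs an array of structs for extensibility. Formatting.
++
+2017-09-22 H.J. Lu <hongjiu.lu@intel.com>
+
+PR binutils/22170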
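Review bot: The new guard `if (info_ptr == orig_info_ptr)` in find_abstract_instance_name only catches a DW_AT_specification that points back at the DIE being processed by the immediate caller, so a cycle through two or more DIEs (A → B → A) in a crafted .debug_info section still recurses without bound and exhausts the stack — the patch description itself calls this "the simple case". A recursion depth counter threaded through the call closes every cycle regardless of length: add an `unsigned int recur_count` parameter, fail once it reaches a fixed cap, pass `recur_count + 1` at the recursive DW_AT_specification call, and have the two callers in scan_unit_for_symbols pass 0. The cap is a generous bound rather than a format limit; real DWARF chains are a handful deep, so something like 100 is safe. Separately, the DW_FORM_ref_addr path still computes `info_ptr = unit->sec_info_ptr + die_ref` with no range check visible in this hunk; if nothing between the hunks verifies die_ref against the section size, an out-of-range reference would read past the buffer, which is worth confirming. The bodies of find_abstract_instance_name and scan_unit_for_symbols are only partially shown here, so the exact insertion points lie between the inner hunks.
```c
static bfd_boolean
find_abstract_instance_name (struct comp_unit *unit,
			     bfd_byte *orig_info_ptr,
			     struct attribute *attr_ptr,
			     unsigned int recur_count,
			     const char **pname,
			     bfd_boolean *is_linkage)
{
  /* … unchanged: locals … */
  /* Bound the DW_AT_specification chain so that reference cycles of any
     length fail cleanly instead of exhausting the stack.  */
  if (recur_count == 100)
    {
      _bfd_error_handler
	(_("Dwarf Error: Abstract instance recursion detected."));
      bfd_set_error (bfd_error_bad_value);
      return FALSE;
    }
  /* … unchanged: die_ref resolution, abbrev lookup, attribute loop … */
	    case DW_AT_specification:
	      if (!find_abstract_instance_name (unit, info_ptr, &attr,
						recur_count + 1,
						pname, is_linkage))
		return FALSE;
	      break;
  /* … unchanged: remaining cases … */
```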