author | Thiruvadi Rajaraman <trajaraman@mvista.com> | 2017-09-21 19:21:03 +0530 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-07 17:10:08 +0000 |
commit | d2b21b2a14a6f18f5185cb77fab7903762b52af8 (patch) | |
tree | f0ecf3755683b2f7608898add58d1fc41c2b4f34 /meta | |
parent | bf0d750159d671626ca0b2d605c951010a54e6c7 (diff) | |
download | poky-d2b21b2a14a6f18f5185cb77fab7903762b52af8.tar.gz |
binutils: CVE-2017-9750
Source: binutils-gdb.git
MR: 73997
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 36893e1db9214b4da972a1eeb482be34405f0410
Description:
Fix address violation problems when disassembling a corrupt RX binary.
PR binutils/21587
* rx-decode.opc: Include libiberty.h
(GET_SCALE): New macro - validates access to SCALE array.
(GET_PSCALE): New macro - validates access to PSCALE array.
(DIs, SIs, S2Is, rx_disp): Use new macros.
* rx-decode.c: Regenerate.
Affects: <= 2.28
Author: Nick Clifton <nickc@redhat.com>
(From OE-Core rev: d8996fd2bf72fa774202724864ef014592a16ece)
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.27.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch | 262 |
2 files changed, 263 insertions, 0 deletions
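--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -83,6 +83,7 @@ SRC_URI = "\
 file://CVE-2017-9746.patch \
 file://CVE-2017-9748.patch \
 file://CVE-2017-9747.patch \
+file://CVE-2017-9750.patch \
 "
 S = "${WORKDIR}/git"
 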
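--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch
@@ -0,0 +1,262 @@
+commit db5fa770268baf8cc82cf9b141d69799fd485fe2
+Author: Nick Clifton <nickc@redhat.com>
+Date: Wed Jun 14 13:35:06 2017 +0100
+
+Fix address violation problems when disassembling a corrupt RX binary.
+
+PR binutils/21587
+* rx-decode.opc: Include libiberty.h
+(GET_SCALE): New macro - validates access to SCALE array.
+(GET_PSCALE): New macro - validates access to PSCALE array.
+(DIs, SIs, S2Is, rx_disp): Use new macros.
+* rx-decode.c: Regenerate.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9750
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/opcodes/rx-decode.c
+===================================================================
+--- git.orig/opcodes/rx-decode.c 2017-09-21 14:41:57.478649861 +0530
++++ git/opcodes/rx-decode.c 2017-09-21 14:41:57.458649736 +0530
+@@ -27,6 +27,7 @@
+#include <string.h>
+#include "ansidecl.h"
+#include "opcode/rx.h"
++#include "libiberty.h"
+
+#define RX_OPCODE_BIG_ENDIAN 0
+
+@@ -45,7 +46,7 @@
+#define LSIZE 2
+
+/* These are for when the upper bits are "don't care" or "undefined". */
+-static int bwl[] =
++static int bwl[4] =
+{
+RX_Byte,
+RX_Word,
+@@ -53,7 +54,7 @@
+RX_Bad_Size /* Bogus instructions can have a size field set to 3. */
+};
+
+-static int sbwl[] =
++static int sbwl[4] =
+{
+RX_SByte,
+RX_SWord,
+@@ -61,7 +62,7 @@
+RX_Bad_Size /* Bogus instructions can have a size field set to 3. */
+};
+
+-static int ubw[] =
++static int ubw[4] =
+{
+RX_UByte,
+RX_UWord,
+@@ -69,7 +70,7 @@
+RX_Bad_Size /* Bogus instructions can have a size field set to 3. */
+};
+
+-static int memex[] =
++static int memex[4] =
+{
+RX_SByte,
+RX_SWord,
+@@ -89,6 +90,9 @@
+/* This is for the prefix size enum. */
+static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 };
+
++#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0)
++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0)
++
+static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0,
+16, 17, 0, 0, 0, 0, 0, 0 };
+
+@@ -107,7 +111,7 @@
+#define DC(c) OP (0, RX_Operand_Immediate, 0, c)
+#define DR(r) OP (0, RX_Operand_Register, r, 0)
+#define DI(r,a) OP (0, RX_Operand_Indirect, r, a)
+-#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s])
++#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s))
+#define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld);
+#define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0)
+
+@@ -115,7 +119,7 @@
+#define SR(r) OP (1, RX_Operand_Register, r, 0)
+#define SRR(r) OP (1, RX_Operand_TwoReg, r, 0)
+#define SI(r,a) OP (1, RX_Operand_Indirect, r, a)
+-#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s])
++#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s))
+#define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld);
+#define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1);
+#define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m];
+@@ -124,7 +128,7 @@
+#define S2C(i) OP (2, RX_Operand_Immediate, 0, i)
+#define S2R(r) OP (2, RX_Operand_Register, r, 0)
+#define S2I(r,a) OP (2, RX_Operand_Indirect, r, a)
+-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s])
++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s))
+#define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld);
+#define S2P(t,r) rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2);
+#define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m];
+@@ -211,7 +215,7 @@
+}
+
+static void
+-rx_disp (int n, int type, int reg, int size, LocalData * ld)
++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld)
+{
+int disp;
+
+@@ -228,7 +232,7 @@
+case 1:
+ld->rx->op[n].type = RX_Operand_Indirect;
+disp = GETBYTE ();
+- ld->rx->op[n].addend = disp * PSCALE[size];
++ ld->rx->op[n].addend = disp * GET_PSCALE (size);
+break;
+case 2:
+ld->rx->op[n].type = RX_Operand_Indirect;
+@@ -238,7 +242,7 @@
+#else
+disp = disp + GETBYTE () * 256;
+#endif
+- ld->rx->op[n].addend = disp * PSCALE[size];
++ ld->rx->op[n].addend = disp * GET_PSCALE (size);
+break;
+default:
+abort ();
+Index: git/opcodes/rx-decode.opc
+===================================================================
+--- git.orig/opcodes/rx-decode.opc 2017-09-21 14:41:57.478649861 +0530
++++ git/opcodes/rx-decode.opc 2017-09-21 14:41:57.458649736 +0530
+@@ -26,6 +26,7 @@
+#include <string.h>
+#include "ansidecl.h"
+#include "opcode/rx.h"
++#include "libiberty.h"
+
+#define RX_OPCODE_BIG_ENDIAN 0
+
+@@ -44,7 +45,7 @@
+#define LSIZE 2
+
+/* These are for when the upper bits are "don't care" or "undefined". */
+-static int bwl[] =
++static int bwl[4] =
+{
+RX_Byte,
+RX_Word,
+@@ -52,7 +53,7 @@
+RX_Bad_Size /* Bogus instructions can have a size field set to 3. */
+};
+
+-static int sbwl[] =
++static int sbwl[4] =
+{
+RX_SByte,
+RX_SWord,
+@@ -60,7 +61,7 @@
+RX_Bad_Size /* Bogus instructions can have a size field set to 3. */
+};
+
+-static int ubw[] =
++static int ubw[4] =
+{
+RX_UByte,
+RX_UWord,
+@@ -68,7 +69,7 @@
+RX_Bad_Size /* Bogus instructions can have a size field set to 3. */
+};
+
+-static int memex[] =
++static int memex[4] =
+{
+RX_SByte,
+RX_SWord,
+@@ -88,6 +89,9 @@
+/* This is for the prefix size enum. */
+static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 };
+
++#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0)
++#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0)
++
+static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0,
+16, 17, 0, 0, 0, 0, 0, 0 };
+
+@@ -106,7 +110,7 @@
+#define DC(c) OP (0, RX_Operand_Immediate, 0, c)
+#define DR(r) OP (0, RX_Operand_Register, r, 0)
+#define DI(r,a) OP (0, RX_Operand_Indirect, r, a)
+-#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s])
++#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s))
+#define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld);
+#define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0)
+
+@@ -114,7 +118,7 @@
+#define SR(r) OP (1, RX_Operand_Register, r, 0)
+#define SRR(r) OP (1, RX_Operand_TwoReg, r, 0)
+#define SI(r,a) OP (1, RX_Operand_Indirect, r, a)
+-#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s])
++#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s))
+#define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld);
+#define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1);
+#define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m];
+@@ -123,7 +127,7 @@
+#define S2C(i) OP (2, RX_Operand_Immediate, 0, i)
+#define S2R(r) OP (2, RX_Operand_Register, r, 0)
+#define S2I(r,a) OP (2, RX_Operand_Indirect, r, a)
+-#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s])
++#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s))
+#define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld);
+#define S2P(t,r) rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2);
+#define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m];
+@@ -210,7 +214,7 @@
+}
+
+static void
+-rx_disp (int n, int type, int reg, int size, LocalData * ld)
++rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld)
+{
+int disp;
+
+@@ -227,7 +231,7 @@
+case 1:
+ld->rx->op[n].type = RX_Operand_Indirect;
+disp = GETBYTE ();
+- ld->rx->op[n].addend = disp * PSCALE[size];
++ ld->rx->op[n].addend = disp * GET_PSCALE (size);
+break;
+case 2:
+ld->rx->op[n].type = RX_Operand_Indirect;
+@@ -237,7 +241,7 @@
+#else
+disp = disp + GETBYTE () * 256;
+#endif
+- ld->rx->op[n].addend = disp * PSCALE[size];
++ ld->rx->op[n].addend = disp * GET_PSCALE (size);
+break;
+default:
+abort ();
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog 2017-09-21 14:40:17.000000000 +0530
++++ git/opcodes/ChangeLog 2017-09-21 14:44:07.503461009 +0530
+@@ -15,6 +15,15 @@
+array.
+* rl78-decode.c: Regenerate.
+
++2017-06-14 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21587
++ * rx-decode.opc: Include libiberty.h
++ (GET_SCALE): New macro - validates access to SCALE array.
++ (GET_PSCALE): New macro - validates access to PSCALE array.
++ (DIs, SIs, S2Is, rx_disp): Use new macros.
++ * rx-decode.c: Regenerate.
++
+2016-08-03 Tristan Gingold <gingold@adacore.com>
+
+* configure: Regenerate.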
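Review bot: `GET_SCALE` and `GET_PSCALE` in the rx-decode.opc hunk at `@@ -88,6 +89,9 @@` return 0 for an out-of-range index, so a corrupt size field now decodes to an operand with a zero addend instead of being reported as invalid; a comment above the macros, `/* Out-of-range indices come from corrupt input; they yield a scale of 0 rather than an out-of-bounds read. */`, would record that this is deliberate. The neighbouring macros still index their tables directly (`bwl[s]` in `DD`/`SD`/`S2D`, `memex[m]` in `SPm`/`S2Pm`, `flagmap[r]` in `DF`), and pinning the arrays to `[4]` does not by itself bound `s`, `m` or `r`. Whether the decoder masks those fields to the table size is not visible in these hunks, so they need either the same guarded-accessor treatment or a comment stating the range guarantee. The same applies to the hand-patched copy in rx-decode.c, which the ChangeLog describes as regenerated from the .opc file. No corrupt-RX regression input accompanies the backport, so nothing on this page shows the fix exercised against the 2.27 tree.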