diff options
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.28.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch | 247 |
2 files changed, 248 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index b88e154f1d..c63a2e5bab 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc | |||
@@ -61,6 +61,7 @@ SRC_URI = "\ | |||
61 | file://CVE-2017-9747.patch \ | 61 | file://CVE-2017-9747.patch \ |
62 | file://CVE-2017-9748.patch \ | 62 | file://CVE-2017-9748.patch \ |
63 | file://CVE-2017-9749.patch \ | 63 | file://CVE-2017-9749.patch \ |
64 | file://CVE-2017-9750.patch \ | ||
64 | " | 65 | " |
65 | S = "${WORKDIR}/git" | 66 | S = "${WORKDIR}/git" |
66 | 67 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch new file mode 100644 index 0000000000..fe8fa69344 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9750.patch | |||
@@ -0,0 +1,247 @@ | |||
1 | From db5fa770268baf8cc82cf9b141d69799fd485fe2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Wed, 14 Jun 2017 13:35:06 +0100 | ||
4 | Subject: [PATCH] Fix address violation problems when disassembling a corrupt | ||
5 | RX binary. | ||
6 | |||
7 | PR binutils/21587 | ||
8 | * rx-decode.opc: Include libiberty.h | ||
9 | (GET_SCALE): New macro - validates access to SCALE array. | ||
10 | (GET_PSCALE): New macro - validates access to PSCALE array. | ||
11 | (DIs, SIs, S2Is, rx_disp): Use new macros. | ||
12 | * rx-decode.c: Regenerate. | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | CVE: CVE-2017-9750 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | opcodes/ChangeLog | 9 +++++++++ | ||
20 | opcodes/rx-decode.c | 24 ++++++++++++++---------- | ||
21 | opcodes/rx-decode.opc | 24 ++++++++++++++---------- | ||
22 | 3 files changed, 37 insertions(+), 20 deletions(-) | ||
23 | |||
24 | Index: git/opcodes/rx-decode.c | ||
25 | =================================================================== | ||
26 | --- git.orig/opcodes/rx-decode.c | ||
27 | +++ git/opcodes/rx-decode.c | ||
28 | @@ -27,6 +27,7 @@ | ||
29 | #include <string.h> | ||
30 | #include "ansidecl.h" | ||
31 | #include "opcode/rx.h" | ||
32 | +#include "libiberty.h" | ||
33 | |||
34 | #define RX_OPCODE_BIG_ENDIAN 0 | ||
35 | |||
36 | @@ -45,7 +46,7 @@ static int trace = 0; | ||
37 | #define LSIZE 2 | ||
38 | |||
39 | /* These are for when the upper bits are "don't care" or "undefined". */ | ||
40 | -static int bwl[] = | ||
41 | +static int bwl[4] = | ||
42 | { | ||
43 | RX_Byte, | ||
44 | RX_Word, | ||
45 | @@ -53,7 +54,7 @@ static int bwl[] = | ||
46 | RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ | ||
47 | }; | ||
48 | |||
49 | -static int sbwl[] = | ||
50 | +static int sbwl[4] = | ||
51 | { | ||
52 | RX_SByte, | ||
53 | RX_SWord, | ||
54 | @@ -61,7 +62,7 @@ static int sbwl[] = | ||
55 | RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ | ||
56 | }; | ||
57 | |||
58 | -static int ubw[] = | ||
59 | +static int ubw[4] = | ||
60 | { | ||
61 | RX_UByte, | ||
62 | RX_UWord, | ||
63 | @@ -69,7 +70,7 @@ static int ubw[] = | ||
64 | RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ | ||
65 | }; | ||
66 | |||
67 | -static int memex[] = | ||
68 | +static int memex[4] = | ||
69 | { | ||
70 | RX_SByte, | ||
71 | RX_SWord, | ||
72 | @@ -89,6 +90,9 @@ static int SCALE[] = { 1, 2, 4, 0 }; | ||
73 | /* This is for the prefix size enum. */ | ||
74 | static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 }; | ||
75 | |||
76 | +#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0) | ||
77 | +#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0) | ||
78 | + | ||
79 | static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0, | ||
80 | 16, 17, 0, 0, 0, 0, 0, 0 }; | ||
81 | |||
82 | @@ -107,7 +111,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, | ||
83 | #define DC(c) OP (0, RX_Operand_Immediate, 0, c) | ||
84 | #define DR(r) OP (0, RX_Operand_Register, r, 0) | ||
85 | #define DI(r,a) OP (0, RX_Operand_Indirect, r, a) | ||
86 | -#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s]) | ||
87 | +#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) | ||
88 | #define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld); | ||
89 | #define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0) | ||
90 | |||
91 | @@ -115,7 +119,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, | ||
92 | #define SR(r) OP (1, RX_Operand_Register, r, 0) | ||
93 | #define SRR(r) OP (1, RX_Operand_TwoReg, r, 0) | ||
94 | #define SI(r,a) OP (1, RX_Operand_Indirect, r, a) | ||
95 | -#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s]) | ||
96 | +#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) | ||
97 | #define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld); | ||
98 | #define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1); | ||
99 | #define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m]; | ||
100 | @@ -124,7 +128,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, | ||
101 | #define S2C(i) OP (2, RX_Operand_Immediate, 0, i) | ||
102 | #define S2R(r) OP (2, RX_Operand_Register, r, 0) | ||
103 | #define S2I(r,a) OP (2, RX_Operand_Indirect, r, a) | ||
104 | -#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s]) | ||
105 | +#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) | ||
106 | #define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld); | ||
107 | #define S2P(t,r) rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2); | ||
108 | #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m]; | ||
109 | @@ -211,7 +215,7 @@ immediate (int sfield, int ex, LocalData | ||
110 | } | ||
111 | |||
112 | static void | ||
113 | -rx_disp (int n, int type, int reg, int size, LocalData * ld) | ||
114 | +rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld) | ||
115 | { | ||
116 | int disp; | ||
117 | |||
118 | @@ -228,7 +232,7 @@ rx_disp (int n, int type, int reg, int s | ||
119 | case 1: | ||
120 | ld->rx->op[n].type = RX_Operand_Indirect; | ||
121 | disp = GETBYTE (); | ||
122 | - ld->rx->op[n].addend = disp * PSCALE[size]; | ||
123 | + ld->rx->op[n].addend = disp * GET_PSCALE (size); | ||
124 | break; | ||
125 | case 2: | ||
126 | ld->rx->op[n].type = RX_Operand_Indirect; | ||
127 | @@ -238,7 +242,7 @@ rx_disp (int n, int type, int reg, int s | ||
128 | #else | ||
129 | disp = disp + GETBYTE () * 256; | ||
130 | #endif | ||
131 | - ld->rx->op[n].addend = disp * PSCALE[size]; | ||
132 | + ld->rx->op[n].addend = disp * GET_PSCALE (size); | ||
133 | break; | ||
134 | default: | ||
135 | abort (); | ||
136 | Index: git/opcodes/rx-decode.opc | ||
137 | =================================================================== | ||
138 | --- git.orig/opcodes/rx-decode.opc | ||
139 | +++ git/opcodes/rx-decode.opc | ||
140 | @@ -26,6 +26,7 @@ | ||
141 | #include <string.h> | ||
142 | #include "ansidecl.h" | ||
143 | #include "opcode/rx.h" | ||
144 | +#include "libiberty.h" | ||
145 | |||
146 | #define RX_OPCODE_BIG_ENDIAN 0 | ||
147 | |||
148 | @@ -44,7 +45,7 @@ static int trace = 0; | ||
149 | #define LSIZE 2 | ||
150 | |||
151 | /* These are for when the upper bits are "don't care" or "undefined". */ | ||
152 | -static int bwl[] = | ||
153 | +static int bwl[4] = | ||
154 | { | ||
155 | RX_Byte, | ||
156 | RX_Word, | ||
157 | @@ -52,7 +53,7 @@ static int bwl[] = | ||
158 | RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ | ||
159 | }; | ||
160 | |||
161 | -static int sbwl[] = | ||
162 | +static int sbwl[4] = | ||
163 | { | ||
164 | RX_SByte, | ||
165 | RX_SWord, | ||
166 | @@ -60,7 +61,7 @@ static int sbwl[] = | ||
167 | RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ | ||
168 | }; | ||
169 | |||
170 | -static int ubw[] = | ||
171 | +static int ubw[4] = | ||
172 | { | ||
173 | RX_UByte, | ||
174 | RX_UWord, | ||
175 | @@ -68,7 +69,7 @@ static int ubw[] = | ||
176 | RX_Bad_Size /* Bogus instructions can have a size field set to 3. */ | ||
177 | }; | ||
178 | |||
179 | -static int memex[] = | ||
180 | +static int memex[4] = | ||
181 | { | ||
182 | RX_SByte, | ||
183 | RX_SWord, | ||
184 | @@ -88,6 +89,9 @@ static int SCALE[] = { 1, 2, 4, 0 }; | ||
185 | /* This is for the prefix size enum. */ | ||
186 | static int PSCALE[] = { 4, 1, 1, 1, 2, 2, 2, 3, 4 }; | ||
187 | |||
188 | +#define GET_SCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (SCALE) ? SCALE[(_indx)] : 0) | ||
189 | +#define GET_PSCALE(_indx) ((unsigned)(_indx) < ARRAY_SIZE (PSCALE) ? PSCALE[(_indx)] : 0) | ||
190 | + | ||
191 | static int flagmap[] = {0, 1, 2, 3, 0, 0, 0, 0, | ||
192 | 16, 17, 0, 0, 0, 0, 0, 0 }; | ||
193 | |||
194 | @@ -106,7 +110,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, | ||
195 | #define DC(c) OP (0, RX_Operand_Immediate, 0, c) | ||
196 | #define DR(r) OP (0, RX_Operand_Register, r, 0) | ||
197 | #define DI(r,a) OP (0, RX_Operand_Indirect, r, a) | ||
198 | -#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * SCALE[s]) | ||
199 | +#define DIs(r,a,s) OP (0, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) | ||
200 | #define DD(t,r,s) rx_disp (0, t, r, bwl[s], ld); | ||
201 | #define DF(r) OP (0, RX_Operand_Flag, flagmap[r], 0) | ||
202 | |||
203 | @@ -114,7 +118,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, | ||
204 | #define SR(r) OP (1, RX_Operand_Register, r, 0) | ||
205 | #define SRR(r) OP (1, RX_Operand_TwoReg, r, 0) | ||
206 | #define SI(r,a) OP (1, RX_Operand_Indirect, r, a) | ||
207 | -#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * SCALE[s]) | ||
208 | +#define SIs(r,a,s) OP (1, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) | ||
209 | #define SD(t,r,s) rx_disp (1, t, r, bwl[s], ld); | ||
210 | #define SP(t,r) rx_disp (1, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 1); | ||
211 | #define SPm(t,r,m) rx_disp (1, t, r, memex[m], ld); rx->op[1].size = memex[m]; | ||
212 | @@ -123,7 +127,7 @@ static int dsp3map[] = { 8, 9, 10, 3, 4, | ||
213 | #define S2C(i) OP (2, RX_Operand_Immediate, 0, i) | ||
214 | #define S2R(r) OP (2, RX_Operand_Register, r, 0) | ||
215 | #define S2I(r,a) OP (2, RX_Operand_Indirect, r, a) | ||
216 | -#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * SCALE[s]) | ||
217 | +#define S2Is(r,a,s) OP (2, RX_Operand_Indirect, r, (a) * GET_SCALE (s)) | ||
218 | #define S2D(t,r,s) rx_disp (2, t, r, bwl[s], ld); | ||
219 | #define S2P(t,r) rx_disp (2, t, r, (t!=3) ? RX_UByte : RX_Long, ld); P(t, 2); | ||
220 | #define S2Pm(t,r,m) rx_disp (2, t, r, memex[m], ld); rx->op[2].size = memex[m]; | ||
221 | @@ -210,7 +214,7 @@ immediate (int sfield, int ex, LocalData | ||
222 | } | ||
223 | |||
224 | static void | ||
225 | -rx_disp (int n, int type, int reg, int size, LocalData * ld) | ||
226 | +rx_disp (int n, int type, int reg, unsigned int size, LocalData * ld) | ||
227 | { | ||
228 | int disp; | ||
229 | |||
230 | @@ -227,7 +231,7 @@ rx_disp (int n, int type, int reg, int s | ||
231 | case 1: | ||
232 | ld->rx->op[n].type = RX_Operand_Indirect; | ||
233 | disp = GETBYTE (); | ||
234 | - ld->rx->op[n].addend = disp * PSCALE[size]; | ||
235 | + ld->rx->op[n].addend = disp * GET_PSCALE (size); | ||
236 | break; | ||
237 | case 2: | ||
238 | ld->rx->op[n].type = RX_Operand_Indirect; | ||
239 | @@ -237,7 +241,7 @@ rx_disp (int n, int type, int reg, int s | ||
240 | #else | ||
241 | disp = disp + GETBYTE () * 256; | ||
242 | #endif | ||
243 | - ld->rx->op[n].addend = disp * PSCALE[size]; | ||
244 | + ld->rx->op[n].addend = disp * GET_PSCALE (size); | ||
245 | break; | ||
246 | default: | ||
247 | abort (); | ||