summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-devtools/binutils')
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.27.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch147
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index a455b0192c..35e26fc0dd 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -75,6 +75,7 @@ SRC_URI = "\
75 file://CVE-2017-8421.patch \ 75 file://CVE-2017-8421.patch \
76 file://CVE-2017-8394_1.patch \ 76 file://CVE-2017-8394_1.patch \
77 file://CVE-2017-8394.patch \ 77 file://CVE-2017-8394.patch \
78 file://CVE-2017-8398.patch \
78" 79"
79S = "${WORKDIR}/git" 80S = "${WORKDIR}/git"
80 81
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
new file mode 100644
index 0000000000..23d5085b16
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch
@@ -0,0 +1,147 @@
1commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34
2Author: Nick Clifton <nickc@redhat.com>
3Date: Fri Apr 28 10:28:04 2017 +0100
4
5 Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary.
6
7 PR binutils/21438
8 * dwarf.c (process_extended_line_op): Do not assume that the
9 string extracted from the section is NUL terminated.
10 (fetch_indirect_string): If the string retrieved from the section
11 is not NUL terminated, return an error message.
12 (fetch_indirect_line_string): Likewise.
13 (fetch_indexed_string): Likewise.
14
15Upstream-Status: Backport
16
17CVE: CVE-2017-8398
18Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
19
20Index: git/binutils/dwarf.c
21===================================================================
22--- git.orig/binutils/dwarf.c 2017-09-20 13:40:17.148898512 +0530
23+++ git/binutils/dwarf.c 2017-09-20 13:45:17.564730907 +0530
24@@ -472,15 +472,20 @@
25 printf (_(" Entry\tDir\tTime\tSize\tName\n"));
26 printf (" %d\t", ++state_machine_regs.last_file_entry);
27
28- name = data;
29- data += strnlen ((char *) data, end - data) + 1;
30- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
31- data += bytes_read;
32- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
33- data += bytes_read;
34- printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
35- data += bytes_read;
36- printf ("%s\n\n", name);
37+ {
38+ size_t l;
39+
40+ name = data;
41+ l = strnlen ((char *) data, end - data);
42+ data += len + 1;
43+ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
44+ data += bytes_read;
45+ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
46+ data += bytes_read;
47+ printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end)));
48+ data += bytes_read;
49+ printf ("%.*s\n\n", (int) l, name);
50+ }
51
52 if (((unsigned int) (data - orig_data) != len) || data == end)
53 warn (_("DW_LNE_define_file: Bad opcode length\n"));
54@@ -597,18 +602,28 @@
55 fetch_indirect_string (dwarf_vma offset)
56 {
57 struct dwarf_section *section = &debug_displays [str].section;
58+ const unsigned char * ret;
59
60 if (section->start == NULL)
61 return (const unsigned char *) _("<no .debug_str section>");
62
63- if (offset > section->size)
64+ if (offset >= section->size)
65 {
66 warn (_("DW_FORM_strp offset too big: %s\n"),
67 dwarf_vmatoa ("x", offset));
68 return (const unsigned char *) _("<offset is too big>");
69 }
70
71- return (const unsigned char *) section->start + offset;
72+ ret = section->start + offset;
73+ /* Unfortunately we cannot rely upon the .debug_str section ending with a
74+ NUL byte. Since our caller is expecting to receive a well formed C
75+ string we test for the lack of a terminating byte here. */
76+ if (strnlen ((const char *) ret, section->size - offset)
77+ == section->size - offset)
78+ ret = (const unsigned char *)
79+ _("<no NUL byte at end of .debug_str section>");
80+
81+ return ret;
82 }
83
84 static const char *
85@@ -621,6 +636,7 @@
86 struct dwarf_section *str_section = &debug_displays [str_sec_idx].section;
87 dwarf_vma index_offset = idx * offset_size;
88 dwarf_vma str_offset;
89+ const char * ret;
90
91 if (index_section->start == NULL)
92 return (dwo ? _("<no .debug_str_offsets.dwo section>")
93@@ -628,7 +644,7 @@
94
95 if (this_set != NULL)
96 index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS];
97- if (index_offset > index_section->size)
98+ if (index_offset >= index_section->size)
99 {
100 warn (_("DW_FORM_GNU_str_index offset too big: %s\n"),
101 dwarf_vmatoa ("x", index_offset));
102@@ -641,14 +657,22 @@
103
104 str_offset = byte_get (index_section->start + index_offset, offset_size);
105 str_offset -= str_section->address;
106- if (str_offset > str_section->size)
107+ if (str_offset >= str_section->size)
108 {
109 warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"),
110 dwarf_vmatoa ("x", str_offset));
111 return _("<indirect index offset is too big>");
112 }
113
114- return (const char *) str_section->start + str_offset;
115+ ret = (const char *) str_section->start + str_offset;
116+ /* Unfortunately we cannot rely upon str_section ending with a NUL byte.
117+ Since our caller is expecting to receive a well formed C string we test
118+ for the lack of a terminating byte here. */
119+ if (strnlen (ret, str_section->size - str_offset)
120+ == str_section->size - str_offset)
121+ ret = (const char *) _("<no NUL byte at end of section>");
122+
123+ return ret;
124 }
125
126 static const char *
127Index: git/binutils/ChangeLog
128===================================================================
129--- git.orig/binutils/ChangeLog 2017-09-20 13:40:18.900898599 +0530
130+++ git/binutils/ChangeLog 2017-09-20 13:48:02.976503560 +0530
131@@ -10,6 +10,16 @@
132 * objdump.c (dump_relocs_in_section): Check for an excessive
133 number of relocs before attempting to dump them.
134
135+2017-04-28 Nick Clifton <nickc@redhat.com>
136+
137+ PR binutils/21438
138+ * dwarf.c (process_extended_line_op): Do not assume that the
139+ string extracted from the section is NUL terminated.
140+ (fetch_indirect_string): If the string retrieved from the section
141+ is not NUL terminated, return an error message.
142+ (fetch_indirect_line_string): Likewise.
143+ (fetch_indexed_string): Likewise.
144+
145 2017-02-14 Nick Clifton <nickc@redhat.com>
146
147 PR binutils/21157