diff options
Diffstat (limited to 'meta/recipes-devtools/binutils')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.27.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch | 147 |
2 files changed, 148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index a455b0192c..35e26fc0dd 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc | |||
@@ -75,6 +75,7 @@ SRC_URI = "\ | |||
75 | file://CVE-2017-8421.patch \ | 75 | file://CVE-2017-8421.patch \ |
76 | file://CVE-2017-8394_1.patch \ | 76 | file://CVE-2017-8394_1.patch \ |
77 | file://CVE-2017-8394.patch \ | 77 | file://CVE-2017-8394.patch \ |
78 | file://CVE-2017-8398.patch \ | ||
78 | " | 79 | " |
79 | S = "${WORKDIR}/git" | 80 | S = "${WORKDIR}/git" |
80 | 81 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch new file mode 100644 index 0000000000..23d5085b16 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8398.patch | |||
@@ -0,0 +1,147 @@ | |||
1 | commit d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 | ||
2 | Author: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Fri Apr 28 10:28:04 2017 +0100 | ||
4 | |||
5 | Fix heap-buffer overflow bugs caused when dumping debug information from a corrupt binary. | ||
6 | |||
7 | PR binutils/21438 | ||
8 | * dwarf.c (process_extended_line_op): Do not assume that the | ||
9 | string extracted from the section is NUL terminated. | ||
10 | (fetch_indirect_string): If the string retrieved from the section | ||
11 | is not NUL terminated, return an error message. | ||
12 | (fetch_indirect_line_string): Likewise. | ||
13 | (fetch_indexed_string): Likewise. | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | |||
17 | CVE: CVE-2017-8398 | ||
18 | Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> | ||
19 | |||
20 | Index: git/binutils/dwarf.c | ||
21 | =================================================================== | ||
22 | --- git.orig/binutils/dwarf.c 2017-09-20 13:40:17.148898512 +0530 | ||
23 | +++ git/binutils/dwarf.c 2017-09-20 13:45:17.564730907 +0530 | ||
24 | @@ -472,15 +472,20 @@ | ||
25 | printf (_(" Entry\tDir\tTime\tSize\tName\n")); | ||
26 | printf (" %d\t", ++state_machine_regs.last_file_entry); | ||
27 | |||
28 | - name = data; | ||
29 | - data += strnlen ((char *) data, end - data) + 1; | ||
30 | - printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
31 | - data += bytes_read; | ||
32 | - printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
33 | - data += bytes_read; | ||
34 | - printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
35 | - data += bytes_read; | ||
36 | - printf ("%s\n\n", name); | ||
37 | + { | ||
38 | + size_t l; | ||
39 | + | ||
40 | + name = data; | ||
41 | + l = strnlen ((char *) data, end - data); | ||
42 | + data += len + 1; | ||
43 | + printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
44 | + data += bytes_read; | ||
45 | + printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
46 | + data += bytes_read; | ||
47 | + printf ("%s\t", dwarf_vmatoa ("u", read_uleb128 (data, & bytes_read, end))); | ||
48 | + data += bytes_read; | ||
49 | + printf ("%.*s\n\n", (int) l, name); | ||
50 | + } | ||
51 | |||
52 | if (((unsigned int) (data - orig_data) != len) || data == end) | ||
53 | warn (_("DW_LNE_define_file: Bad opcode length\n")); | ||
54 | @@ -597,18 +602,28 @@ | ||
55 | fetch_indirect_string (dwarf_vma offset) | ||
56 | { | ||
57 | struct dwarf_section *section = &debug_displays [str].section; | ||
58 | + const unsigned char * ret; | ||
59 | |||
60 | if (section->start == NULL) | ||
61 | return (const unsigned char *) _("<no .debug_str section>"); | ||
62 | |||
63 | - if (offset > section->size) | ||
64 | + if (offset >= section->size) | ||
65 | { | ||
66 | warn (_("DW_FORM_strp offset too big: %s\n"), | ||
67 | dwarf_vmatoa ("x", offset)); | ||
68 | return (const unsigned char *) _("<offset is too big>"); | ||
69 | } | ||
70 | |||
71 | - return (const unsigned char *) section->start + offset; | ||
72 | + ret = section->start + offset; | ||
73 | + /* Unfortunately we cannot rely upon the .debug_str section ending with a | ||
74 | + NUL byte. Since our caller is expecting to receive a well formed C | ||
75 | + string we test for the lack of a terminating byte here. */ | ||
76 | + if (strnlen ((const char *) ret, section->size - offset) | ||
77 | + == section->size - offset) | ||
78 | + ret = (const unsigned char *) | ||
79 | + _("<no NUL byte at end of .debug_str section>"); | ||
80 | + | ||
81 | + return ret; | ||
82 | } | ||
83 | |||
84 | static const char * | ||
85 | @@ -621,6 +636,7 @@ | ||
86 | struct dwarf_section *str_section = &debug_displays [str_sec_idx].section; | ||
87 | dwarf_vma index_offset = idx * offset_size; | ||
88 | dwarf_vma str_offset; | ||
89 | + const char * ret; | ||
90 | |||
91 | if (index_section->start == NULL) | ||
92 | return (dwo ? _("<no .debug_str_offsets.dwo section>") | ||
93 | @@ -628,7 +644,7 @@ | ||
94 | |||
95 | if (this_set != NULL) | ||
96 | index_offset += this_set->section_offsets [DW_SECT_STR_OFFSETS]; | ||
97 | - if (index_offset > index_section->size) | ||
98 | + if (index_offset >= index_section->size) | ||
99 | { | ||
100 | warn (_("DW_FORM_GNU_str_index offset too big: %s\n"), | ||
101 | dwarf_vmatoa ("x", index_offset)); | ||
102 | @@ -641,14 +657,22 @@ | ||
103 | |||
104 | str_offset = byte_get (index_section->start + index_offset, offset_size); | ||
105 | str_offset -= str_section->address; | ||
106 | - if (str_offset > str_section->size) | ||
107 | + if (str_offset >= str_section->size) | ||
108 | { | ||
109 | warn (_("DW_FORM_GNU_str_index indirect offset too big: %s\n"), | ||
110 | dwarf_vmatoa ("x", str_offset)); | ||
111 | return _("<indirect index offset is too big>"); | ||
112 | } | ||
113 | |||
114 | - return (const char *) str_section->start + str_offset; | ||
115 | + ret = (const char *) str_section->start + str_offset; | ||
116 | + /* Unfortunately we cannot rely upon str_section ending with a NUL byte. | ||
117 | + Since our caller is expecting to receive a well formed C string we test | ||
118 | + for the lack of a terminating byte here. */ | ||
119 | + if (strnlen (ret, str_section->size - str_offset) | ||
120 | + == str_section->size - str_offset) | ||
121 | + ret = (const char *) _("<no NUL byte at end of section>"); | ||
122 | + | ||
123 | + return ret; | ||
124 | } | ||
125 | |||
126 | static const char * | ||
127 | Index: git/binutils/ChangeLog | ||
128 | =================================================================== | ||
129 | --- git.orig/binutils/ChangeLog 2017-09-20 13:40:18.900898599 +0530 | ||
130 | +++ git/binutils/ChangeLog 2017-09-20 13:48:02.976503560 +0530 | ||
131 | @@ -10,6 +10,16 @@ | ||
132 | * objdump.c (dump_relocs_in_section): Check for an excessive | ||
133 | number of relocs before attempting to dump them. | ||
134 | |||
135 | +2017-04-28 Nick Clifton <nickc@redhat.com> | ||
136 | + | ||
137 | + PR binutils/21438 | ||
138 | + * dwarf.c (process_extended_line_op): Do not assume that the | ||
139 | + string extracted from the section is NUL terminated. | ||
140 | + (fetch_indirect_string): If the string retrieved from the section | ||
141 | + is not NUL terminated, return an error message. | ||
142 | + (fetch_indirect_line_string): Likewise. | ||
143 | + (fetch_indexed_string): Likewise. | ||
144 | + | ||
145 | 2017-02-14 Nick Clifton <nickc@redhat.com> | ||
146 | |||
147 | PR binutils/21157 | ||