3 files changed, 230 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index e6cfe33859..ba60eccf87 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
     file://CVE-2017-15996.patch \
     file://CVE-2017-16826.patch \
     file://CVE-2017-16827.patch \
+     file://CVE-2017-16828_p1.patch \
+     file://CVE-2017-16828_p2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
new file mode 100644
index 0000000000..310908f86d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
+From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 5 Oct 2017 17:32:18 +1030
+Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
+Pointer comparisons have traps for the unwary.  After adding a large
+unknown value to "start", the test "start < end" depends on where
+"start" is originally in memory.
+        PR 22239
+        * dwarf.c (read_cie): Don't compare "start" and "end" pointers
+        after adding a possibly wild length to "start", compare the length
+        to the difference of the pointers instead.  Remove now redundant
+        "negative" length test.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16828 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog |  8 ++++++++
+ binutils/dwarf.c   | 15 ++++-----------
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
+@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
+     {
+       READ_ULEB (augmentation_data_len);
+       augmentation_data = start;
+-      start += augmentation_data_len;
+       /* PR 17512: file: 11042-2589-0.004.  */
+-      if (start > end)
+      if (augmentation_data_len > (size_t) (end - start))
+        {
+          warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+-               augmentation_data_len, (long)((end - start) + augmentation_data_len));
+               augmentation_data_len, (unsigned long) (end - start));
+          return end;
+        }
+      start += augmentation_data_len;
+     }
+ 
+   if (augmentation_data_len)
+@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
+       q = augmentation_data;
+       qend = q + augmentation_data_len;
+ 
+-      /* PR 17531: file: 015adfaa.  */
+-      if (qend < q)
+-       {
+-         warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
+-         augmentation_data_len = 0;
+-       }
+-
+-      while (p < end && q < augmentation_data + augmentation_data_len)
+      while (p < end && q < qend)
+        {
+          if (*p == 'L')
+            q++;
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
+++ git/binutils/ChangeLog
+@@ -1,3 +1,11 @@
+2017-10-05  Alan Modra  <amodra@gmail.com>
+
+       PR 22239
+       * dwarf.c (read_cie): Don't compare "start" and "end" pointers
+       after adding a possibly wild length to "start", compare the length
+       to the difference of the pointers instead.  Remove now redundant
+       "negative" length test.
+
+ 2017-09-27  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22219
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
new file mode 100644
index 0000000000..5073d31ce0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
@@ -0,0 +1,149 @@
+From bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 3 Nov 2017 13:57:15 +0000
+Subject: [PATCH] Fix integer overflow problems when reading an ELF binary with
+ corrupt augmentation data.
+        PR 22386
+        * dwarf.c (read_cie): Use bfd_size_type for
+        augmentation_data_len.
+        (display_augmentation_data): New function.
+        (display_debug_frames): Use it.
+        Check for integer overflow when testing augmentation_data_len.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-16828 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog | 10 +++++++++
+ binutils/dwarf.c   | 65 +++++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 50 insertions(+), 25 deletions(-)
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
+++ git/binutils/dwarf.c
+@@ -6577,13 +6577,13 @@ frame_display_row (Frame_Chunk *fc, int
+ static unsigned char *
+ read_cie (unsigned char *start, unsigned char *end,
+          Frame_Chunk **p_cie, int *p_version,
+-         unsigned long *p_aug_len, unsigned char **p_aug)
+         bfd_size_type *p_aug_len, unsigned char **p_aug)
+ {
+   int version;
+   Frame_Chunk *fc;
+   unsigned int length_return;
+   unsigned char *augmentation_data = NULL;
+-  unsigned long augmentation_data_len = 0;
+  bfd_size_type augmentation_data_len = 0;
+ 
+   * p_cie = NULL;
+   /* PR 17512: file: 001-228113-0.004.  */
+@@ -6653,10 +6653,11 @@ read_cie (unsigned char *start, unsigned
+       READ_ULEB (augmentation_data_len);
+       augmentation_data = start;
+       /* PR 17512: file: 11042-2589-0.004.  */
+-      if (augmentation_data_len > (size_t) (end - start))
+      if (augmentation_data_len > (bfd_size_type) (end - start))
+        {
+-         warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
+-               augmentation_data_len, (unsigned long) (end - start));
+         warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),
+               dwarf_vmatoa ("x", augmentation_data_len),
+               (unsigned long) (end - start));
+          return end;
+        }
+       start += augmentation_data_len;
+@@ -6701,6 +6702,31 @@ read_cie (unsigned char *start, unsigned
+   return start;
+ }
+ 
+/* Prints out the contents on the augmentation data array.
+   If do_wide is not enabled, then formats the output to fit into 80 columns.  */
+
+static void
+display_augmentation_data (const unsigned char * data, const bfd_size_type len)
+{
+  bfd_size_type i;
+
+  i = printf (_("  Augmentation data:    "));
+
+  if (do_wide || len < ((80 - i) / 3))
+    for (i = 0; i < len; ++i)
+      printf (" %02x", data[i]);
+  else
+    {
+      for (i = 0; i < len; ++i)
+       {
+         if (i % (80 / 3) == 0)
+           putchar ('\n');
+         printf (" %02x", data[i]);
+       }
+    }
+  putchar ('\n');
+}
+
+ static int
+ display_debug_frames (struct dwarf_section *section,
+                      void *file ATTRIBUTE_UNUSED)
+@@ -6729,7 +6755,7 @@ display_debug_frames (struct dwarf_secti
+       Frame_Chunk *cie;
+       int need_col_headers = 1;
+       unsigned char *augmentation_data = NULL;
+-      unsigned long augmentation_data_len = 0;
+      bfd_size_type augmentation_data_len = 0;
+       unsigned int encoded_ptr_size = saved_eh_addr_size;
+       unsigned int offset_size;
+       unsigned int initial_length_size;
+@@ -6823,16 +6849,8 @@ display_debug_frames (struct dwarf_secti
+              printf ("  Return address column: %d\n", fc->ra);
+ 
+              if (augmentation_data_len)
+-               {
+-                 unsigned long i;
+               display_augmentation_data (augmentation_data, augmentation_data_len);
+ 
+-                 printf ("  Augmentation data:    ");
+-                 for (i = 0; i < augmentation_data_len; ++i)
+-                   /* FIXME: If do_wide is FALSE, then we should
+-                      add carriage returns at 80 columns...  */
+-                   printf (" %02x", augmentation_data[i]);
+-                 putchar ('\n');
+-               }
+              putchar ('\n');
+            }
+        }
+@@ -6988,11 +7006,13 @@ display_debug_frames (struct dwarf_secti
+              READ_ULEB (augmentation_data_len);
+              augmentation_data = start;
+              start += augmentation_data_len;
+-             /* PR 17512: file: 722-8446-0.004.  */
+-             if (start >= end || ((signed long) augmentation_data_len) < 0)
+             /* PR 17512 file: 722-8446-0.004 and PR 22386.  */
+             if (start >= end
+                 || ((bfd_signed_vma) augmentation_data_len) < 0
+                 || augmentation_data > start)
+                {
+-                 warn (_("Corrupt augmentation data length: %lx\n"),
+-                       augmentation_data_len);
+                 warn (_("Corrupt augmentation data length: 0x%s\n"),
+                       dwarf_vmatoa ("x", augmentation_data_len));
+                  start = end;
+                  augmentation_data = NULL;
+                  augmentation_data_len = 0;
+@@ -7014,12 +7034,7 @@ display_debug_frames (struct dwarf_secti
+ 
+          if (! do_debug_frames_interp && augmentation_data_len)
+            {
+-             unsigned long i;
+-
+-             printf ("  Augmentation data:    ");
+-             for (i = 0; i < augmentation_data_len; ++i)
+-               printf (" %02x", augmentation_data[i]);
+-             putchar ('\n');
+             display_augmentation_data (augmentation_data, augmentation_data_len);
+              putchar ('\n');
+            }
+        }

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index e6cfe33859..ba60eccf87 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
54	file://CVE-2017-15996.patch \	54	file://CVE-2017-15996.patch \
55	file://CVE-2017-16826.patch \	55	file://CVE-2017-16826.patch \
56	file://CVE-2017-16827.patch \	56	file://CVE-2017-16827.patch \
		57	file://CVE-2017-16828_p1.patch \
		58	file://CVE-2017-16828_p2.patch \
57	"	59	"
58	S = "${WORKDIR}/git"	60	S = "${WORKDIR}/git"
59		61


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch new file mode 100644 index 0000000000..310908f86d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
		1	From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Thu, 5 Oct 2017 17:32:18 +1030
		4	Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
		5
		6	Pointer comparisons have traps for the unwary. After adding a large
		7	unknown value to "start", the test "start < end" depends on where
		8	"start" is originally in memory.
		9
		10	PR 22239
		11	* dwarf.c (read_cie): Don't compare "start" and "end" pointers
		12	after adding a possibly wild length to "start", compare the length
		13	to the difference of the pointers instead. Remove now redundant
		14	"negative" length test.
		15
		16	Upstream-Status: Backport
		17	Affects: <= 2.29.1
		18	CVE: CVE-2017-16828 patch1
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	binutils/ChangeLog \| 8 ++++++++
		23	binutils/dwarf.c \| 15 ++++-----------
		24	2 files changed, 12 insertions(+), 11 deletions(-)
		25
		26	Index: git/binutils/dwarf.c
		27	===================================================================
		28	--- git.orig/binutils/dwarf.c
		29	+++ git/binutils/dwarf.c
		30	@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
		31	{
		32	READ_ULEB (augmentation_data_len);
		33	augmentation_data = start;
		34	- start += augmentation_data_len;
		35	/* PR 17512: file: 11042-2589-0.004. */
		36	- if (start > end)
		37	+ if (augmentation_data_len > (size_t) (end - start))
		38	{
		39	warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
		40	- augmentation_data_len, (long)((end - start) + augmentation_data_len));
		41	+ augmentation_data_len, (unsigned long) (end - start));
		42	return end;
		43	}
		44	+ start += augmentation_data_len;
		45	}
		46
		47	if (augmentation_data_len)
		48	@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
		49	q = augmentation_data;
		50	qend = q + augmentation_data_len;
		51
		52	- /* PR 17531: file: 015adfaa. */
		53	- if (qend < q)
		54	- {
		55	- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
		56	- augmentation_data_len = 0;
		57	- }
		58	-
		59	- while (p < end && q < augmentation_data + augmentation_data_len)
		60	+ while (p < end && q < qend)
		61	{
		62	if (*p == 'L')
		63	q++;
		64	Index: git/binutils/ChangeLog
		65	===================================================================
		66	--- git.orig/binutils/ChangeLog
		67	+++ git/binutils/ChangeLog
		68	@@ -1,3 +1,11 @@
		69	+2017-10-05 Alan Modra <amodra@gmail.com>
		70	+
		71	+ PR 22239
		72	+ * dwarf.c (read_cie): Don't compare "start" and "end" pointers
		73	+ after adding a possibly wild length to "start", compare the length
		74	+ to the difference of the pointers instead. Remove now redundant
		75	+ "negative" length test.
		76	+
		77	2017-09-27 Nick Clifton <nickc@redhat.com>
		78
		79	PR 22219


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch new file mode 100644 index 0000000000..5073d31ce0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
@@ -0,0 +1,149 @@
		1	From bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Fri, 3 Nov 2017 13:57:15 +0000
		4	Subject: [PATCH] Fix integer overflow problems when reading an ELF binary with
		5	corrupt augmentation data.
		6
		7	PR 22386
		8	* dwarf.c (read_cie): Use bfd_size_type for
		9	augmentation_data_len.
		10	(display_augmentation_data): New function.
		11	(display_debug_frames): Use it.
		12	Check for integer overflow when testing augmentation_data_len.
		13
		14	Upstream-Status: Backport
		15	Affects: <= 2.29.1
		16	CVE: CVE-2017-16828 patch2
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	binutils/ChangeLog \| 10 +++++++++
		21	binutils/dwarf.c \| 65 +++++++++++++++++++++++++++++++++---------------------
		22	2 files changed, 50 insertions(+), 25 deletions(-)
		23
		24	Index: git/binutils/dwarf.c
		25	===================================================================
		26	--- git.orig/binutils/dwarf.c
		27	+++ git/binutils/dwarf.c
		28	@@ -6577,13 +6577,13 @@ frame_display_row (Frame_Chunk *fc, int
		29	static unsigned char *
		30	read_cie (unsigned char start, unsigned char end,
		31	Frame_Chunk *p_cie, int p_version,
		32	- unsigned long p_aug_len, unsigned char *p_aug)
		33	+ bfd_size_type p_aug_len, unsigned char *p_aug)
		34	{
		35	int version;
		36	Frame_Chunk *fc;
		37	unsigned int length_return;
		38	unsigned char *augmentation_data = NULL;
		39	- unsigned long augmentation_data_len = 0;
		40	+ bfd_size_type augmentation_data_len = 0;
		41
		42	* p_cie = NULL;
		43	/* PR 17512: file: 001-228113-0.004. */
		44	@@ -6653,10 +6653,11 @@ read_cie (unsigned char *start, unsigned
		45	READ_ULEB (augmentation_data_len);
		46	augmentation_data = start;
		47	/* PR 17512: file: 11042-2589-0.004. */
		48	- if (augmentation_data_len > (size_t) (end - start))
		49	+ if (augmentation_data_len > (bfd_size_type) (end - start))
		50	{
		51	- warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
		52	- augmentation_data_len, (unsigned long) (end - start));
		53	+ warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),
		54	+ dwarf_vmatoa ("x", augmentation_data_len),
		55	+ (unsigned long) (end - start));
		56	return end;
		57	}
		58	start += augmentation_data_len;
		59	@@ -6701,6 +6702,31 @@ read_cie (unsigned char *start, unsigned
		60	return start;
		61	}
		62
		63	+/* Prints out the contents on the augmentation data array.
		64	+ If do_wide is not enabled, then formats the output to fit into 80 columns. */
		65	+
		66	+static void
		67	+display_augmentation_data (const unsigned char * data, const bfd_size_type len)
		68	+{
		69	+ bfd_size_type i;
		70	+
		71	+ i = printf (_(" Augmentation data: "));
		72	+
		73	+ if (do_wide \|\| len < ((80 - i) / 3))
		74	+ for (i = 0; i < len; ++i)
		75	+ printf (" %02x", data[i]);
		76	+ else
		77	+ {
		78	+ for (i = 0; i < len; ++i)
		79	+ {
		80	+ if (i % (80 / 3) == 0)
		81	+ putchar ('\n');
		82	+ printf (" %02x", data[i]);
		83	+ }
		84	+ }
		85	+ putchar ('\n');
		86	+}
		87	+
		88	static int
		89	display_debug_frames (struct dwarf_section *section,
		90	void *file ATTRIBUTE_UNUSED)
		91	@@ -6729,7 +6755,7 @@ display_debug_frames (struct dwarf_secti
		92	Frame_Chunk *cie;
		93	int need_col_headers = 1;
		94	unsigned char *augmentation_data = NULL;
		95	- unsigned long augmentation_data_len = 0;
		96	+ bfd_size_type augmentation_data_len = 0;
		97	unsigned int encoded_ptr_size = saved_eh_addr_size;
		98	unsigned int offset_size;
		99	unsigned int initial_length_size;
		100	@@ -6823,16 +6849,8 @@ display_debug_frames (struct dwarf_secti
		101	printf (" Return address column: %d\n", fc->ra);
		102
		103	if (augmentation_data_len)
		104	- {
		105	- unsigned long i;
		106	+ display_augmentation_data (augmentation_data, augmentation_data_len);
		107
		108	- printf (" Augmentation data: ");
		109	- for (i = 0; i < augmentation_data_len; ++i)
		110	- /* FIXME: If do_wide is FALSE, then we should
		111	- add carriage returns at 80 columns... */
		112	- printf (" %02x", augmentation_data[i]);
		113	- putchar ('\n');
		114	- }
		115	putchar ('\n');
		116	}
		117	}
		118	@@ -6988,11 +7006,13 @@ display_debug_frames (struct dwarf_secti
		119	READ_ULEB (augmentation_data_len);
		120	augmentation_data = start;
		121	start += augmentation_data_len;
		122	- /* PR 17512: file: 722-8446-0.004. */
		123	- if (start >= end \|\| ((signed long) augmentation_data_len) < 0)
		124	+ /* PR 17512 file: 722-8446-0.004 and PR 22386. */
		125	+ if (start >= end
		126	+ \|\| ((bfd_signed_vma) augmentation_data_len) < 0
		127	+ \|\| augmentation_data > start)
		128	{
		129	- warn (_("Corrupt augmentation data length: %lx\n"),
		130	- augmentation_data_len);
		131	+ warn (_("Corrupt augmentation data length: 0x%s\n"),
		132	+ dwarf_vmatoa ("x", augmentation_data_len));
		133	start = end;
		134	augmentation_data = NULL;
		135	augmentation_data_len = 0;
		136	@@ -7014,12 +7034,7 @@ display_debug_frames (struct dwarf_secti
		137
		138	if (! do_debug_frames_interp && augmentation_data_len)
		139	{
		140	- unsigned long i;
		141	-
		142	- printf (" Augmentation data: ");
		143	- for (i = 0; i < augmentation_data_len; ++i)
		144	- printf (" %02x", augmentation_data[i]);
		145	- putchar ('\n');
		146	+ display_augmentation_data (augmentation_data, augmentation_data_len);
		147	putchar ('\n');
		148	}
		149	}