Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.27.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch | 204 |
2 files changed, 205 insertions, 0 deletions
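--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -84,6 +84,7 @@ SRC_URI = "\
 file://CVE-2017-9748.patch \
 file://CVE-2017-9747.patch \
 file://CVE-2017-9750.patch \
+file://CVE-2017-9752.patch \
 "
 S = "${WORKDIR}/git"
 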
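--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,204 @@
+commit c53d2e6d744da000aaafe0237bced090aab62818
+Author: Nick Clifton <nickc@redhat.com>
+Date: Wed Jun 14 11:27:15 2017 +0100
+
+Fix potential address violations when processing a corrupt Alpha VMA binary.
+
+PR binutils/21589
+* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+maximum value for the ascic pointer. Check that name processing
+does not read beyond this value.
+(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+end of etir record.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9752
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-09-21 15:00:19.117805347 +0530
++++ git/bfd/vms-alpha.c 2017-09-21 15:00:20.673815960 +0530
+@@ -1507,7 +1507,7 @@
+/* Write multiple bytes to section image. */
+
+static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
++image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+{
+#if VMS_DEBUG
+_bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1654,14 +1654,16 @@
+#define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+
+static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
++_bfd_vms_get_value (bfd *abfd,
++ const unsigned char *ascic,
++ const unsigned char *max_ascic,
+struct bfd_link_info *info,
+bfd_vma *vma,
+struct alpha_vms_link_hash_entry **hp)
+{
+char name[257];
+- int len;
+- int i;
++ unsigned int len;
++ unsigned int i;
+struct alpha_vms_link_hash_entry *h;
+
+/* Not linking. Do not try to resolve the symbol. */
+@@ -1673,6 +1675,14 @@
+}
+
+len = *ascic;
++ if (ascic + len >= max_ascic)
++ {
++ _bfd_error_handler (_("Corrupt vms value"));
++ *vma = 0;
++ *hp = NULL;
++ return;
++ }
++
+for (i = 0; i < len; i++)
+name[i] = ascic[i + 1];
+name[i] = 0;
+@@ -1797,6 +1807,15 @@
+_bfd_hexdump (8, ptr, cmd_length - 4, 0);
+#endif
+
++ /* PR 21589: Check for a corrupt ETIR record. */
++ if (cmd_length < 4)
++ {
++ corrupt_etir:
++ _bfd_error_handler (_("Corrupt ETIR record encountered"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+switch (cmd)
+{
+/* Stack global
+@@ -1804,7 +1823,7 @@
+
+stack 32 bit value of symbol (high bits set to 0). */
+case ETIR__C_STA_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+_bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+break;
+
+@@ -1813,6 +1832,8 @@
+
+stack 32 bit value, sign extend to 64 bit. */
+case ETIR__C_STA_LW:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+_bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+break;
+
+@@ -1821,6 +1842,8 @@
+
+stack 64 bit value of symbol. */
+case ETIR__C_STA_QW:
++ if (ptr + 8 >= maxptr)
++ goto corrupt_etir;
+_bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+break;
+
+@@ -1834,6 +1857,8 @@
+{
+int psect;
+
++ if (ptr + 12 >= maxptr)
++ goto corrupt_etir;
+psect = bfd_getl32 (ptr);
+if ((unsigned int) psect >= PRIV (section_count))
+{
+@@ -1923,6 +1948,8 @@
+{
+int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+size = bfd_getl32 (ptr);
+_bfd_vms_pop (abfd, &op1, &rel1);
+if (rel1 != RELC_NONE)
+@@ -1935,7 +1962,7 @@
+/* Store global: write symbol value
+arg: cs global symbol name. */
+case ETIR__C_STO_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+if (h && h->sym)
+{
+if (h->sym->typ == EGSD__C_SYMG)
+@@ -1957,7 +1984,7 @@
+/* Store code address: write address of entry point
+arg: cs global symbol name (procedure). */
+case ETIR__C_STO_CA:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+if (h && h->sym)
+{
+if (h->sym->flags & EGSY__V_NORM)
+@@ -2002,8 +2029,10 @@
+da data. */
+case ETIR__C_STO_IMM:
+{
+- int size;
++ unsigned int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+size = bfd_getl32 (ptr);
+image_write (abfd, ptr + 4, size);
+}
+@@ -2016,7 +2045,7 @@
+store global longword: store 32bit value of symbol
+arg: cs symbol name. */
+case ETIR__C_STO_GBL_LW:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+#if 0
+abort ();
+#endif
+@@ -2069,7 +2098,7 @@
+da signature. */
+
+case ETIR__C_STC_LP_PSB:
+- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+if (h && h->sym)
+{
+if (h->sym->typ == EGSD__C_SYMG)
+@@ -2165,6 +2194,8 @@
+/* Augment relocation base: increment image location counter by offset
+arg: lw offset value. */
+case ETIR__C_CTL_AUGRB:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+op1 = bfd_getl32 (ptr);
+image_inc_ptr (abfd, op1);
+break;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-09-21 15:04:44.000000000 +0530
++++ git/bfd/ChangeLog 2017-09-21 15:07:58.268949291 +0530
+@@ -81,6 +81,15 @@
+PR binutils/21581
+(ieee_archive_p): Likewise.
+
++2017-06-14 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21589
++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
++ maximum value for the ascic pointer. Check that name processing
++ does not read beyond this value.
++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
++ end of etir record.
++
+2017-04-29 Alan Modra <amodra@gmail.com>
+
+PR 21432
+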