diff options
Diffstat (limited to 'meta')
3 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 76c5c439cb..78b5249ee1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc | |||
@@ -38,6 +38,8 @@ SRC_URI = "\ | |||
38 | file://CVE-2017-17124.patch \ | 38 | file://CVE-2017-17124.patch \ |
39 | file://CVE-2017-14930.patch \ | 39 | file://CVE-2017-14930.patch \ |
40 | file://CVE-2017-14932.patch \ | 40 | file://CVE-2017-14932.patch \ |
41 | file://CVE-2017-14933_p1.patch \ | ||
42 | file://CVE-2017-14933_p2.patch \ | ||
41 | " | 43 | " |
42 | S = "${WORKDIR}/git" | 44 | S = "${WORKDIR}/git" |
43 | 45 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch new file mode 100644 index 0000000000..9df8138401 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Tue, 26 Sep 2017 14:37:47 +0100 | ||
4 | Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF | ||
5 | directory or file name table. | ||
6 | |||
7 | PR 22210 | ||
8 | * dwarf2.c (read_formatted_entries): Fail early if we know that | ||
9 | the loop parsing data entries will overflow the end of the | ||
10 | section. | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | Affects: <= 2.29.1 | ||
14 | CVE: CVE-2017-14933 #1 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | bfd/ChangeLog | 7 +++++++ | ||
19 | bfd/dwarf2.c | 10 ++++++++++ | ||
20 | 2 files changed, 17 insertions(+) | ||
21 | |||
22 | Index: git/bfd/ChangeLog | ||
23 | =================================================================== | ||
24 | --- git.orig/bfd/ChangeLog | ||
25 | +++ git/bfd/ChangeLog | ||
26 | @@ -1,3 +1,10 @@ | ||
27 | +2017-09-26 Nick Clifton <nickc@redhat.com> | ||
28 | + | ||
29 | + PR 22210 | ||
30 | + * dwarf2.c (read_formatted_entries): Fail early if we know that | ||
31 | + the loop parsing data entries will overflow the end of the | ||
32 | + section. | ||
33 | + | ||
34 | 2017-09-26 Alan Modra <amodra@gmail.com> | ||
35 | |||
36 | PR 22204 | ||
37 | Index: git/bfd/dwarf2.c | ||
38 | =================================================================== | ||
39 | --- git.orig/bfd/dwarf2.c | ||
40 | +++ git/bfd/dwarf2.c | ||
41 | @@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit | ||
42 | |||
43 | data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end); | ||
44 | buf += bytes_read; | ||
45 | + | ||
46 | + /* PR 22210. Paranoia check. Don't bother running the loop | ||
47 | + if we know that we are going to run out of buffer. */ | ||
48 | + if (data_count > (bfd_vma) (buf_end - buf)) | ||
49 | + { | ||
50 | + _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."), | ||
51 | + data_count); | ||
52 | + bfd_set_error (bfd_error_bad_value); | ||
53 | + return FALSE; | ||
54 | + } | ||
55 | + | ||
56 | for (datai = 0; datai < data_count; datai++) | ||
57 | { | ||
58 | bfd_byte *format = format_header_data; | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch new file mode 100644 index 0000000000..607d92f3d4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | From 33e0a9a056bd23e923b929a4f2ab049ade0b1c32 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Tue, 26 Sep 2017 23:20:06 +0930 | ||
4 | Subject: [PATCH] Tidy reading data in read_formatted_entries | ||
5 | |||
6 | Using read_attribute_value accomplishes two things: It checks for | ||
7 | unexpected formats, and ensures the buffer pointer always increments. | ||
8 | |||
9 | PR 22210 | ||
10 | * dwarf2.c (read_formatted_entries): Use read_attribute_value to | ||
11 | read data. | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | Affects: <= 2.29.1 | ||
15 | CVE: CVE-2017-14933 #2 | ||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | bfd/ChangeLog | 6 ++++++ | ||
20 | bfd/dwarf2.c | 37 +++++++------------------------------ | ||
21 | 2 files changed, 13 insertions(+), 30 deletions(-) | ||
22 | |||
23 | Index: git/bfd/ChangeLog | ||
24 | =================================================================== | ||
25 | --- git.orig/bfd/ChangeLog | ||
26 | +++ git/bfd/ChangeLog | ||
27 | @@ -1,3 +1,9 @@ | ||
28 | +2017-09-26 Alan Modra <amodra@gmail.com> | ||
29 | + | ||
30 | + PR 22210 | ||
31 | + * dwarf2.c (read_formatted_entries): Use read_attribute_value to | ||
32 | + read data. | ||
33 | + | ||
34 | 2017-09-26 Nick Clifton <nickc@redhat.com> | ||
35 | |||
36 | PR 22210 | ||
37 | Index: git/bfd/dwarf2.c | ||
38 | =================================================================== | ||
39 | --- git.orig/bfd/dwarf2.c | ||
40 | +++ git/bfd/dwarf2.c | ||
41 | @@ -1955,6 +1955,7 @@ read_formatted_entries (struct comp_unit | ||
42 | char *string_trash; | ||
43 | char **stringp = &string_trash; | ||
44 | unsigned int uint_trash, *uintp = &uint_trash; | ||
45 | + struct attribute attr; | ||
46 | |||
47 | content_type = _bfd_safe_read_leb128 (abfd, format, &bytes_read, | ||
48 | FALSE, buf_end); | ||
49 | @@ -1986,47 +1987,23 @@ read_formatted_entries (struct comp_unit | ||
50 | form = _bfd_safe_read_leb128 (abfd, format, &bytes_read, FALSE, | ||
51 | buf_end); | ||
52 | format += bytes_read; | ||
53 | + | ||
54 | + buf = read_attribute_value (&attr, form, 0, unit, buf, buf_end); | ||
55 | + if (buf == NULL) | ||
56 | + return FALSE; | ||
57 | switch (form) | ||
58 | { | ||
59 | case DW_FORM_string: | ||
60 | - *stringp = read_string (abfd, buf, buf_end, &bytes_read); | ||
61 | - buf += bytes_read; | ||
62 | - break; | ||
63 | - | ||
64 | case DW_FORM_line_strp: | ||
65 | - *stringp = read_indirect_line_string (unit, buf, buf_end, &bytes_read); | ||
66 | - buf += bytes_read; | ||
67 | + *stringp = attr.u.str; | ||
68 | break; | ||
69 | |||
70 | case DW_FORM_data1: | ||
71 | - *uintp = read_1_byte (abfd, buf, buf_end); | ||
72 | - buf += 1; | ||
73 | - break; | ||
74 | - | ||
75 | case DW_FORM_data2: | ||
76 | - *uintp = read_2_bytes (abfd, buf, buf_end); | ||
77 | - buf += 2; | ||
78 | - break; | ||
79 | - | ||
80 | case DW_FORM_data4: | ||
81 | - *uintp = read_4_bytes (abfd, buf, buf_end); | ||
82 | - buf += 4; | ||
83 | - break; | ||
84 | - | ||
85 | case DW_FORM_data8: | ||
86 | - *uintp = read_8_bytes (abfd, buf, buf_end); | ||
87 | - buf += 8; | ||
88 | - break; | ||
89 | - | ||
90 | case DW_FORM_udata: | ||
91 | - *uintp = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, | ||
92 | - buf_end); | ||
93 | - buf += bytes_read; | ||
94 | - break; | ||
95 | - | ||
96 | - case DW_FORM_block: | ||
97 | - /* It is valid only for DW_LNCT_timestamp which is ignored by | ||
98 | - current GDB. */ | ||
99 | + *uintp = attr.u.val; | ||
100 | break; | ||
101 | } | ||
102 | } | ||