From 9be7b4f3db6243fc2a557ad63543173f2b1f5d86 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Mon, 6 Aug 2018 14:02:09 -0700 Subject: binutls: Security fix CVE-2017-14933 Affects: <= 2.29.1 (From OE-Core rev: 16cdbc7504cc14547bb99ed742484ae9e658ec6e) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.29.1.inc | 2 + .../binutils/binutils/CVE-2017-14933_p1.patch | 58 ++++++++++++ .../binutils/binutils/CVE-2017-14933_p2.patch | 102 +++++++++++++++++++++ 3 files changed, 162 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 76c5c439cb..78b5249ee1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc @@ -38,6 +38,8 @@ SRC_URI = "\ file://CVE-2017-17124.patch \ file://CVE-2017-14930.patch \ file://CVE-2017-14932.patch \ + file://CVE-2017-14933_p1.patch \ + file://CVE-2017-14933_p2.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch new file mode 100644 index 0000000000..9df8138401 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch @@ -0,0 +1,58 @@ +From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001 +From: Nick Clifton +Date: Tue, 26 Sep 2017 14:37:47 +0100 +Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF + directory or file name table. + + PR 22210 + * dwarf2.c (read_formatted_entries): Fail early if we know that + the loop parsing data entries will overflow the end of the + section. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14933 #1 +Signed-off-by: Armin Kuster + +--- + bfd/ChangeLog | 7 +++++++ + bfd/dwarf2.c | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2017-09-26 Nick Clifton ++ ++ PR 22210 ++ * dwarf2.c (read_formatted_entries): Fail early if we know that ++ the loop parsing data entries will overflow the end of the ++ section. ++ + 2017-09-26 Alan Modra + + PR 22204 +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit + + data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end); + buf += bytes_read; ++ ++ /* PR 22210. Paranoia check. Don't bother running the loop ++ if we know that we are going to run out of buffer. */ ++ if (data_count > (bfd_vma) (buf_end - buf)) ++ { ++ _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."), ++ data_count); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + for (datai = 0; datai < data_count; datai++) + { + bfd_byte *format = format_header_data; diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch new file mode 100644 index 0000000000..607d92f3d4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch @@ -0,0 +1,102 @@ +From 33e0a9a056bd23e923b929a4f2ab049ade0b1c32 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Tue, 26 Sep 2017 23:20:06 +0930 +Subject: [PATCH] Tidy reading data in read_formatted_entries + +Using read_attribute_value accomplishes two things: It checks for +unexpected formats, and ensures the buffer pointer always increments. + + PR 22210 + * dwarf2.c (read_formatted_entries): Use read_attribute_value to + read data. + +Upstream-Status: Backport +Affects: <= 2.29.1 +CVE: CVE-2017-14933 #2 +Signed-off-by: Armin Kuster + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 37 +++++++------------------------------ + 2 files changed, 13 insertions(+), 30 deletions(-) + +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog ++++ git/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2017-09-26 Alan Modra ++ ++ PR 22210 ++ * dwarf2.c (read_formatted_entries): Use read_attribute_value to ++ read data. ++ + 2017-09-26 Nick Clifton + + PR 22210 +Index: git/bfd/dwarf2.c +=================================================================== +--- git.orig/bfd/dwarf2.c ++++ git/bfd/dwarf2.c +@@ -1955,6 +1955,7 @@ read_formatted_entries (struct comp_unit + char *string_trash; + char **stringp = &string_trash; + unsigned int uint_trash, *uintp = &uint_trash; ++ struct attribute attr; + + content_type = _bfd_safe_read_leb128 (abfd, format, &bytes_read, + FALSE, buf_end); +@@ -1986,47 +1987,23 @@ read_formatted_entries (struct comp_unit + form = _bfd_safe_read_leb128 (abfd, format, &bytes_read, FALSE, + buf_end); + format += bytes_read; ++ ++ buf = read_attribute_value (&attr, form, 0, unit, buf, buf_end); ++ if (buf == NULL) ++ return FALSE; + switch (form) + { + case DW_FORM_string: +- *stringp = read_string (abfd, buf, buf_end, &bytes_read); +- buf += bytes_read; +- break; +- + case DW_FORM_line_strp: +- *stringp = read_indirect_line_string (unit, buf, buf_end, &bytes_read); +- buf += bytes_read; ++ *stringp = attr.u.str; + break; + + case DW_FORM_data1: +- *uintp = read_1_byte (abfd, buf, buf_end); +- buf += 1; +- break; +- + case DW_FORM_data2: +- *uintp = read_2_bytes (abfd, buf, buf_end); +- buf += 2; +- break; +- + case DW_FORM_data4: +- *uintp = read_4_bytes (abfd, buf, buf_end); +- buf += 4; +- break; +- + case DW_FORM_data8: +- *uintp = read_8_bytes (abfd, buf, buf_end); +- buf += 8; +- break; +- + case DW_FORM_udata: +- *uintp = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, +- buf_end); +- buf += bytes_read; +- break; +- +- case DW_FORM_block: +- /* It is valid only for DW_LNCT_timestamp which is ignored by +- current GDB. */ ++ *uintp = attr.u.val; + break; + } + } -- cgit v1.2.3-54-g00ecf