From 3daf8af9487915421311042a9339de8e19b2d472 Mon Sep 17 00:00:00 2001 From: Thiruvadi Rajaraman Date: Thu, 21 Sep 2017 19:24:44 +0530 Subject: binutils: CVE-2017-9752 Source: binutils-gdb.git MR: 73971 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: fe0e1d0f234ed157135818c24f4270c34e093828 Description: Fix potential address violations when processing a corrupt Alpha VMA binary. PR binutils/21589 * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the maximum value for the ascic pointer. Check that name processing does not read beyond this value. (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the end of etir record. Affects: <= 2.28 Author: Nick Clifton (From OE-Core rev: ea89dfe868085b463dfc24df78b49d1703989484) Signed-off-by: Thiruvadi Rajaraman Reviewed-by: Armin Kuster Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-devtools/binutils/binutils-2.27.inc | 1 + .../binutils/binutils/CVE-2017-9752.patch | 204 +++++++++++++++++++++ 2 files changed, 205 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch (limited to 'meta/recipes-devtools') diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 6580270284..54fb5d61c3 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc @@ -84,6 +84,7 @@ SRC_URI = "\ file://CVE-2017-9748.patch \ file://CVE-2017-9747.patch \ file://CVE-2017-9750.patch \ + file://CVE-2017-9752.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch new file mode 100644 index 0000000000..fce5b14b20 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch @@ -0,0 +1,204 @@ +commit c53d2e6d744da000aaafe0237bced090aab62818 +Author: Nick Clifton +Date: Wed Jun 14 11:27:15 2017 +0100 + + Fix potential address violations when processing a corrupt Alpha VMA binary. + + PR binutils/21589 + * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the + maximum value for the ascic pointer. Check that name processing + does not read beyond this value. + (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the + end of etir record. + +Upstream-Status: Backport + +CVE: CVE-2017-9752 +Signed-off-by: Thiruvadi Rajaraman + +Index: git/bfd/vms-alpha.c +=================================================================== +--- git.orig/bfd/vms-alpha.c 2017-09-21 15:00:19.117805347 +0530 ++++ git/bfd/vms-alpha.c 2017-09-21 15:00:20.673815960 +0530 +@@ -1507,7 +1507,7 @@ + /* Write multiple bytes to section image. */ + + static bfd_boolean +-image_write (bfd *abfd, unsigned char *ptr, int size) ++image_write (bfd *abfd, unsigned char *ptr, unsigned int size) + { + #if VMS_DEBUG + _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size, +@@ -1654,14 +1654,16 @@ + #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L) + + static void +-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic, ++_bfd_vms_get_value (bfd *abfd, ++ const unsigned char *ascic, ++ const unsigned char *max_ascic, + struct bfd_link_info *info, + bfd_vma *vma, + struct alpha_vms_link_hash_entry **hp) + { + char name[257]; +- int len; +- int i; ++ unsigned int len; ++ unsigned int i; + struct alpha_vms_link_hash_entry *h; + + /* Not linking. Do not try to resolve the symbol. */ +@@ -1673,6 +1675,14 @@ + } + + len = *ascic; ++ if (ascic + len >= max_ascic) ++ { ++ _bfd_error_handler (_("Corrupt vms value")); ++ *vma = 0; ++ *hp = NULL; ++ return; ++ } ++ + for (i = 0; i < len; i++) + name[i] = ascic[i + 1]; + name[i] = 0; +@@ -1797,6 +1807,15 @@ + _bfd_hexdump (8, ptr, cmd_length - 4, 0); + #endif + ++ /* PR 21589: Check for a corrupt ETIR record. */ ++ if (cmd_length < 4) ++ { ++ corrupt_etir: ++ _bfd_error_handler (_("Corrupt ETIR record encountered")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + switch (cmd) + { + /* Stack global +@@ -1804,7 +1823,7 @@ + + stack 32 bit value of symbol (high bits set to 0). */ + case ETIR__C_STA_GBL: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h)); + break; + +@@ -1813,6 +1832,8 @@ + + stack 32 bit value, sign extend to 64 bit. */ + case ETIR__C_STA_LW: ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE); + break; + +@@ -1821,6 +1842,8 @@ + + stack 64 bit value of symbol. */ + case ETIR__C_STA_QW: ++ if (ptr + 8 >= maxptr) ++ goto corrupt_etir; + _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE); + break; + +@@ -1834,6 +1857,8 @@ + { + int psect; + ++ if (ptr + 12 >= maxptr) ++ goto corrupt_etir; + psect = bfd_getl32 (ptr); + if ((unsigned int) psect >= PRIV (section_count)) + { +@@ -1923,6 +1948,8 @@ + { + int size; + ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + size = bfd_getl32 (ptr); + _bfd_vms_pop (abfd, &op1, &rel1); + if (rel1 != RELC_NONE) +@@ -1935,7 +1962,7 @@ + /* Store global: write symbol value + arg: cs global symbol name. */ + case ETIR__C_STO_GBL: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->typ == EGSD__C_SYMG) +@@ -1957,7 +1984,7 @@ + /* Store code address: write address of entry point + arg: cs global symbol name (procedure). */ + case ETIR__C_STO_CA: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->flags & EGSY__V_NORM) +@@ -2002,8 +2029,10 @@ + da data. */ + case ETIR__C_STO_IMM: + { +- int size; ++ unsigned int size; + ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + size = bfd_getl32 (ptr); + image_write (abfd, ptr + 4, size); + } +@@ -2016,7 +2045,7 @@ + store global longword: store 32bit value of symbol + arg: cs symbol name. */ + case ETIR__C_STO_GBL_LW: +- _bfd_vms_get_value (abfd, ptr, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h); + #if 0 + abort (); + #endif +@@ -2069,7 +2098,7 @@ + da signature. */ + + case ETIR__C_STC_LP_PSB: +- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h); ++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h); + if (h && h->sym) + { + if (h->sym->typ == EGSD__C_SYMG) +@@ -2165,6 +2194,8 @@ + /* Augment relocation base: increment image location counter by offset + arg: lw offset value. */ + case ETIR__C_CTL_AUGRB: ++ if (ptr + 4 >= maxptr) ++ goto corrupt_etir; + op1 = bfd_getl32 (ptr); + image_inc_ptr (abfd, op1); + break; +Index: git/bfd/ChangeLog +=================================================================== +--- git.orig/bfd/ChangeLog 2017-09-21 15:04:44.000000000 +0530 ++++ git/bfd/ChangeLog 2017-09-21 15:07:58.268949291 +0530 +@@ -81,6 +81,15 @@ + PR binutils/21581 + (ieee_archive_p): Likewise. + ++2017-06-14 Nick Clifton ++ ++ PR binutils/21589 ++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the ++ maximum value for the ascic pointer. Check that name processing ++ does not read beyond this value. ++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the ++ end of etir record. ++ + 2017-04-29 Alan Modra + + PR 21432 -- cgit v1.2.3-54-g00ecf