summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2018-08-07 22:52:10 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 09:22:45 (GMT)
commit3a47233ad7e9513e0c29cf9bd85a6ff0b3e8693c (patch)
tree31605320d4136235930b0b587a07cefde7f9bdd9
parent8073f5664b646cc379ef3666cec02dfaedfc306f (diff)
downloadpoky-3a47233ad7e9513e0c29cf9bd85a6ff0b3e8693c.tar.gz
binutls: Security fix for CVE-2017-16828
Affects: <= 2.29.1 (From OE-Core rev: 98e5e27514a19d31038aec22408e27b84514c5b8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.29.1.inc2
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch79
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch149
3 files changed, 230 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index e6cfe33..ba60ecc 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -54,6 +54,8 @@ SRC_URI = "\
54 file://CVE-2017-15996.patch \ 54 file://CVE-2017-15996.patch \
55 file://CVE-2017-16826.patch \ 55 file://CVE-2017-16826.patch \
56 file://CVE-2017-16827.patch \ 56 file://CVE-2017-16827.patch \
57 file://CVE-2017-16828_p1.patch \
58 file://CVE-2017-16828_p2.patch \
57" 59"
58S = "${WORKDIR}/git" 60S = "${WORKDIR}/git"
59 61
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
new file mode 100644
index 0000000..310908f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p1.patch
@@ -0,0 +1,79 @@
1From 9c0f3d3f2017829ffd908c9893b85094985c3b58 Mon Sep 17 00:00:00 2001
2From: Alan Modra <amodra@gmail.com>
3Date: Thu, 5 Oct 2017 17:32:18 +1030
4Subject: [PATCH] PR22239 - invalid memory read in display_debug_frames
5
6Pointer comparisons have traps for the unwary. After adding a large
7unknown value to "start", the test "start < end" depends on where
8"start" is originally in memory.
9
10 PR 22239
11 * dwarf.c (read_cie): Don't compare "start" and "end" pointers
12 after adding a possibly wild length to "start", compare the length
13 to the difference of the pointers instead. Remove now redundant
14 "negative" length test.
15
16Upstream-Status: Backport
17Affects: <= 2.29.1
18CVE: CVE-2017-16828 patch1
19Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21---
22 binutils/ChangeLog | 8 ++++++++
23 binutils/dwarf.c | 15 ++++-----------
24 2 files changed, 12 insertions(+), 11 deletions(-)
25
26Index: git/binutils/dwarf.c
27===================================================================
28--- git.orig/binutils/dwarf.c
29+++ git/binutils/dwarf.c
30@@ -6652,14 +6652,14 @@ read_cie (unsigned char *start, unsigned
31 {
32 READ_ULEB (augmentation_data_len);
33 augmentation_data = start;
34- start += augmentation_data_len;
35 /* PR 17512: file: 11042-2589-0.004. */
36- if (start > end)
37+ if (augmentation_data_len > (size_t) (end - start))
38 {
39 warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
40- augmentation_data_len, (long)((end - start) + augmentation_data_len));
41+ augmentation_data_len, (unsigned long) (end - start));
42 return end;
43 }
44+ start += augmentation_data_len;
45 }
46
47 if (augmentation_data_len)
48@@ -6672,14 +6672,7 @@ read_cie (unsigned char *start, unsigned
49 q = augmentation_data;
50 qend = q + augmentation_data_len;
51
52- /* PR 17531: file: 015adfaa. */
53- if (qend < q)
54- {
55- warn (_("Negative augmentation data length: 0x%lx"), augmentation_data_len);
56- augmentation_data_len = 0;
57- }
58-
59- while (p < end && q < augmentation_data + augmentation_data_len)
60+ while (p < end && q < qend)
61 {
62 if (*p == 'L')
63 q++;
64Index: git/binutils/ChangeLog
65===================================================================
66--- git.orig/binutils/ChangeLog
67+++ git/binutils/ChangeLog
68@@ -1,3 +1,11 @@
69+2017-10-05 Alan Modra <amodra@gmail.com>
70+
71+ PR 22239
72+ * dwarf.c (read_cie): Don't compare "start" and "end" pointers
73+ after adding a possibly wild length to "start", compare the length
74+ to the difference of the pointers instead. Remove now redundant
75+ "negative" length test.
76+
77 2017-09-27 Nick Clifton <nickc@redhat.com>
78
79 PR 22219
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
new file mode 100644
index 0000000..5073d31
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-16828_p2.patch
@@ -0,0 +1,149 @@
1From bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Fri, 3 Nov 2017 13:57:15 +0000
4Subject: [PATCH] Fix integer overflow problems when reading an ELF binary with
5 corrupt augmentation data.
6
7 PR 22386
8 * dwarf.c (read_cie): Use bfd_size_type for
9 augmentation_data_len.
10 (display_augmentation_data): New function.
11 (display_debug_frames): Use it.
12 Check for integer overflow when testing augmentation_data_len.
13
14Upstream-Status: Backport
15Affects: <= 2.29.1
16CVE: CVE-2017-16828 patch2
17Signed-off-by: Armin Kuster <akuster@mvista.com>
18
19---
20 binutils/ChangeLog | 10 +++++++++
21 binutils/dwarf.c | 65 +++++++++++++++++++++++++++++++++---------------------
22 2 files changed, 50 insertions(+), 25 deletions(-)
23
24Index: git/binutils/dwarf.c
25===================================================================
26--- git.orig/binutils/dwarf.c
27+++ git/binutils/dwarf.c
28@@ -6577,13 +6577,13 @@ frame_display_row (Frame_Chunk *fc, int
29 static unsigned char *
30 read_cie (unsigned char *start, unsigned char *end,
31 Frame_Chunk **p_cie, int *p_version,
32- unsigned long *p_aug_len, unsigned char **p_aug)
33+ bfd_size_type *p_aug_len, unsigned char **p_aug)
34 {
35 int version;
36 Frame_Chunk *fc;
37 unsigned int length_return;
38 unsigned char *augmentation_data = NULL;
39- unsigned long augmentation_data_len = 0;
40+ bfd_size_type augmentation_data_len = 0;
41
42 * p_cie = NULL;
43 /* PR 17512: file: 001-228113-0.004. */
44@@ -6653,10 +6653,11 @@ read_cie (unsigned char *start, unsigned
45 READ_ULEB (augmentation_data_len);
46 augmentation_data = start;
47 /* PR 17512: file: 11042-2589-0.004. */
48- if (augmentation_data_len > (size_t) (end - start))
49+ if (augmentation_data_len > (bfd_size_type) (end - start))
50 {
51- warn (_("Augmentation data too long: %#lx, expected at most %#lx\n"),
52- augmentation_data_len, (unsigned long) (end - start));
53+ warn (_("Augmentation data too long: 0x%s, expected at most %#lx\n"),
54+ dwarf_vmatoa ("x", augmentation_data_len),
55+ (unsigned long) (end - start));
56 return end;
57 }
58 start += augmentation_data_len;
59@@ -6701,6 +6702,31 @@ read_cie (unsigned char *start, unsigned
60 return start;
61 }
62
63+/* Prints out the contents on the augmentation data array.
64+ If do_wide is not enabled, then formats the output to fit into 80 columns. */
65+
66+static void
67+display_augmentation_data (const unsigned char * data, const bfd_size_type len)
68+{
69+ bfd_size_type i;
70+
71+ i = printf (_(" Augmentation data: "));
72+
73+ if (do_wide || len < ((80 - i) / 3))
74+ for (i = 0; i < len; ++i)
75+ printf (" %02x", data[i]);
76+ else
77+ {
78+ for (i = 0; i < len; ++i)
79+ {
80+ if (i % (80 / 3) == 0)
81+ putchar ('\n');
82+ printf (" %02x", data[i]);
83+ }
84+ }
85+ putchar ('\n');
86+}
87+
88 static int
89 display_debug_frames (struct dwarf_section *section,
90 void *file ATTRIBUTE_UNUSED)
91@@ -6729,7 +6755,7 @@ display_debug_frames (struct dwarf_secti
92 Frame_Chunk *cie;
93 int need_col_headers = 1;
94 unsigned char *augmentation_data = NULL;
95- unsigned long augmentation_data_len = 0;
96+ bfd_size_type augmentation_data_len = 0;
97 unsigned int encoded_ptr_size = saved_eh_addr_size;
98 unsigned int offset_size;
99 unsigned int initial_length_size;
100@@ -6823,16 +6849,8 @@ display_debug_frames (struct dwarf_secti
101 printf (" Return address column: %d\n", fc->ra);
102
103 if (augmentation_data_len)
104- {
105- unsigned long i;
106+ display_augmentation_data (augmentation_data, augmentation_data_len);
107
108- printf (" Augmentation data: ");
109- for (i = 0; i < augmentation_data_len; ++i)
110- /* FIXME: If do_wide is FALSE, then we should
111- add carriage returns at 80 columns... */
112- printf (" %02x", augmentation_data[i]);
113- putchar ('\n');
114- }
115 putchar ('\n');
116 }
117 }
118@@ -6988,11 +7006,13 @@ display_debug_frames (struct dwarf_secti
119 READ_ULEB (augmentation_data_len);
120 augmentation_data = start;
121 start += augmentation_data_len;
122- /* PR 17512: file: 722-8446-0.004. */
123- if (start >= end || ((signed long) augmentation_data_len) < 0)
124+ /* PR 17512 file: 722-8446-0.004 and PR 22386. */
125+ if (start >= end
126+ || ((bfd_signed_vma) augmentation_data_len) < 0
127+ || augmentation_data > start)
128 {
129- warn (_("Corrupt augmentation data length: %lx\n"),
130- augmentation_data_len);
131+ warn (_("Corrupt augmentation data length: 0x%s\n"),
132+ dwarf_vmatoa ("x", augmentation_data_len));
133 start = end;
134 augmentation_data = NULL;
135 augmentation_data_len = 0;
136@@ -7014,12 +7034,7 @@ display_debug_frames (struct dwarf_secti
137
138 if (! do_debug_frames_interp && augmentation_data_len)
139 {
140- unsigned long i;
141-
142- printf (" Augmentation data: ");
143- for (i = 0; i < augmentation_data_len; ++i)
144- printf (" %02x", augmentation_data[i]);
145- putchar ('\n');
146+ display_augmentation_data (augmentation_data, augmentation_data_len);
147 putchar ('\n');
148 }
149 }