binutils: CVE-2017-9755

Source: binutils-gdb.git MR: 73932 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: 49ad5f3244cd51ee6714c1b60cc1c3f84d7de7c8 Description: i386-dis: Add 2 tests with invalid bnd register PR binutils/21594 * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd register. * testsuite/gas/i386/x86-64-mpx.s: Likewise. * testsuite/gas/i386/mpx.d: Updated. * testsuite/gas/i386/x86-64-mpx.d: Likewise. i386-dis: Check valid bnd register Since there are only 4 bnd registers, return "(bad)" for register number > 3. PR binutils/21594 * i386-dis.c (OP_E_register): Check valid bnd register. (OP_G): Likewise. Affects: <= 2.28 Author: H.J. Lu <hjl.tools@gmail.com> (From OE-Core rev: 98b66508f8b382f047d12df430b6e812a9336ab9) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-21 19:32:24 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: 1e97a1e6619a2fcb11b77eb117a79edeb552d66c (patch)
tree: 9c123d080eee5354247a4b46b3a066be21f28bac
parent: 5f6bb8fe3d884e8f272f3aca2486d0f68e384977 (diff)
download: poky-1e97a1e6619a2fcb11b77eb117a79edeb552d66c.tar.gz
3 files changed, 163 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 2b35cb154d..961364c81c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -86,6 +86,8 @@ SRC_URI = "\
     file://CVE-2017-9750.patch \
     file://CVE-2017-9752.patch \
     file://CVE-2017-9753_9754.patch \
+     file://CVE-2017-9755_1.patch \
+     file://CVE-2017-9755_2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
new file mode 100644
index 0000000000..3ad32189b1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
@@ -0,0 +1,60 @@
+commit 0d96e4df4812c3bad77c229dfef47a9bc115ac12
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Thu Jun 15 06:40:17 2017 -0700
+    i386-dis: Check valid bnd register
+    
+    Since there are only 4 bnd registers, return "(bad)" for register
+    number > 3.
+    
+        PR binutils/21594
+        * i386-dis.c (OP_E_register): Check valid bnd register.
+        (OP_G): Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-9755
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/opcodes/i386-dis.c
+===================================================================
+--- git.orig/opcodes/i386-dis.c 2017-09-21 15:38:46.907182525 +0530
+++ git/opcodes/i386-dis.c      2017-09-21 15:38:54.703174976 +0530
+@@ -15211,6 +15211,11 @@
+       names = address_mode == mode_64bit ? names64 : names32;
+       break;
+     case bnd_mode:
+      if (reg > 0x3)
+       {
+         oappend ("(bad)");
+         return;
+       }
+       names = names_bnd;
+       break;
+     case indir_v_mode:
+@@ -15751,6 +15756,11 @@
+       oappend (names64[modrm.reg + add]);
+       break;
+     case bnd_mode:
+      if (modrm.reg > 0x3)
+       {
+         oappend ("(bad)");
+         return;
+       }
+       oappend (names_bnd[modrm.reg]);
+       break;
+     case v_mode:
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog  2017-09-21 15:38:54.531175122 +0530
+++ git/opcodes/ChangeLog       2017-09-21 15:45:32.264491166 +0530
+@@ -1,3 +1,9 @@
+2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
+
+       PR binutils/21594
+       * i386-dis.c (OP_E_register): Check valid bnd register.
+       (OP_G): Likewise.
+
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21586
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
new file mode 100644
index 0000000000..69e1607d8b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
@@ -0,0 +1,101 @@
+commit 8cac017d35ef374e65acc98818a17cf8a652cbd0
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Thu Jun 15 08:21:48 2017 -0700
+    i386-dis: Add 2 tests with invalid bnd register
+    
+        PR binutils/21594
+        * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
+        register.
+        * testsuite/gas/i386/x86-64-mpx.s: Likewise.
+        * testsuite/gas/i386/mpx.d: Updated.
+        * testsuite/gas/i386/x86-64-mpx.d: Likewise.
+Upstream-Status: Backport
+CVE: CVE-2017-9755
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/gas/testsuite/gas/i386/mpx.d
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/mpx.d       2017-09-21 15:45:57.640640603 +0530
+++ git/gas/testsuite/gas/i386/mpx.d    2017-09-21 15:45:57.616640460 +0530
+@@ -130,4 +130,8 @@
+ 
+ [a-f0-9]+ <foo>:
+ [      ]*[a-f0-9]+:    f2 c3                   bnd ret 
+
+[a-f0-9]+ <bad>:
+[      ]*[a-f0-9]+:    0f 1a 30                bndldx \(%eax\),\(bad\)
+[      ]*[a-f0-9]+:    66 0f 1a c4             bndmov \(bad\),%bnd0
+ #pass
+Index: git/gas/testsuite/gas/i386/mpx.s
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/mpx.s       2017-09-21 15:45:57.640640603 +0530
+++ git/gas/testsuite/gas/i386/mpx.s    2017-09-21 15:45:57.616640460 +0530
+@@ -157,3 +157,15 @@
+        bnd ret
+ 
+ foo:   bnd ret
+
+bad:
+       # bndldx (%eax),(bad)
+       .byte 0x0f
+       .byte 0x1a
+       .byte 0x30
+
+       # bndmov (bad),%bnd0
+       .byte 0x66
+       .byte 0x0f
+       .byte 0x1a
+       .byte 0xc4
+Index: git/gas/testsuite/gas/i386/x86-64-mpx.d
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.d        2017-09-21 15:45:57.640640603 +0530
+++ git/gas/testsuite/gas/i386/x86-64-mpx.d     2017-09-21 15:45:57.616640460 +0530
+@@ -182,4 +182,8 @@
+ 
+ [a-f0-9]+ <foo>:
+ [      ]*[a-f0-9]+:    f2 c3                   bnd retq 
+
+[a-f0-9]+ <bad>:
+[      ]*[a-f0-9]+:    0f 1a 30                bndldx \(%rax\),\(bad\)
+[      ]*[a-f0-9]+:    66 0f 1a c4             bndmov \(bad\),%bnd0
+ #pass
+Index: git/gas/testsuite/gas/i386/x86-64-mpx.s
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.s        2017-09-21 15:45:57.640640603 +0530
+++ git/gas/testsuite/gas/i386/x86-64-mpx.s     2017-09-21 15:45:57.616640460 +0530
+@@ -209,3 +209,15 @@
+        bnd ret
+ 
+ foo:   bnd ret
+
+bad:
+       # bndldx (%eax),(bad)
+       .byte 0x0f
+       .byte 0x1a
+       .byte 0x30
+
+       # bndmov (bad),%bnd0
+       .byte 0x66
+       .byte 0x0f
+       .byte 0x1a
+       .byte 0xc4
+Index: git/gas/ChangeLog
+===================================================================
+--- git.orig/gas/ChangeLog      2017-09-21 15:38:53.143176323 +0530
+++ git/gas/ChangeLog   2017-09-21 15:48:07.134368927 +0530
+@@ -1,3 +1,12 @@
+2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
+
+       PR binutils/21594
+       * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
+       register.
+       * testsuite/gas/i386/x86-64-mpx.s: Likewise.
+       * testsuite/gas/i386/mpx.d: Updated.
+       * testsuite/gas/i386/x86-64-mpx.d: Likewise.
+
+ 2016-12-01  Nick Clifton  <nickc@redhat.com>
+ 
+        PR gas/20898
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-21 19:32:24 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	1e97a1e6619a2fcb11b77eb117a79edeb552d66c (patch)
tree	9c123d080eee5354247a4b46b3a066be21f28bac
parent	5f6bb8fe3d884e8f272f3aca2486d0f68e384977 (diff)
download	poky-1e97a1e6619a2fcb11b77eb117a79edeb552d66c.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 2b35cb154d..961364c81c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -86,6 +86,8 @@ SRC_URI = "\
86	file://CVE-2017-9750.patch \	86	file://CVE-2017-9750.patch \
87	file://CVE-2017-9752.patch \	87	file://CVE-2017-9752.patch \
88	file://CVE-2017-9753_9754.patch \	88	file://CVE-2017-9753_9754.patch \
		89	file://CVE-2017-9755_1.patch \
		90	file://CVE-2017-9755_2.patch \
89	"	91	"
90	S = "${WORKDIR}/git"	92	S = "${WORKDIR}/git"
91		93


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch new file mode 100644 index 0000000000..3ad32189b1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
@@ -0,0 +1,60 @@
		1	commit 0d96e4df4812c3bad77c229dfef47a9bc115ac12
		2	Author: H.J. Lu <hjl.tools@gmail.com>
		3	Date: Thu Jun 15 06:40:17 2017 -0700
		4
		5	i386-dis: Check valid bnd register
		6
		7	Since there are only 4 bnd registers, return "(bad)" for register
		8	number > 3.
		9
		10	PR binutils/21594
		11	* i386-dis.c (OP_E_register): Check valid bnd register.
		12	(OP_G): Likewise.
		13
		14	Upstream-Status: Backport
		15
		16	CVE: CVE-2017-9755
		17	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		18
		19	Index: git/opcodes/i386-dis.c
		20	===================================================================
		21	--- git.orig/opcodes/i386-dis.c 2017-09-21 15:38:46.907182525 +0530
		22	+++ git/opcodes/i386-dis.c 2017-09-21 15:38:54.703174976 +0530
		23	@@ -15211,6 +15211,11 @@
		24	names = address_mode == mode_64bit ? names64 : names32;
		25	break;
		26	case bnd_mode:
		27	+ if (reg > 0x3)
		28	+ {
		29	+ oappend ("(bad)");
		30	+ return;
		31	+ }
		32	names = names_bnd;
		33	break;
		34	case indir_v_mode:
		35	@@ -15751,6 +15756,11 @@
		36	oappend (names64[modrm.reg + add]);
		37	break;
		38	case bnd_mode:
		39	+ if (modrm.reg > 0x3)
		40	+ {
		41	+ oappend ("(bad)");
		42	+ return;
		43	+ }
		44	oappend (names_bnd[modrm.reg]);
		45	break;
		46	case v_mode:
		47	Index: git/opcodes/ChangeLog
		48	===================================================================
		49	--- git.orig/opcodes/ChangeLog 2017-09-21 15:38:54.531175122 +0530
		50	+++ git/opcodes/ChangeLog 2017-09-21 15:45:32.264491166 +0530
		51	@@ -1,3 +1,9 @@
		52	+2017-06-15 H.J. Lu <hongjiu.lu@intel.com>
		53	+
		54	+ PR binutils/21594
		55	+ * i386-dis.c (OP_E_register): Check valid bnd register.
		56	+ (OP_G): Likewise.
		57	+
		58	2017-06-15 Nick Clifton <nickc@redhat.com>
		59
		60	PR binutils/21586


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch new file mode 100644 index 0000000000..69e1607d8b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
@@ -0,0 +1,101 @@
		1	commit 8cac017d35ef374e65acc98818a17cf8a652cbd0
		2	Author: H.J. Lu <hjl.tools@gmail.com>
		3	Date: Thu Jun 15 08:21:48 2017 -0700
		4
		5	i386-dis: Add 2 tests with invalid bnd register
		6
		7	PR binutils/21594
		8	* testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
		9	register.
		10	* testsuite/gas/i386/x86-64-mpx.s: Likewise.
		11	* testsuite/gas/i386/mpx.d: Updated.
		12	* testsuite/gas/i386/x86-64-mpx.d: Likewise.
		13
		14	Upstream-Status: Backport
		15
		16	CVE: CVE-2017-9755
		17	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		18
		19	Index: git/gas/testsuite/gas/i386/mpx.d
		20	===================================================================
		21	--- git.orig/gas/testsuite/gas/i386/mpx.d 2017-09-21 15:45:57.640640603 +0530
		22	+++ git/gas/testsuite/gas/i386/mpx.d 2017-09-21 15:45:57.616640460 +0530
		23	@@ -130,4 +130,8 @@
		24
		25	[a-f0-9]+ <foo>:
		26	[ ]*[a-f0-9]+: f2 c3 bnd ret
		27	+
		28	+[a-f0-9]+ <bad>:
		29	+[ ]*[a-f0-9]+: 0f 1a 30 bndldx \(%eax\),\(bad\)
		30	+[ ]*[a-f0-9]+: 66 0f 1a c4 bndmov \(bad\),%bnd0
		31	#pass
		32	Index: git/gas/testsuite/gas/i386/mpx.s
		33	===================================================================
		34	--- git.orig/gas/testsuite/gas/i386/mpx.s 2017-09-21 15:45:57.640640603 +0530
		35	+++ git/gas/testsuite/gas/i386/mpx.s 2017-09-21 15:45:57.616640460 +0530
		36	@@ -157,3 +157,15 @@
		37	bnd ret
		38
		39	foo: bnd ret
		40	+
		41	+bad:
		42	+ # bndldx (%eax),(bad)
		43	+ .byte 0x0f
		44	+ .byte 0x1a
		45	+ .byte 0x30
		46	+
		47	+ # bndmov (bad),%bnd0
		48	+ .byte 0x66
		49	+ .byte 0x0f
		50	+ .byte 0x1a
		51	+ .byte 0xc4
		52	Index: git/gas/testsuite/gas/i386/x86-64-mpx.d
		53	===================================================================
		54	--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.d 2017-09-21 15:45:57.640640603 +0530
		55	+++ git/gas/testsuite/gas/i386/x86-64-mpx.d 2017-09-21 15:45:57.616640460 +0530
		56	@@ -182,4 +182,8 @@
		57
		58	[a-f0-9]+ <foo>:
		59	[ ]*[a-f0-9]+: f2 c3 bnd retq
		60	+
		61	+[a-f0-9]+ <bad>:
		62	+[ ]*[a-f0-9]+: 0f 1a 30 bndldx \(%rax\),\(bad\)
		63	+[ ]*[a-f0-9]+: 66 0f 1a c4 bndmov \(bad\),%bnd0
		64	#pass
		65	Index: git/gas/testsuite/gas/i386/x86-64-mpx.s
		66	===================================================================
		67	--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.s 2017-09-21 15:45:57.640640603 +0530
		68	+++ git/gas/testsuite/gas/i386/x86-64-mpx.s 2017-09-21 15:45:57.616640460 +0530
		69	@@ -209,3 +209,15 @@
		70	bnd ret
		71
		72	foo: bnd ret
		73	+
		74	+bad:
		75	+ # bndldx (%eax),(bad)
		76	+ .byte 0x0f
		77	+ .byte 0x1a
		78	+ .byte 0x30
		79	+
		80	+ # bndmov (bad),%bnd0
		81	+ .byte 0x66
		82	+ .byte 0x0f
		83	+ .byte 0x1a
		84	+ .byte 0xc4
		85	Index: git/gas/ChangeLog
		86	===================================================================
		87	--- git.orig/gas/ChangeLog 2017-09-21 15:38:53.143176323 +0530
		88	+++ git/gas/ChangeLog 2017-09-21 15:48:07.134368927 +0530
		89	@@ -1,3 +1,12 @@
		90	+2017-06-15 H.J. Lu <hongjiu.lu@intel.com>
		91	+
		92	+ PR binutils/21594
		93	+ * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
		94	+ register.
		95	+ * testsuite/gas/i386/x86-64-mpx.s: Likewise.
		96	+ * testsuite/gas/i386/mpx.d: Updated.
		97	+ * testsuite/gas/i386/x86-64-mpx.d: Likewise.
		98	+
		99	2016-12-01 Nick Clifton <nickc@redhat.com>
		100
		101	PR gas/20898