binutils: CVE-2017-9753_and_CVE-2017-9754

Source: binutils-gdb.git MR: 73958, 73945 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: a39fdc82900af3f5d6ae396c913ac902f4ef7f60 Description: Fix seg-faults in objdump when disassembling a corrupt versados binary. PR binutils/21591 * versados.c (versados_mkobject): Zero the allocated tdata structure. (process_otr): Check for an invalid offset in the otr structure. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: 7d46daa5e580e841f83b9070b3c84e87d8fd1181) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-21 19:28:06 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: 5f6bb8fe3d884e8f272f3aca2486d0f68e384977 (patch)
tree: e76f644bd523bcc4a09249af297cf5592820b6f3
parent: 3daf8af9487915421311042a9339de8e19b2d472 (diff)
download: poky-5f6bb8fe3d884e8f272f3aca2486d0f68e384977.tar.gz
2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 54fb5d61c3..2b35cb154d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -85,6 +85,7 @@ SRC_URI = "\
     file://CVE-2017-9747.patch \
     file://CVE-2017-9750.patch \
     file://CVE-2017-9752.patch \
+     file://CVE-2017-9753_9754.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch
new file mode 100644
index 0000000000..fe1f9a100d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch
@@ -0,0 +1,76 @@
+commit 04f963fd489cae724a60140e13984415c205f4ac
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Wed Jun 14 10:35:16 2017 +0100
+    Fix seg-faults in objdump when disassembling a corrupt versados binary.
+    
+        PR binutils/21591
+        * versados.c (versados_mkobject): Zero the allocated tdata structure.
+        (process_otr): Check for an invalid offset in the otr structure.
+Upstream-Status: Backport
+CVE: CVE-2017-9753 and CVE-2017-9754
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/versados.c
+===================================================================
+--- git.orig/bfd/versados.c     2017-09-21 15:08:34.445197987 +0530
+++ git/bfd/versados.c  2017-09-21 15:08:34.429197878 +0530
+@@ -149,7 +149,7 @@
+   if (abfd->tdata.versados_data == NULL)
+     {
+       bfd_size_type amt = sizeof (tdata_type);
+-      tdata_type *tdata = bfd_alloc (abfd, amt);
+      tdata_type *tdata = bfd_zalloc (abfd, amt);
+ 
+       if (tdata == NULL)
+        return FALSE;
+@@ -344,13 +344,13 @@
+ };
+ 
+ static int
+-get_offset (int len, unsigned char *ptr)
+get_offset (unsigned int len, unsigned char *ptr)
+ {
+   int val = 0;
+ 
+   if (len)
+     {
+-      int i;
+      unsigned int i;
+ 
+       val = *ptr++;
+       if (val & 0x80)
+@@ -393,9 +393,13 @@
+          int flag = *srcp++;
+          int esdids = (flag >> 5) & 0x7;
+          int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
+-         int offsetlen = flag & 0x7;
+         unsigned int offsetlen = flag & 0x7;
+          int j;
+ 
+         /* PR 21591: Check for invalid lengths.  */
+         if (srcp + esdids + offsetlen >= endp)
+           return;
+
+          if (esdids == 0)
+            {
+              /* A zero esdid means the new pc is the offset given.  */
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 15:08:34.445197987 +0530
+++ git/bfd/ChangeLog   2017-09-21 15:08:34.429197878 +0530
+@@ -90,6 +90,12 @@
+        (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+        end of etir record.
+ 
+2017-06-14  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21591
+       * versados.c (versados_mkobject): Zero the allocated tdata structure.
+       (process_otr): Check for an invalid offset in the otr structure.
+
+ 2017-04-29  Alan Modra  <amodra@gmail.com>
+ 
+        PR 21432
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-21 19:28:06 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	5f6bb8fe3d884e8f272f3aca2486d0f68e384977 (patch)
tree	e76f644bd523bcc4a09249af297cf5592820b6f3
parent	3daf8af9487915421311042a9339de8e19b2d472 (diff)
download	poky-5f6bb8fe3d884e8f272f3aca2486d0f68e384977.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 54fb5d61c3..2b35cb154d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -85,6 +85,7 @@ SRC_URI = "\
85	file://CVE-2017-9747.patch \	85	file://CVE-2017-9747.patch \
86	file://CVE-2017-9750.patch \	86	file://CVE-2017-9750.patch \
87	file://CVE-2017-9752.patch \	87	file://CVE-2017-9752.patch \
		88	file://CVE-2017-9753_9754.patch \
88	"	89	"
89	S = "${WORKDIR}/git"	90	S = "${WORKDIR}/git"
90		91


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch new file mode 100644 index 0000000000..fe1f9a100d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9753_9754.patch
@@ -0,0 +1,76 @@
		1	commit 04f963fd489cae724a60140e13984415c205f4ac
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Wed Jun 14 10:35:16 2017 +0100
		4
		5	Fix seg-faults in objdump when disassembling a corrupt versados binary.
		6
		7	PR binutils/21591
		8	* versados.c (versados_mkobject): Zero the allocated tdata structure.
		9	(process_otr): Check for an invalid offset in the otr structure.
		10
		11	Upstream-Status: Backport
		12
		13	CVE: CVE-2017-9753 and CVE-2017-9754
		14	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		15
		16	Index: git/bfd/versados.c
		17	===================================================================
		18	--- git.orig/bfd/versados.c 2017-09-21 15:08:34.445197987 +0530
		19	+++ git/bfd/versados.c 2017-09-21 15:08:34.429197878 +0530
		20	@@ -149,7 +149,7 @@
		21	if (abfd->tdata.versados_data == NULL)
		22	{
		23	bfd_size_type amt = sizeof (tdata_type);
		24	- tdata_type *tdata = bfd_alloc (abfd, amt);
		25	+ tdata_type *tdata = bfd_zalloc (abfd, amt);
		26
		27	if (tdata == NULL)
		28	return FALSE;
		29	@@ -344,13 +344,13 @@
		30	};
		31
		32	static int
		33	-get_offset (int len, unsigned char *ptr)
		34	+get_offset (unsigned int len, unsigned char *ptr)
		35	{
		36	int val = 0;
		37
		38	if (len)
		39	{
		40	- int i;
		41	+ unsigned int i;
		42
		43	val = *ptr++;
		44	if (val & 0x80)
		45	@@ -393,9 +393,13 @@
		46	int flag = *srcp++;
		47	int esdids = (flag >> 5) & 0x7;
		48	int sizeinwords = ((flag >> 3) & 1) ? 2 : 1;
		49	- int offsetlen = flag & 0x7;
		50	+ unsigned int offsetlen = flag & 0x7;
		51	int j;
		52
		53	+ /* PR 21591: Check for invalid lengths. */
		54	+ if (srcp + esdids + offsetlen >= endp)
		55	+ return;
		56	+
		57	if (esdids == 0)
		58	{
		59	/* A zero esdid means the new pc is the offset given. */
		60	Index: git/bfd/ChangeLog
		61	===================================================================
		62	--- git.orig/bfd/ChangeLog 2017-09-21 15:08:34.445197987 +0530
		63	+++ git/bfd/ChangeLog 2017-09-21 15:08:34.429197878 +0530
		64	@@ -90,6 +90,12 @@
		65	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
		66	end of etir record.
		67
		68	+2017-06-14 Nick Clifton <nickc@redhat.com>
		69	+
		70	+ PR binutils/21591
		71	+ * versados.c (versados_mkobject): Zero the allocated tdata structure.
		72	+ (process_otr): Check for an invalid offset in the otr structure.
		73	+
		74	2017-04-29 Alan Modra <amodra@gmail.com>
		75
		76	PR 21432