binutils: CVE-2017-15024

Source: binutils-gdb.git MR: 76524 Type: Security Fix Disposition: Backport from binutils master ChangeID: 5f22a66eabb228b655605b964ecd350aee700806 Description: PR22187, infinite loop in find_abstract_instance_name This patch prevents the simple case of infinite recursion in find_abstract_instance_name by ensuring that the attributes being processed are not the same as the previous call. The patch also does a little cleanup, and leaves in place some changes to the nested_funcs array that I made when I wrongly thought looping might occur in scan_unit_for_symbols. PR 22187 * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and pname param. Return status. Make name const. Don't abort, return an error. Formatting. Exit if current info_ptr matches orig_info_ptr. Update callers. (scan_unit_for_symbols): Start at nesting_level of zero. Make nested_funcs an array of structs for extensibility. Formatting. Affects: <= 2.29 (From OE-Core rev: 3e88bb5e933ebbf9c3445bac1814dc0ac105bf45) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-11-08 13:41:00 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:09 +0000
commit: 7006ecaba3457fe48673b9c1da164a5165453eb0 (patch)
tree: de6859ddcbf2d511035530feb90b4bdd4ba2cfa5
parent: 05281ec4a64e22b2c8fcaa153e0f03464800092c (diff)
download: poky-7006ecaba3457fe48673b9c1da164a5165453eb0.tar.gz
2 files changed, 242 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index b1669a4ef0..ae43d2a5d2 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -101,6 +101,7 @@ SRC_URI = "\
     file://CVE-2017-9955_8.patch \
     file://CVE-2017-9955_9.patch \
     file://CVE-2017-14729.patch \
+     file://CVE-2017-15024.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
new file mode 100644
index 0000000000..ef42b13597
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
@@ -0,0 +1,241 @@
+commit 52a93b95ec0771c97e26f0bb28630a271a667bd2
+Author: Alan Modra <amodra@gmail.com>
+Date:   Sun Sep 24 14:37:16 2017 +0930
+    PR22187, infinite loop in find_abstract_instance_name
+    
+    This patch prevents the simple case of infinite recursion in
+    find_abstract_instance_name by ensuring that the attributes being
+    processed are not the same as the previous call.
+    
+    The patch also does a little cleanup, and leaves in place some changes
+    to the nested_funcs array that I made when I wrongly thought looping
+    might occur in scan_unit_for_symbols.
+    
+        PR 22187
+        * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
+        pname param.  Return status.  Make name const.  Don't abort,
+        return an error.  Formatting.  Exit if current info_ptr matches
+        orig_info_ptr.  Update callers.
+        (scan_unit_for_symbols): Start at nesting_level of zero.  Make
+        nested_funcs an array of structs for extensibility.  Formatting.
+Upstream-Status: Backport
+CVE: CVE-2017-15024
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c       2017-11-08 12:44:59.198052588 +0530
+++ git/bfd/dwarf2.c    2017-11-08 12:45:10.670155730 +0530
+@@ -2273,9 +2273,11 @@
+     return FALSE;
+ }
+ 
+-static char *
+static bfd_boolean
+ find_abstract_instance_name (struct comp_unit *unit,
+                            bfd_byte *orig_info_ptr,
+                             struct attribute *attr_ptr,
+                            const char **pname,
+                             bfd_boolean *is_linkage)
+ {
+   bfd *abfd = unit->abfd;
+@@ -2285,7 +2287,7 @@
+   struct abbrev_info *abbrev;
+   bfd_uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  char *name = NULL;
+  const char *name = NULL;
+ 
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+@@ -2294,7 +2296,12 @@
+       /* We only support DW_FORM_ref_addr within the same file, so
+         any relocations should be resolved already.  */
+       if (!die_ref)
+-       abort ();
+       {
+         _bfd_error_handler
+           (_("Dwarf Error: Abstract instance DIE ref zero."));
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+ 
+       info_ptr = unit->sec_info_ptr + die_ref;
+       info_ptr_end = unit->end_ptr;
+@@ -2329,9 +2336,10 @@
+          (*_bfd_error_handler)
+            (_("Dwarf Error: Unable to read alt ref %u."), die_ref);
+          bfd_set_error (bfd_error_bad_value);
+-         return NULL;
+         return FALSE;
+        }
+-      info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size;
+      info_ptr_end = (unit->stash->alt_dwarf_info_buffer
+                     + unit->stash->alt_dwarf_info_size);
+ 
+       /* FIXME: Do we need to locate the correct CU, in a similar
+         fashion to the code in the DW_FORM_ref_addr case above ?  */
+@@ -2353,6 +2361,7 @@
+          (*_bfd_error_handler)
+            (_("Dwarf Error: Could not find abbrev number %u."), abbrev_number);
+          bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+        }
+       else
+        {
+@@ -2362,6 +2371,15 @@
+                                         info_ptr, info_ptr_end);
+              if (info_ptr == NULL)
+                break;
+             /* It doesn't ever make sense for DW_AT_specification to
+                refer to the same DIE.  Stop simple recursion.  */
+             if (info_ptr == orig_info_ptr)
+               {
+                 _bfd_error_handler
+                   (_("Dwarf Error: Abstract instance recursion detected."));
+                 bfd_set_error (bfd_error_bad_value);
+                 return FALSE;
+               }
+              switch (attr.name)
+                {
+                case DW_AT_name:
+@@ -2375,7 +2393,9 @@
+                    }
+                  break;
+                case DW_AT_specification:
+-                 name = find_abstract_instance_name (unit, &attr, is_linkage);
+                 if (!find_abstract_instance_name (unit, info_ptr, &attr,
+                                                   pname, is_linkage))
+                   return FALSE;
+                  break;
+                case DW_AT_linkage_name:
+                case DW_AT_MIPS_linkage_name:
+@@ -2393,7 +2413,8 @@
+            }
+        }
+     }
+-  return name;
+  *pname = name;
+  return TRUE;
+ }
+ 
+ static bfd_boolean
+@@ -2454,20 +2475,22 @@
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr = unit->first_child_die_ptr;
+   bfd_byte *info_ptr_end = unit->stash->info_ptr_end;
+-  int nesting_level = 1;
+-  struct funcinfo **nested_funcs;
+  int nesting_level = 0;
+  struct nest_funcinfo {
+    struct funcinfo *func;
+  } *nested_funcs;
+   int nested_funcs_size;
+ 
+   /* Maintain a stack of in-scope functions and inlined functions, which we
+      can use to set the caller_func field.  */
+   nested_funcs_size = 32;
+-  nested_funcs = (struct funcinfo **)
+-    bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *));
+  nested_funcs = (struct nest_funcinfo *)
+    bfd_malloc (nested_funcs_size * sizeof (*nested_funcs));
+   if (nested_funcs == NULL)
+     return FALSE;
+-  nested_funcs[nesting_level] = 0;
+  nested_funcs[nesting_level].func = 0;
+ 
+-  while (nesting_level)
+  while (nesting_level >= 0)
+     {
+       unsigned int abbrev_number, bytes_read, i;
+       struct abbrev_info *abbrev;
+@@ -2516,13 +2539,13 @@
+          BFD_ASSERT (!unit->cached);
+ 
+          if (func->tag == DW_TAG_inlined_subroutine)
+-           for (i = nesting_level - 1; i >= 1; i--)
+-             if (nested_funcs[i])
+           for (i = nesting_level; i-- != 0; )
+             if (nested_funcs[i].func)
+                {
+-                 func->caller_func = nested_funcs[i];
+                 func->caller_func = nested_funcs[i].func;
+                  break;
+                }
+-         nested_funcs[nesting_level] = func;
+         nested_funcs[nesting_level].func = func;
+        }
+       else
+        {
+@@ -2541,12 +2564,13 @@
+            }
+ 
+          /* No inline function in scope at this nesting level.  */
+-         nested_funcs[nesting_level] = 0;
+         nested_funcs[nesting_level].func = 0;
+        }
+ 
+       for (i = 0; i < abbrev->num_attrs; ++i)
+        {
+-         info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end);
+         info_ptr = read_attribute (&attr, &abbrev->attrs[i],
+                                    unit, info_ptr, info_ptr_end);
+          if (info_ptr == NULL)
+            goto fail;
+ 
+@@ -2565,8 +2589,10 @@
+ 
+                case DW_AT_abstract_origin:
+                case DW_AT_specification:
+-                 func->name = find_abstract_instance_name (unit, &attr,
+-                                                           &func->is_linkage);
+                 if (!find_abstract_instance_name (unit, info_ptr, &attr,
+                                                   &func->name,
+                                                   &func->is_linkage))
+                   goto fail;
+                  break;
+ 
+                case DW_AT_name:
+@@ -2691,17 +2717,17 @@
+ 
+          if (nesting_level >= nested_funcs_size)
+            {
+-             struct funcinfo **tmp;
+             struct nest_funcinfo *tmp;
+ 
+              nested_funcs_size *= 2;
+-             tmp = (struct funcinfo **)
+             tmp = (struct nest_funcinfo *)
+                bfd_realloc (nested_funcs,
+-                            nested_funcs_size * sizeof (struct funcinfo *));
+                            nested_funcs_size * sizeof (*nested_funcs));
+              if (tmp == NULL)
+                goto fail;
+              nested_funcs = tmp;
+            }
+-         nested_funcs[nesting_level] = 0;
+         nested_funcs[nesting_level].func = 0;
+        }
+     }
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-11-08 12:45:10.614155229 +0530
+++ git/bfd/ChangeLog   2017-11-08 12:46:55.791054918 +0530
+@@ -1,3 +1,13 @@
+2017-09-24  Alan Modra  <amodra@gmail.com>
+
+       PR 22187
+       * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
+       pname param.  Return status.  Make name const.  Don't abort,
+       return an error.  Formatting.  Exit if current info_ptr matches
+       orig_info_ptr.  Update callers.
+       (scan_unit_for_symbols): Start at nesting_level of zero.  Make
+       nested_funcs an array of structs for extensibility.  Formatting.
+
+ 2017-09-22  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR binutils/22170
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-11-08 13:41:00 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:09 +0000
commit	7006ecaba3457fe48673b9c1da164a5165453eb0 (patch)
tree	de6859ddcbf2d511035530feb90b4bdd4ba2cfa5
parent	05281ec4a64e22b2c8fcaa153e0f03464800092c (diff)
download	poky-7006ecaba3457fe48673b9c1da164a5165453eb0.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index b1669a4ef0..ae43d2a5d2 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -101,6 +101,7 @@ SRC_URI = "\
101	file://CVE-2017-9955_8.patch \	101	file://CVE-2017-9955_8.patch \
102	file://CVE-2017-9955_9.patch \	102	file://CVE-2017-9955_9.patch \
103	file://CVE-2017-14729.patch \	103	file://CVE-2017-14729.patch \
		104	file://CVE-2017-15024.patch \
104	"	105	"
105	S = "${WORKDIR}/git"	106	S = "${WORKDIR}/git"
106		107


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch new file mode 100644 index 0000000000..ef42b13597 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
@@ -0,0 +1,241 @@
		1	commit 52a93b95ec0771c97e26f0bb28630a271a667bd2
		2	Author: Alan Modra <amodra@gmail.com>
		3	Date: Sun Sep 24 14:37:16 2017 +0930
		4
		5	PR22187, infinite loop in find_abstract_instance_name
		6
		7	This patch prevents the simple case of infinite recursion in
		8	find_abstract_instance_name by ensuring that the attributes being
		9	processed are not the same as the previous call.
		10
		11	The patch also does a little cleanup, and leaves in place some changes
		12	to the nested_funcs array that I made when I wrongly thought looping
		13	might occur in scan_unit_for_symbols.
		14
		15	PR 22187
		16	* dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
		17	pname param. Return status. Make name const. Don't abort,
		18	return an error. Formatting. Exit if current info_ptr matches
		19	orig_info_ptr. Update callers.
		20	(scan_unit_for_symbols): Start at nesting_level of zero. Make
		21	nested_funcs an array of structs for extensibility. Formatting.
		22
		23	Upstream-Status: Backport
		24
		25	CVE: CVE-2017-15024
		26	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		27
		28	Index: git/bfd/dwarf2.c
		29	===================================================================
		30	--- git.orig/bfd/dwarf2.c 2017-11-08 12:44:59.198052588 +0530
		31	+++ git/bfd/dwarf2.c 2017-11-08 12:45:10.670155730 +0530
		32	@@ -2273,9 +2273,11 @@
		33	return FALSE;
		34	}
		35
		36	-static char *
		37	+static bfd_boolean
		38	find_abstract_instance_name (struct comp_unit *unit,
		39	+ bfd_byte *orig_info_ptr,
		40	struct attribute *attr_ptr,
		41	+ const char **pname,
		42	bfd_boolean *is_linkage)
		43	{
		44	bfd *abfd = unit->abfd;
		45	@@ -2285,7 +2287,7 @@
		46	struct abbrev_info *abbrev;
		47	bfd_uint64_t die_ref = attr_ptr->u.val;
		48	struct attribute attr;
		49	- char *name = NULL;
		50	+ const char *name = NULL;
		51
		52	/* DW_FORM_ref_addr can reference an entry in a different CU. It
		53	is an offset from the .debug_info section, not the current CU. */
		54	@@ -2294,7 +2296,12 @@
		55	/* We only support DW_FORM_ref_addr within the same file, so
		56	any relocations should be resolved already. */
		57	if (!die_ref)
		58	- abort ();
		59	+ {
		60	+ _bfd_error_handler
		61	+ (_("Dwarf Error: Abstract instance DIE ref zero."));
		62	+ bfd_set_error (bfd_error_bad_value);
		63	+ return FALSE;
		64	+ }
		65
		66	info_ptr = unit->sec_info_ptr + die_ref;
		67	info_ptr_end = unit->end_ptr;
		68	@@ -2329,9 +2336,10 @@
		69	(*_bfd_error_handler)
		70	(_("Dwarf Error: Unable to read alt ref %u."), die_ref);
		71	bfd_set_error (bfd_error_bad_value);
		72	- return NULL;
		73	+ return FALSE;
		74	}
		75	- info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size;
		76	+ info_ptr_end = (unit->stash->alt_dwarf_info_buffer
		77	+ + unit->stash->alt_dwarf_info_size);
		78
		79	/* FIXME: Do we need to locate the correct CU, in a similar
		80	fashion to the code in the DW_FORM_ref_addr case above ? */
		81	@@ -2353,6 +2361,7 @@
		82	(*_bfd_error_handler)
		83	(_("Dwarf Error: Could not find abbrev number %u."), abbrev_number);
		84	bfd_set_error (bfd_error_bad_value);
		85	+ return FALSE;
		86	}
		87	else
		88	{
		89	@@ -2362,6 +2371,15 @@
		90	info_ptr, info_ptr_end);
		91	if (info_ptr == NULL)
		92	break;
		93	+ /* It doesn't ever make sense for DW_AT_specification to
		94	+ refer to the same DIE. Stop simple recursion. */
		95	+ if (info_ptr == orig_info_ptr)
		96	+ {
		97	+ _bfd_error_handler
		98	+ (_("Dwarf Error: Abstract instance recursion detected."));
		99	+ bfd_set_error (bfd_error_bad_value);
		100	+ return FALSE;
		101	+ }
		102	switch (attr.name)
		103	{
		104	case DW_AT_name:
		105	@@ -2375,7 +2393,9 @@
		106	}
		107	break;
		108	case DW_AT_specification:
		109	- name = find_abstract_instance_name (unit, &attr, is_linkage);
		110	+ if (!find_abstract_instance_name (unit, info_ptr, &attr,
		111	+ pname, is_linkage))
		112	+ return FALSE;
		113	break;
		114	case DW_AT_linkage_name:
		115	case DW_AT_MIPS_linkage_name:
		116	@@ -2393,7 +2413,8 @@
		117	}
		118	}
		119	}
		120	- return name;
		121	+ *pname = name;
		122	+ return TRUE;
		123	}
		124
		125	static bfd_boolean
		126	@@ -2454,20 +2475,22 @@
		127	bfd *abfd = unit->abfd;
		128	bfd_byte *info_ptr = unit->first_child_die_ptr;
		129	bfd_byte *info_ptr_end = unit->stash->info_ptr_end;
		130	- int nesting_level = 1;
		131	- struct funcinfo **nested_funcs;
		132	+ int nesting_level = 0;
		133	+ struct nest_funcinfo {
		134	+ struct funcinfo *func;
		135	+ } *nested_funcs;
		136	int nested_funcs_size;
		137
		138	/* Maintain a stack of in-scope functions and inlined functions, which we
		139	can use to set the caller_func field. */
		140	nested_funcs_size = 32;
		141	- nested_funcs = (struct funcinfo **)
		142	- bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *));
		143	+ nested_funcs = (struct nest_funcinfo *)
		144	+ bfd_malloc (nested_funcs_size * sizeof (*nested_funcs));
		145	if (nested_funcs == NULL)
		146	return FALSE;
		147	- nested_funcs[nesting_level] = 0;
		148	+ nested_funcs[nesting_level].func = 0;
		149
		150	- while (nesting_level)
		151	+ while (nesting_level >= 0)
		152	{
		153	unsigned int abbrev_number, bytes_read, i;
		154	struct abbrev_info *abbrev;
		155	@@ -2516,13 +2539,13 @@
		156	BFD_ASSERT (!unit->cached);
		157
		158	if (func->tag == DW_TAG_inlined_subroutine)
		159	- for (i = nesting_level - 1; i >= 1; i--)
		160	- if (nested_funcs[i])
		161	+ for (i = nesting_level; i-- != 0; )
		162	+ if (nested_funcs[i].func)
		163	{
		164	- func->caller_func = nested_funcs[i];
		165	+ func->caller_func = nested_funcs[i].func;
		166	break;
		167	}
		168	- nested_funcs[nesting_level] = func;
		169	+ nested_funcs[nesting_level].func = func;
		170	}
		171	else
		172	{
		173	@@ -2541,12 +2564,13 @@
		174	}
		175
		176	/* No inline function in scope at this nesting level. */
		177	- nested_funcs[nesting_level] = 0;
		178	+ nested_funcs[nesting_level].func = 0;
		179	}
		180
		181	for (i = 0; i < abbrev->num_attrs; ++i)
		182	{
		183	- info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end);
		184	+ info_ptr = read_attribute (&attr, &abbrev->attrs[i],
		185	+ unit, info_ptr, info_ptr_end);
		186	if (info_ptr == NULL)
		187	goto fail;
		188
		189	@@ -2565,8 +2589,10 @@
		190
		191	case DW_AT_abstract_origin:
		192	case DW_AT_specification:
		193	- func->name = find_abstract_instance_name (unit, &attr,
		194	- &func->is_linkage);
		195	+ if (!find_abstract_instance_name (unit, info_ptr, &attr,
		196	+ &func->name,
		197	+ &func->is_linkage))
		198	+ goto fail;
		199	break;
		200
		201	case DW_AT_name:
		202	@@ -2691,17 +2717,17 @@
		203
		204	if (nesting_level >= nested_funcs_size)
		205	{
		206	- struct funcinfo **tmp;
		207	+ struct nest_funcinfo *tmp;
		208
		209	nested_funcs_size *= 2;
		210	- tmp = (struct funcinfo **)
		211	+ tmp = (struct nest_funcinfo *)
		212	bfd_realloc (nested_funcs,
		213	- nested_funcs_size * sizeof (struct funcinfo *));
		214	+ nested_funcs_size * sizeof (*nested_funcs));
		215	if (tmp == NULL)
		216	goto fail;
		217	nested_funcs = tmp;
		218	}
		219	- nested_funcs[nesting_level] = 0;
		220	+ nested_funcs[nesting_level].func = 0;
		221	}
		222	}
		223
		224	Index: git/bfd/ChangeLog
		225	===================================================================
		226	--- git.orig/bfd/ChangeLog 2017-11-08 12:45:10.614155229 +0530
		227	+++ git/bfd/ChangeLog 2017-11-08 12:46:55.791054918 +0530
		228	@@ -1,3 +1,13 @@
		229	+2017-09-24 Alan Modra <amodra@gmail.com>
		230	+
		231	+ PR 22187
		232	+ * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
		233	+ pname param. Return status. Make name const. Don't abort,
		234	+ return an error. Formatting. Exit if current info_ptr matches
		235	+ orig_info_ptr. Update callers.
		236	+ (scan_unit_for_symbols): Start at nesting_level of zero. Make
		237	+ nested_funcs an array of structs for extensibility. Formatting.
		238	+
		239	2017-09-22 H.J. Lu <hongjiu.lu@intel.com>
		240
		241	PR binutils/22170