binutils: CVE-2017-9752

Source: binutils-gdb.git MR: 73971 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: fe0e1d0f234ed157135818c24f4270c34e093828 Description: Fix potential address violations when processing a corrupt Alpha VMA binary. PR binutils/21589 * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the maximum value for the ascic pointer. Check that name processing does not read beyond this value. (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the end of etir record. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: ea89dfe868085b463dfc24df78b49d1703989484) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Thiruvadi Rajaraman <trajaraman@mvista.com> 2017-09-21 19:24:44 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:08 +0000
commit: 3daf8af9487915421311042a9339de8e19b2d472 (patch)
tree: 9f9ab3bf4b476827bf199be4e43d9195efe33bbe /meta/recipes-devtools/binutils
parent: d2b21b2a14a6f18f5185cb77fab7903762b52af8 (diff)
download: poky-3daf8af9487915421311042a9339de8e19b2d472.tar.gz
2 files changed, 205 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 6580270284..54fb5d61c3 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -84,6 +84,7 @@ SRC_URI = "\
     file://CVE-2017-9748.patch \
     file://CVE-2017-9747.patch \
     file://CVE-2017-9750.patch \
+     file://CVE-2017-9752.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
new file mode 100644
index 0000000000..fce5b14b20
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,204 @@
+commit c53d2e6d744da000aaafe0237bced090aab62818
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Wed Jun 14 11:27:15 2017 +0100
+    Fix potential address violations when processing a corrupt Alpha VMA binary.
+    
+        PR binutils/21589
+        * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+        maximum value for the ascic pointer.  Check that name processing
+        does not read beyond this value.
+        (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+        end of etir record.
+Upstream-Status: Backport
+CVE: CVE-2017-9752
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c    2017-09-21 15:00:19.117805347 +0530
+++ git/bfd/vms-alpha.c 2017-09-21 15:00:20.673815960 +0530
+@@ -1507,7 +1507,7 @@
+ /* Write multiple bytes to section image.  */
+ 
+ static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
+image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+ {
+ #if VMS_DEBUG
+   _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1654,14 +1654,16 @@
+ #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+ 
+ static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
+_bfd_vms_get_value (bfd *abfd,
+                   const unsigned char *ascic,
+                   const unsigned char *max_ascic,
+                     struct bfd_link_info *info,
+                     bfd_vma *vma,
+                     struct alpha_vms_link_hash_entry **hp)
+ {
+   char name[257];
+-  int len;
+-  int i;
+  unsigned int len;
+  unsigned int i;
+   struct alpha_vms_link_hash_entry *h;
+ 
+   /* Not linking.  Do not try to resolve the symbol.  */
+@@ -1673,6 +1675,14 @@
+     }
+ 
+   len = *ascic;
+  if (ascic + len >= max_ascic)
+    {
+      _bfd_error_handler (_("Corrupt vms value"));
+      *vma = 0;
+      *hp = NULL;
+      return;
+    }
+
+   for (i = 0; i < len; i++)
+     name[i] = ascic[i + 1];
+   name[i] = 0;
+@@ -1797,6 +1807,15 @@
+       _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+ 
+      /* PR 21589: Check for a corrupt ETIR record.  */
+      if (cmd_length < 4)
+       {
+       corrupt_etir:
+         _bfd_error_handler (_("Corrupt ETIR record encountered"));
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+
+       switch (cmd)
+         {
+           /* Stack global
+@@ -1804,7 +1823,7 @@
+ 
+              stack 32 bit value of symbol (high bits set to 0).  */
+         case ETIR__C_STA_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+           break;
+ 
+@@ -1813,6 +1832,8 @@
+ 
+              stack 32 bit value, sign extend to 64 bit.  */
+         case ETIR__C_STA_LW:
+         if (ptr + 4 >= maxptr)
+           goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1821,6 +1842,8 @@
+ 
+              stack 64 bit value of symbol.  */
+         case ETIR__C_STA_QW:
+         if (ptr + 8 >= maxptr)
+           goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1834,6 +1857,8 @@
+           {
+             int psect;
+ 
+           if (ptr + 12 >= maxptr)
+             goto corrupt_etir;
+             psect = bfd_getl32 (ptr);
+             if ((unsigned int) psect >= PRIV (section_count))
+               {
+@@ -1923,6 +1948,8 @@
+           {
+             int size;
+ 
+           if (ptr + 4 >= maxptr)
+             goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             _bfd_vms_pop (abfd, &op1, &rel1);
+             if (rel1 != RELC_NONE)
+@@ -1935,7 +1962,7 @@
+           /* Store global: write symbol value
+              arg: cs   global symbol name.  */
+         case ETIR__C_STO_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -1957,7 +1984,7 @@
+           /* Store code address: write address of entry point
+              arg: cs   global symbol name (procedure).  */
+         case ETIR__C_STO_CA:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->flags & EGSY__V_NORM)
+@@ -2002,8 +2029,10 @@
+              da        data.  */
+         case ETIR__C_STO_IMM:
+           {
+-            int size;
+            unsigned int size;
+ 
+           if (ptr + 4 >= maxptr)
+             goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             image_write (abfd, ptr + 4, size);
+           }
+@@ -2016,7 +2045,7 @@
+              store global longword: store 32bit value of symbol
+              arg: cs   symbol name.  */
+         case ETIR__C_STO_GBL_LW:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ #if 0
+           abort ();
+ #endif
+@@ -2069,7 +2098,7 @@
+              da        signature.  */
+ 
+         case ETIR__C_STC_LP_PSB:
+-          _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -2165,6 +2194,8 @@
+           /* Augment relocation base: increment image location counter by offset
+              arg: lw   offset value.  */
+         case ETIR__C_CTL_AUGRB:
+         if (ptr + 4 >= maxptr)
+           goto corrupt_etir;
+           op1 = bfd_getl32 (ptr);
+           image_inc_ptr (abfd, op1);
+           break;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog      2017-09-21 15:04:44.000000000 +0530
+++ git/bfd/ChangeLog   2017-09-21 15:07:58.268949291 +0530
+@@ -81,6 +81,15 @@
+        PR binutils/21581
+        (ieee_archive_p): Likewise.
+ 
+2017-06-14  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21589
+       * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+       maximum value for the ascic pointer.  Check that name processing
+       does not read beyond this value.
+       (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+       end of etir record.
+
+ 2017-04-29  Alan Modra  <amodra@gmail.com>
+ 
+        PR 21432
author	Thiruvadi Rajaraman <trajaraman@mvista.com>	2017-09-21 19:24:44 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:08 +0000
commit	3daf8af9487915421311042a9339de8e19b2d472 (patch)
tree	9f9ab3bf4b476827bf199be4e43d9195efe33bbe /meta/recipes-devtools/binutils
parent	d2b21b2a14a6f18f5185cb77fab7903762b52af8 (diff)
download	poky-3daf8af9487915421311042a9339de8e19b2d472.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 6580270284..54fb5d61c3 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -84,6 +84,7 @@ SRC_URI = "\
84	file://CVE-2017-9748.patch \	84	file://CVE-2017-9748.patch \
85	file://CVE-2017-9747.patch \	85	file://CVE-2017-9747.patch \
86	file://CVE-2017-9750.patch \	86	file://CVE-2017-9750.patch \
		87	file://CVE-2017-9752.patch \
87	"	88	"
88	S = "${WORKDIR}/git"	89	S = "${WORKDIR}/git"
89		90


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch new file mode 100644 index 0000000000..fce5b14b20 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,204 @@
		1	commit c53d2e6d744da000aaafe0237bced090aab62818
		2	Author: Nick Clifton <nickc@redhat.com>
		3	Date: Wed Jun 14 11:27:15 2017 +0100
		4
		5	Fix potential address violations when processing a corrupt Alpha VMA binary.
		6
		7	PR binutils/21589
		8	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
		9	maximum value for the ascic pointer. Check that name processing
		10	does not read beyond this value.
		11	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
		12	end of etir record.
		13
		14	Upstream-Status: Backport
		15
		16	CVE: CVE-2017-9752
		17	Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
		18
		19	Index: git/bfd/vms-alpha.c
		20	===================================================================
		21	--- git.orig/bfd/vms-alpha.c 2017-09-21 15:00:19.117805347 +0530
		22	+++ git/bfd/vms-alpha.c 2017-09-21 15:00:20.673815960 +0530
		23	@@ -1507,7 +1507,7 @@
		24	/* Write multiple bytes to section image. */
		25
		26	static bfd_boolean
		27	-image_write (bfd abfd, unsigned char ptr, int size)
		28	+image_write (bfd abfd, unsigned char ptr, unsigned int size)
		29	{
		30	#if VMS_DEBUG
		31	_bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
		32	@@ -1654,14 +1654,16 @@
		33	#define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
		34
		35	static void
		36	-_bfd_vms_get_value (bfd abfd, const unsigned char ascic,
		37	+_bfd_vms_get_value (bfd *abfd,
		38	+ const unsigned char *ascic,
		39	+ const unsigned char *max_ascic,
		40	struct bfd_link_info *info,
		41	bfd_vma *vma,
		42	struct alpha_vms_link_hash_entry **hp)
		43	{
		44	char name[257];
		45	- int len;
		46	- int i;
		47	+ unsigned int len;
		48	+ unsigned int i;
		49	struct alpha_vms_link_hash_entry *h;
		50
		51	/* Not linking. Do not try to resolve the symbol. */
		52	@@ -1673,6 +1675,14 @@
		53	}
		54
		55	len = *ascic;
		56	+ if (ascic + len >= max_ascic)
		57	+ {
		58	+ _bfd_error_handler (_("Corrupt vms value"));
		59	+ *vma = 0;
		60	+ *hp = NULL;
		61	+ return;
		62	+ }
		63	+
		64	for (i = 0; i < len; i++)
		65	name[i] = ascic[i + 1];
		66	name[i] = 0;
		67	@@ -1797,6 +1807,15 @@
		68	_bfd_hexdump (8, ptr, cmd_length - 4, 0);
		69	#endif
		70
		71	+ /* PR 21589: Check for a corrupt ETIR record. */
		72	+ if (cmd_length < 4)
		73	+ {
		74	+ corrupt_etir:
		75	+ _bfd_error_handler (_("Corrupt ETIR record encountered"));
		76	+ bfd_set_error (bfd_error_bad_value);
		77	+ return FALSE;
		78	+ }
		79	+
		80	switch (cmd)
		81	{
		82	/* Stack global
		83	@@ -1804,7 +1823,7 @@
		84
		85	stack 32 bit value of symbol (high bits set to 0). */
		86	case ETIR__C_STA_GBL:
		87	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		88	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		89	_bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
		90	break;
		91
		92	@@ -1813,6 +1832,8 @@
		93
		94	stack 32 bit value, sign extend to 64 bit. */
		95	case ETIR__C_STA_LW:
		96	+ if (ptr + 4 >= maxptr)
		97	+ goto corrupt_etir;
		98	_bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
		99	break;
		100
		101	@@ -1821,6 +1842,8 @@
		102
		103	stack 64 bit value of symbol. */
		104	case ETIR__C_STA_QW:
		105	+ if (ptr + 8 >= maxptr)
		106	+ goto corrupt_etir;
		107	_bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
		108	break;
		109
		110	@@ -1834,6 +1857,8 @@
		111	{
		112	int psect;
		113
		114	+ if (ptr + 12 >= maxptr)
		115	+ goto corrupt_etir;
		116	psect = bfd_getl32 (ptr);
		117	if ((unsigned int) psect >= PRIV (section_count))
		118	{
		119	@@ -1923,6 +1948,8 @@
		120	{
		121	int size;
		122
		123	+ if (ptr + 4 >= maxptr)
		124	+ goto corrupt_etir;
		125	size = bfd_getl32 (ptr);
		126	_bfd_vms_pop (abfd, &op1, &rel1);
		127	if (rel1 != RELC_NONE)
		128	@@ -1935,7 +1962,7 @@
		129	/* Store global: write symbol value
		130	arg: cs global symbol name. */
		131	case ETIR__C_STO_GBL:
		132	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		133	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		134	if (h && h->sym)
		135	{
		136	if (h->sym->typ == EGSD__C_SYMG)
		137	@@ -1957,7 +1984,7 @@
		138	/* Store code address: write address of entry point
		139	arg: cs global symbol name (procedure). */
		140	case ETIR__C_STO_CA:
		141	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		142	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		143	if (h && h->sym)
		144	{
		145	if (h->sym->flags & EGSY__V_NORM)
		146	@@ -2002,8 +2029,10 @@
		147	da data. */
		148	case ETIR__C_STO_IMM:
		149	{
		150	- int size;
		151	+ unsigned int size;
		152
		153	+ if (ptr + 4 >= maxptr)
		154	+ goto corrupt_etir;
		155	size = bfd_getl32 (ptr);
		156	image_write (abfd, ptr + 4, size);
		157	}
		158	@@ -2016,7 +2045,7 @@
		159	store global longword: store 32bit value of symbol
		160	arg: cs symbol name. */
		161	case ETIR__C_STO_GBL_LW:
		162	- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
		163	+ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
		164	#if 0
		165	abort ();
		166	#endif
		167	@@ -2069,7 +2098,7 @@
		168	da signature. */
		169
		170	case ETIR__C_STC_LP_PSB:
		171	- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
		172	+ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
		173	if (h && h->sym)
		174	{
		175	if (h->sym->typ == EGSD__C_SYMG)
		176	@@ -2165,6 +2194,8 @@
		177	/* Augment relocation base: increment image location counter by offset
		178	arg: lw offset value. */
		179	case ETIR__C_CTL_AUGRB:
		180	+ if (ptr + 4 >= maxptr)
		181	+ goto corrupt_etir;
		182	op1 = bfd_getl32 (ptr);
		183	image_inc_ptr (abfd, op1);
		184	break;
		185	Index: git/bfd/ChangeLog
		186	===================================================================
		187	--- git.orig/bfd/ChangeLog 2017-09-21 15:04:44.000000000 +0530
		188	+++ git/bfd/ChangeLog 2017-09-21 15:07:58.268949291 +0530
		189	@@ -81,6 +81,15 @@
		190	PR binutils/21581
		191	(ieee_archive_p): Likewise.
		192
		193	+2017-06-14 Nick Clifton <nickc@redhat.com>
		194	+
		195	+ PR binutils/21589
		196	+ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
		197	+ maximum value for the ascic pointer. Check that name processing
		198	+ does not read beyond this value.
		199	+ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
		200	+ end of etir record.
		201	+
		202	2017-04-29 Alan Modra <amodra@gmail.com>
		203
		204	PR 21432