binutils: fix CVE-2019-12972 CVE-2019-9071

(From OE-Core rev: 093f0914f261a27d58ecba9c1e9d3b78a35af012) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2019-07-10 10:37:22 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-11 09:32:50 +0100
commit: 6beec1687f850b80cd3f1e8b0c498b0b2a435827 (patch)
tree: 24219be6fc4588a0af29facbcdd68f6fe342f0bd /meta/recipes-devtools/binutils
parent: 157dc99982a73e4245b29c1189f2b9d858dcd628 (diff)
download: poky-6beec1687f850b80cd3f1e8b0c498b0b2a435827.tar.gz
3 files changed, 217 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 49e6827c1f..31c24a37f5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -48,6 +48,8 @@ SRC_URI = "\
     file://CVE-2019-9075.patch \
     file://CVE-2019-9076.patch \
     file://CVE-2019-9077.patch \
+     file://CVE-2019-9071.patch \
+     file://CVE-2019-12972.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 0000000000..07d1d65467
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,51 @@
+From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+        PR 24689
+        * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+Upstream-Status: Backport
+CVE: CVE-2019-12972
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 91f09e6346..e66fb40a2c 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,3 +1,8 @@
+2019-06-21  Alan Modra  <amodra@gmail.com>
+
+       PR 24689
+       * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+ 2019-02-20  Alan Modra  <amodra@gmail.com>
+ 
+        PR 24236
+diff --git a/bfd/elfcode.h b/bfd/elfcode.h
+index ec5ea766de..a35a629087 100644
+--- a/bfd/elfcode.h
+++ b/bfd/elfcode.h
+@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
+   /* A further sanity check.  */
+   if (i_ehdrp->e_shnum != 0)
+     {
+-      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
+      if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
+         || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+        {
+          /* PR 2257:
+             We used to just goto got_wrong_format_error here
+-- 
+2.20.1
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
new file mode 100644
index 0000000000..26f4809cf0
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -0,0 +1,164 @@
+From c1202057eb9161a86af27d867703235fee7b7555 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 10 Apr 2019 15:49:36 +0100
+Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
+ when demangling a pathalogically constructed mangled name.
+        PR 89394
+        * cp-demangle.c (cplus_demangle_fill_name): Reject negative
+        lengths.
+        (d_count_templates_scopes): Replace num_templates and num_scopes
+        parameters with a struct d_print_info pointer parameter.  Adjust
+        body of the function accordingly.  Add recursion counter and check
+        that the recursion limit is not reached.
+        (d_print_init): Pass dpi parameter to d_count_templates_scopes.
+        Reset recursion counter afterwards, unless the recursion limit was
+        reached.
+CVE: CVE-2019-9071
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ ChangeLog               | 16 ++++++++++++++
+ libiberty/cp-demangle.c | 48 ++++++++++++++++++++++-------------------
+ 2 files changed, 42 insertions(+), 22 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index cd631a15b6..4df3aaa62c 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,19 @@
+2019-04-10  Nick Clifton  <nickc@redhat.com>
+
+       * libiberty: Sync with gcc.  Bring in:
+       2019-04-10  Nick Clifton  <nickc@redhat.com>
+
+       PR 89394
+       * cp-demangle.c (cplus_demangle_fill_name): Reject negative
+       lengths.
+       (d_count_templates_scopes): Replace num_templates and num_scopes
+       parameters with a struct d_print_info pointer parameter.  Adjust
+       body of the function accordingly.  Add recursion counter and check
+       that the recursion limit is not reached.
+       (d_print_init): Pass dpi parameter to d_count_templates_scopes.
+       Reset recursion counter afterwards, unless the recursion limit was
+       reached.
+
+ 2018-06-24  Nick Clifton  <nickc@redhat.com>
+ 
+        2.32 branch created.
+diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
+index b34b485692..779b4e763a 100644
+--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
+@@ -861,7 +861,7 @@ CP_STATIC_IF_GLIBCPP_V3
+ int
+ cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len)
+ {
+-  if (p == NULL || s == NULL || len == 0)
+  if (p == NULL || s == NULL || len <= 0)
+     return 0;
+   p->d_printing = 0;
+   p->type = DEMANGLE_COMPONENT_NAME;
+@@ -4061,7 +4061,7 @@ d_growable_string_callback_adapter (const char *s, size_t l, void *opaque)
+    are larger than the actual numbers encountered.  */
+ 
+ static void
+-d_count_templates_scopes (int *num_templates, int *num_scopes,
+d_count_templates_scopes (struct d_print_info *dpi,
+                          const struct demangle_component *dc)
+ {
+   if (dc == NULL)
+@@ -4081,13 +4081,13 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
+       break;
+ 
+     case DEMANGLE_COMPONENT_TEMPLATE:
+-      (*num_templates)++;
+      dpi->num_copy_templates++;
+       goto recurse_left_right;
+ 
+     case DEMANGLE_COMPONENT_REFERENCE:
+     case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
+       if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
+-       (*num_scopes)++;
+       dpi->num_saved_scopes++;
+       goto recurse_left_right;
+ 
+     case DEMANGLE_COMPONENT_QUAL_NAME:
+@@ -4152,42 +4152,42 @@ d_count_templates_scopes (int *num_templates, int *num_scopes,
+     case DEMANGLE_COMPONENT_TAGGED_NAME:
+     case DEMANGLE_COMPONENT_CLONE:
+     recurse_left_right:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               d_left (dc));
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               d_right (dc));
+      /* PR 89394 - Check for too much recursion.  */
+      if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
+       /* FIXME: There ought to be a way to report to the
+          user that the recursion limit has been reached.  */
+       return;
+
+      ++ dpi->recursion;
+      d_count_templates_scopes (dpi, d_left (dc));
+      d_count_templates_scopes (dpi, d_right (dc));
+      -- dpi->recursion;
+       break;
+ 
+     case DEMANGLE_COMPONENT_CTOR:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               dc->u.s_ctor.name);
+      d_count_templates_scopes (dpi, dc->u.s_ctor.name);
+       break;
+ 
+     case DEMANGLE_COMPONENT_DTOR:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               dc->u.s_dtor.name);
+      d_count_templates_scopes (dpi, dc->u.s_dtor.name);
+       break;
+ 
+     case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               dc->u.s_extended_operator.name);
+      d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
+       break;
+ 
+     case DEMANGLE_COMPONENT_FIXED_TYPE:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                                dc->u.s_fixed.length);
+      d_count_templates_scopes (dpi, dc->u.s_fixed.length);
+       break;
+ 
+     case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
+     case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               d_left (dc));
+      d_count_templates_scopes (dpi, d_left (dc));
+       break;
+ 
+     case DEMANGLE_COMPONENT_LAMBDA:
+     case DEMANGLE_COMPONENT_DEFAULT_ARG:
+-      d_count_templates_scopes (num_templates, num_scopes,
+-                               dc->u.s_unary_num.sub);
+      d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
+       break;
+     }
+ }
+@@ -4222,8 +4222,12 @@ d_print_init (struct d_print_info *dpi, demangle_callbackref callback,
+   dpi->next_copy_template = 0;
+   dpi->num_copy_templates = 0;
+ 
+-  d_count_templates_scopes (&dpi->num_copy_templates,
+-                           &dpi->num_saved_scopes, dc);
+  d_count_templates_scopes (dpi, dc);
+  /* If we did not reach the recursion limit, then reset the
+     current recursion value back to 0, so that we can print
+     the templates.  */
+  if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
+    dpi->recursion = 0;
+   dpi->num_copy_templates *= dpi->num_saved_scopes;
+ 
+   dpi->current_template = NULL;
+-- 
+2.20.1
author	Anuj Mittal <anuj.mittal@intel.com>	2019-07-10 10:37:22 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-11 09:32:50 +0100
commit	6beec1687f850b80cd3f1e8b0c498b0b2a435827 (patch)
tree	24219be6fc4588a0af29facbcdd68f6fe342f0bd /meta/recipes-devtools/binutils
parent	157dc99982a73e4245b29c1189f2b9d858dcd628 (diff)
download	poky-6beec1687f850b80cd3f1e8b0c498b0b2a435827.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc index 49e6827c1f..31c24a37f5 100644 --- a/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -48,6 +48,8 @@ SRC_URI = "\
48	file://CVE-2019-9075.patch \	48	file://CVE-2019-9075.patch \
49	file://CVE-2019-9076.patch \	49	file://CVE-2019-9076.patch \
50	file://CVE-2019-9077.patch \	50	file://CVE-2019-9077.patch \
		51	file://CVE-2019-9071.patch \
		52	file://CVE-2019-12972.patch \
51	"	53	"
52	S = "${WORKDIR}/git"	54	S = "${WORKDIR}/git"
53		55


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch new file mode 100644 index 0000000000..07d1d65467 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,51 @@
		1	From 30bcc01478433a1cb05b36dc5c4beef7d2c89b5b Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Fri, 21 Jun 2019 11:51:38 +0930
		4	Subject: [PATCH] PR24689, string table corruption
		5
		6	The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
		7	hdr->contents were initialized by setup_group rather than being read
		8	from the file, thus last byte was not zero and string dereference ran
		9	off the end of the buffer.
		10
		11	PR 24689
		12	* elfcode.h (elf_object_p): Check type of e_shstrndx section.
		13
		14	Upstream-Status: Backport
		15	CVE: CVE-2019-12972
		16	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		17	---
		18	bfd/ChangeLog \| 5 +++++
		19	bfd/elfcode.h \| 3 ++-
		20	2 files changed, 7 insertions(+), 1 deletion(-)
		21
		22	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
		23	index 91f09e6346..e66fb40a2c 100644
		24	--- a/bfd/ChangeLog
		25	+++ b/bfd/ChangeLog
		26	@@ -1,3 +1,8 @@
		27	+2019-06-21 Alan Modra <amodra@gmail.com>
		28	+
		29	+ PR 24689
		30	+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
		31	+
		32	2019-02-20 Alan Modra <amodra@gmail.com>
		33
		34	PR 24236
		35	diff --git a/bfd/elfcode.h b/bfd/elfcode.h
		36	index ec5ea766de..a35a629087 100644
		37	--- a/bfd/elfcode.h
		38	+++ b/bfd/elfcode.h
		39	@@ -755,7 +755,8 @@ elf_object_p (bfd *abfd)
		40	/* A further sanity check. */
		41	if (i_ehdrp->e_shnum != 0)
		42	{
		43	- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
		44	+ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
		45	+ \|\| i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
		46	{
		47	/* PR 2257:
		48	We used to just goto got_wrong_format_error here
		49	--
		50	2.20.1
		51


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch new file mode 100644 index 0000000000..26f4809cf0 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9071.patch
@@ -0,0 +1,164 @@
		1	From c1202057eb9161a86af27d867703235fee7b7555 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Wed, 10 Apr 2019 15:49:36 +0100
		4	Subject: [PATCH] Pull in patch for libiberty that fixes a stack exhaustion bug
		5	when demangling a pathalogically constructed mangled name.
		6
		7	PR 89394
		8	* cp-demangle.c (cplus_demangle_fill_name): Reject negative
		9	lengths.
		10	(d_count_templates_scopes): Replace num_templates and num_scopes
		11	parameters with a struct d_print_info pointer parameter. Adjust
		12	body of the function accordingly. Add recursion counter and check
		13	that the recursion limit is not reached.
		14	(d_print_init): Pass dpi parameter to d_count_templates_scopes.
		15	Reset recursion counter afterwards, unless the recursion limit was
		16	reached.
		17
		18	CVE: CVE-2019-9071
		19	Upstream-Status: Backport
		20	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
		21	---
		22	ChangeLog \| 16 ++++++++++++++
		23	libiberty/cp-demangle.c \| 48 ++++++++++++++++++++++-------------------
		24	2 files changed, 42 insertions(+), 22 deletions(-)
		25
		26	diff --git a/ChangeLog b/ChangeLog
		27	index cd631a15b6..4df3aaa62c 100644
		28	--- a/ChangeLog
		29	+++ b/ChangeLog
		30	@@ -1,3 +1,19 @@
		31	+2019-04-10 Nick Clifton <nickc@redhat.com>
		32	+
		33	+ * libiberty: Sync with gcc. Bring in:
		34	+ 2019-04-10 Nick Clifton <nickc@redhat.com>
		35	+
		36	+ PR 89394
		37	+ * cp-demangle.c (cplus_demangle_fill_name): Reject negative
		38	+ lengths.
		39	+ (d_count_templates_scopes): Replace num_templates and num_scopes
		40	+ parameters with a struct d_print_info pointer parameter. Adjust
		41	+ body of the function accordingly. Add recursion counter and check
		42	+ that the recursion limit is not reached.
		43	+ (d_print_init): Pass dpi parameter to d_count_templates_scopes.
		44	+ Reset recursion counter afterwards, unless the recursion limit was
		45	+ reached.
		46	+
		47	2018-06-24 Nick Clifton <nickc@redhat.com>
		48
		49	2.32 branch created.
		50	diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
		51	index b34b485692..779b4e763a 100644
		52	--- a/libiberty/cp-demangle.c
		53	+++ b/libiberty/cp-demangle.c
		54	@@ -861,7 +861,7 @@ CP_STATIC_IF_GLIBCPP_V3
		55	int
		56	cplus_demangle_fill_name (struct demangle_component p, const char s, int len)
		57	{
		58	- if (p == NULL \|\| s == NULL \|\| len == 0)
		59	+ if (p == NULL \|\| s == NULL \|\| len <= 0)
		60	return 0;
		61	p->d_printing = 0;
		62	p->type = DEMANGLE_COMPONENT_NAME;
		63	@@ -4061,7 +4061,7 @@ d_growable_string_callback_adapter (const char s, size_t l, void opaque)
		64	are larger than the actual numbers encountered. */
		65
		66	static void
		67	-d_count_templates_scopes (int num_templates, int num_scopes,
		68	+d_count_templates_scopes (struct d_print_info *dpi,
		69	const struct demangle_component *dc)
		70	{
		71	if (dc == NULL)
		72	@@ -4081,13 +4081,13 @@ d_count_templates_scopes (int num_templates, int num_scopes,
		73	break;
		74
		75	case DEMANGLE_COMPONENT_TEMPLATE:
		76	- (*num_templates)++;
		77	+ dpi->num_copy_templates++;
		78	goto recurse_left_right;
		79
		80	case DEMANGLE_COMPONENT_REFERENCE:
		81	case DEMANGLE_COMPONENT_RVALUE_REFERENCE:
		82	if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM)
		83	- (*num_scopes)++;
		84	+ dpi->num_saved_scopes++;
		85	goto recurse_left_right;
		86
		87	case DEMANGLE_COMPONENT_QUAL_NAME:
		88	@@ -4152,42 +4152,42 @@ d_count_templates_scopes (int num_templates, int num_scopes,
		89	case DEMANGLE_COMPONENT_TAGGED_NAME:
		90	case DEMANGLE_COMPONENT_CLONE:
		91	recurse_left_right:
		92	- d_count_templates_scopes (num_templates, num_scopes,
		93	- d_left (dc));
		94	- d_count_templates_scopes (num_templates, num_scopes,
		95	- d_right (dc));
		96	+ /* PR 89394 - Check for too much recursion. */
		97	+ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT)
		98	+ /* FIXME: There ought to be a way to report to the
		99	+ user that the recursion limit has been reached. */
		100	+ return;
		101	+
		102	+ ++ dpi->recursion;
		103	+ d_count_templates_scopes (dpi, d_left (dc));
		104	+ d_count_templates_scopes (dpi, d_right (dc));
		105	+ -- dpi->recursion;
		106	break;
		107
		108	case DEMANGLE_COMPONENT_CTOR:
		109	- d_count_templates_scopes (num_templates, num_scopes,
		110	- dc->u.s_ctor.name);
		111	+ d_count_templates_scopes (dpi, dc->u.s_ctor.name);
		112	break;
		113
		114	case DEMANGLE_COMPONENT_DTOR:
		115	- d_count_templates_scopes (num_templates, num_scopes,
		116	- dc->u.s_dtor.name);
		117	+ d_count_templates_scopes (dpi, dc->u.s_dtor.name);
		118	break;
		119
		120	case DEMANGLE_COMPONENT_EXTENDED_OPERATOR:
		121	- d_count_templates_scopes (num_templates, num_scopes,
		122	- dc->u.s_extended_operator.name);
		123	+ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name);
		124	break;
		125
		126	case DEMANGLE_COMPONENT_FIXED_TYPE:
		127	- d_count_templates_scopes (num_templates, num_scopes,
		128	- dc->u.s_fixed.length);
		129	+ d_count_templates_scopes (dpi, dc->u.s_fixed.length);
		130	break;
		131
		132	case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS:
		133	case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS:
		134	- d_count_templates_scopes (num_templates, num_scopes,
		135	- d_left (dc));
		136	+ d_count_templates_scopes (dpi, d_left (dc));
		137	break;
		138
		139	case DEMANGLE_COMPONENT_LAMBDA:
		140	case DEMANGLE_COMPONENT_DEFAULT_ARG:
		141	- d_count_templates_scopes (num_templates, num_scopes,
		142	- dc->u.s_unary_num.sub);
		143	+ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub);
		144	break;
		145	}
		146	}
		147	@@ -4222,8 +4222,12 @@ d_print_init (struct d_print_info *dpi, demangle_callbackref callback,
		148	dpi->next_copy_template = 0;
		149	dpi->num_copy_templates = 0;
		150
		151	- d_count_templates_scopes (&dpi->num_copy_templates,
		152	- &dpi->num_saved_scopes, dc);
		153	+ d_count_templates_scopes (dpi, dc);
		154	+ /* If we did not reach the recursion limit, then reset the
		155	+ current recursion value back to 0, so that we can print
		156	+ the templates. */
		157	+ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT)
		158	+ dpi->recursion = 0;
		159	dpi->num_copy_templates *= dpi->num_saved_scopes;
		160
		161	dpi->current_template = NULL;
		162	--
		163	2.20.1
		164