binutls: Security fix for CVE-2017-15024

Affects: <= 2.29.1 (From OE-Core rev: 349b3cfb39c76304e351481899de9f72e4f1295b) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-06 19:21:59 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:45 +0100
commit: 8011a1aed9287f9c4c108c7ad00d1f8588aedade (patch)
tree: e409dfbf294196e918422be4fb126307a83f764b /meta/recipes-devtools
parent: 9e7dc232e714189a8dc1233bd8c956891c79e5eb (diff)
download: poky-8011a1aed9287f9c4c108c7ad00d1f8588aedade.tar.gz
2 files changed, 228 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index caff121b75..3a56e973fb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
     file://CVE-2017-15021.patch \
     file://CVE-2017-15022.patch \
     file://CVE-2017-15023.patch \
+     file://CVE-2017-15024.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
new file mode 100644
index 0000000000..53b072ebaf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
@@ -0,0 +1,227 @@
+From 52a93b95ec0771c97e26f0bb28630a271a667bd2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 24 Sep 2017 14:37:16 +0930
+Subject: [PATCH] PR22187, infinite loop in find_abstract_instance_name
+This patch prevents the simple case of infinite recursion in
+find_abstract_instance_name by ensuring that the attributes being
+processed are not the same as the previous call.
+The patch also does a little cleanup, and leaves in place some changes
+to the nested_funcs array that I made when I wrongly thought looping
+might occur in scan_unit_for_symbols.
+        PR 22187
+        * dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
+        pname param.  Return status.  Make name const.  Don't abort,
+        return an error.  Formatting.  Exit if current info_ptr matches
+        orig_info_ptr.  Update callers.
+        (scan_unit_for_symbols): Start at nesting_level of zero.  Make
+        nested_funcs an array of structs for extensibility.  Formatting.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-15024
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 10 ++++++++
+ bfd/dwarf2.c  | 76 +++++++++++++++++++++++++++++++++++++++--------------------
+ 2 files changed, 61 insertions(+), 25 deletions(-)
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -2823,9 +2823,11 @@ lookup_symbol_in_variable_table (struct
+   return FALSE;
+ }
+ 
+-static char *
+static bfd_boolean
+ find_abstract_instance_name (struct comp_unit *unit,
+                            bfd_byte *orig_info_ptr,
+                             struct attribute *attr_ptr,
+                            const char **pname,
+                             bfd_boolean *is_linkage)
+ {
+   bfd *abfd = unit->abfd;
+@@ -2835,7 +2837,7 @@ find_abstract_instance_name (struct comp
+   struct abbrev_info *abbrev;
+   bfd_uint64_t die_ref = attr_ptr->u.val;
+   struct attribute attr;
+-  char *name = NULL;
+  const char *name = NULL;
+ 
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+@@ -2844,7 +2846,12 @@ find_abstract_instance_name (struct comp
+       /* We only support DW_FORM_ref_addr within the same file, so
+         any relocations should be resolved already.  */
+       if (!die_ref)
+-       abort ();
+       {
+         _bfd_error_handler
+           (_("Dwarf Error: Abstract instance DIE ref zero."));
+         bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+       }
+ 
+       info_ptr = unit->sec_info_ptr + die_ref;
+       info_ptr_end = unit->end_ptr;
+@@ -2879,9 +2886,10 @@ find_abstract_instance_name (struct comp
+          _bfd_error_handler
+            (_("Dwarf Error: Unable to read alt ref %u."), die_ref);
+          bfd_set_error (bfd_error_bad_value);
+-         return NULL;
+         return FALSE;
+        }
+-      info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size;
+      info_ptr_end = (unit->stash->alt_dwarf_info_buffer
+                     + unit->stash->alt_dwarf_info_size);
+ 
+       /* FIXME: Do we need to locate the correct CU, in a similar
+         fashion to the code in the DW_FORM_ref_addr case above ?  */
+@@ -2904,6 +2912,7 @@ find_abstract_instance_name (struct comp
+          _bfd_error_handler
+            (_("Dwarf Error: Could not find abbrev number %u."), abbrev_number);
+          bfd_set_error (bfd_error_bad_value);
+         return FALSE;
+        }
+       else
+        {
+@@ -2913,6 +2922,15 @@ find_abstract_instance_name (struct comp
+                                         info_ptr, info_ptr_end);
+              if (info_ptr == NULL)
+                break;
+             /* It doesn't ever make sense for DW_AT_specification to
+                refer to the same DIE.  Stop simple recursion.  */
+             if (info_ptr == orig_info_ptr)
+               {
+                 _bfd_error_handler
+                   (_("Dwarf Error: Abstract instance recursion detected."));
+                 bfd_set_error (bfd_error_bad_value);
+                 return FALSE;
+               }
+              switch (attr.name)
+                {
+                case DW_AT_name:
+@@ -2926,7 +2944,9 @@ find_abstract_instance_name (struct comp
+                    }
+                  break;
+                case DW_AT_specification:
+-                 name = find_abstract_instance_name (unit, &attr, is_linkage);
+                 if (!find_abstract_instance_name (unit, info_ptr, &attr,
+                                                   pname, is_linkage))
+                   return FALSE;
+                  break;
+                case DW_AT_linkage_name:
+                case DW_AT_MIPS_linkage_name:
+@@ -2944,7 +2964,8 @@ find_abstract_instance_name (struct comp
+            }
+        }
+     }
+-  return name;
+  *pname = name;
+  return TRUE;
+ }
+ 
+ static bfd_boolean
+@@ -3005,20 +3026,22 @@ scan_unit_for_symbols (struct comp_unit
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr = unit->first_child_die_ptr;
+   bfd_byte *info_ptr_end = unit->stash->info_ptr_end;
+-  int nesting_level = 1;
+-  struct funcinfo **nested_funcs;
+  int nesting_level = 0;
+  struct nest_funcinfo {
+    struct funcinfo *func;
+  } *nested_funcs;
+   int nested_funcs_size;
+ 
+   /* Maintain a stack of in-scope functions and inlined functions, which we
+      can use to set the caller_func field.  */
+   nested_funcs_size = 32;
+-  nested_funcs = (struct funcinfo **)
+-    bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *));
+  nested_funcs = (struct nest_funcinfo *)
+    bfd_malloc (nested_funcs_size * sizeof (*nested_funcs));
+   if (nested_funcs == NULL)
+     return FALSE;
+-  nested_funcs[nesting_level] = 0;
+  nested_funcs[nesting_level].func = 0;
+ 
+-  while (nesting_level)
+  while (nesting_level >= 0)
+     {
+       unsigned int abbrev_number, bytes_read, i;
+       struct abbrev_info *abbrev;
+@@ -3076,13 +3099,13 @@ scan_unit_for_symbols (struct comp_unit
+          BFD_ASSERT (!unit->cached);
+ 
+          if (func->tag == DW_TAG_inlined_subroutine)
+-           for (i = nesting_level - 1; i >= 1; i--)
+-             if (nested_funcs[i])
+           for (i = nesting_level; i-- != 0; )
+             if (nested_funcs[i].func)
+                {
+-                 func->caller_func = nested_funcs[i];
+                 func->caller_func = nested_funcs[i].func;
+                  break;
+                }
+-         nested_funcs[nesting_level] = func;
+         nested_funcs[nesting_level].func = func;
+        }
+       else
+        {
+@@ -3102,12 +3125,13 @@ scan_unit_for_symbols (struct comp_unit
+            }
+ 
+          /* No inline function in scope at this nesting level.  */
+-         nested_funcs[nesting_level] = 0;
+         nested_funcs[nesting_level].func = 0;
+        }
+ 
+       for (i = 0; i < abbrev->num_attrs; ++i)
+        {
+-         info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end);
+         info_ptr = read_attribute (&attr, &abbrev->attrs[i],
+                                    unit, info_ptr, info_ptr_end);
+          if (info_ptr == NULL)
+            goto fail;
+ 
+@@ -3126,8 +3150,10 @@ scan_unit_for_symbols (struct comp_unit
+ 
+                case DW_AT_abstract_origin:
+                case DW_AT_specification:
+-                 func->name = find_abstract_instance_name (unit, &attr,
+-                                                           &func->is_linkage);
+                 if (!find_abstract_instance_name (unit, info_ptr, &attr,
+                                                   &func->name,
+                                                   &func->is_linkage))
+                   goto fail;
+                  break;
+ 
+                case DW_AT_name:
+@@ -3254,17 +3280,17 @@ scan_unit_for_symbols (struct comp_unit
+ 
+          if (nesting_level >= nested_funcs_size)
+            {
+-             struct funcinfo **tmp;
+             struct nest_funcinfo *tmp;
+ 
+              nested_funcs_size *= 2;
+-             tmp = (struct funcinfo **)
+             tmp = (struct nest_funcinfo *)
+                bfd_realloc (nested_funcs,
+-                            nested_funcs_size * sizeof (struct funcinfo *));
+                            nested_funcs_size * sizeof (*nested_funcs));
+              if (tmp == NULL)
+                goto fail;
+              nested_funcs = tmp;
+            }
+-         nested_funcs[nesting_level] = 0;
+         nested_funcs[nesting_level].func = 0;
+        }
+     }
+
author	Armin Kuster <akuster@mvista.com>	2018-08-06 19:21:59 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:45 +0100
commit	8011a1aed9287f9c4c108c7ad00d1f8588aedade (patch)
tree	e409dfbf294196e918422be4fb126307a83f764b /meta/recipes-devtools
parent	9e7dc232e714189a8dc1233bd8c956891c79e5eb (diff)
download	poky-8011a1aed9287f9c4c108c7ad00d1f8588aedade.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index caff121b75..3a56e973fb 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
47	file://CVE-2017-15021.patch \	47	file://CVE-2017-15021.patch \
48	file://CVE-2017-15022.patch \	48	file://CVE-2017-15022.patch \
49	file://CVE-2017-15023.patch \	49	file://CVE-2017-15023.patch \
		50	file://CVE-2017-15024.patch \
50	"	51	"
51	S = "${WORKDIR}/git"	52	S = "${WORKDIR}/git"
52		53


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch new file mode 100644 index 0000000000..53b072ebaf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15024.patch
@@ -0,0 +1,227 @@
		1	From 52a93b95ec0771c97e26f0bb28630a271a667bd2 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Sun, 24 Sep 2017 14:37:16 +0930
		4	Subject: [PATCH] PR22187, infinite loop in find_abstract_instance_name
		5
		6	This patch prevents the simple case of infinite recursion in
		7	find_abstract_instance_name by ensuring that the attributes being
		8	processed are not the same as the previous call.
		9
		10	The patch also does a little cleanup, and leaves in place some changes
		11	to the nested_funcs array that I made when I wrongly thought looping
		12	might occur in scan_unit_for_symbols.
		13
		14	PR 22187
		15	* dwarf2.c (find_abstract_instance_name): Add orig_info_ptr and
		16	pname param. Return status. Make name const. Don't abort,
		17	return an error. Formatting. Exit if current info_ptr matches
		18	orig_info_ptr. Update callers.
		19	(scan_unit_for_symbols): Start at nesting_level of zero. Make
		20	nested_funcs an array of structs for extensibility. Formatting.
		21
		22	Upstream-Status: Backport
		23	Affects: <= 2.29.1
		24	CVE: CVE-2017-15024
		25	Signed-off-by: Armin Kuster <akuster@mvista.com>
		26
		27	---
		28	bfd/ChangeLog \| 10 ++++++++
		29	bfd/dwarf2.c \| 76 +++++++++++++++++++++++++++++++++++++++--------------------
		30	2 files changed, 61 insertions(+), 25 deletions(-)
		31
		32	Index: git/bfd/dwarf2.c
		33	===================================================================
		34	--- git.orig/bfd/dwarf2.c
		35	+++ git/bfd/dwarf2.c
		36	@@ -2823,9 +2823,11 @@ lookup_symbol_in_variable_table (struct
		37	return FALSE;
		38	}
		39
		40	-static char *
		41	+static bfd_boolean
		42	find_abstract_instance_name (struct comp_unit *unit,
		43	+ bfd_byte *orig_info_ptr,
		44	struct attribute *attr_ptr,
		45	+ const char **pname,
		46	bfd_boolean *is_linkage)
		47	{
		48	bfd *abfd = unit->abfd;
		49	@@ -2835,7 +2837,7 @@ find_abstract_instance_name (struct comp
		50	struct abbrev_info *abbrev;
		51	bfd_uint64_t die_ref = attr_ptr->u.val;
		52	struct attribute attr;
		53	- char *name = NULL;
		54	+ const char *name = NULL;
		55
		56	/* DW_FORM_ref_addr can reference an entry in a different CU. It
		57	is an offset from the .debug_info section, not the current CU. */
		58	@@ -2844,7 +2846,12 @@ find_abstract_instance_name (struct comp
		59	/* We only support DW_FORM_ref_addr within the same file, so
		60	any relocations should be resolved already. */
		61	if (!die_ref)
		62	- abort ();
		63	+ {
		64	+ _bfd_error_handler
		65	+ (_("Dwarf Error: Abstract instance DIE ref zero."));
		66	+ bfd_set_error (bfd_error_bad_value);
		67	+ return FALSE;
		68	+ }
		69
		70	info_ptr = unit->sec_info_ptr + die_ref;
		71	info_ptr_end = unit->end_ptr;
		72	@@ -2879,9 +2886,10 @@ find_abstract_instance_name (struct comp
		73	_bfd_error_handler
		74	(_("Dwarf Error: Unable to read alt ref %u."), die_ref);
		75	bfd_set_error (bfd_error_bad_value);
		76	- return NULL;
		77	+ return FALSE;
		78	}
		79	- info_ptr_end = unit->stash->alt_dwarf_info_buffer + unit->stash->alt_dwarf_info_size;
		80	+ info_ptr_end = (unit->stash->alt_dwarf_info_buffer
		81	+ + unit->stash->alt_dwarf_info_size);
		82
		83	/* FIXME: Do we need to locate the correct CU, in a similar
		84	fashion to the code in the DW_FORM_ref_addr case above ? */
		85	@@ -2904,6 +2912,7 @@ find_abstract_instance_name (struct comp
		86	_bfd_error_handler
		87	(_("Dwarf Error: Could not find abbrev number %u."), abbrev_number);
		88	bfd_set_error (bfd_error_bad_value);
		89	+ return FALSE;
		90	}
		91	else
		92	{
		93	@@ -2913,6 +2922,15 @@ find_abstract_instance_name (struct comp
		94	info_ptr, info_ptr_end);
		95	if (info_ptr == NULL)
		96	break;
		97	+ /* It doesn't ever make sense for DW_AT_specification to
		98	+ refer to the same DIE. Stop simple recursion. */
		99	+ if (info_ptr == orig_info_ptr)
		100	+ {
		101	+ _bfd_error_handler
		102	+ (_("Dwarf Error: Abstract instance recursion detected."));
		103	+ bfd_set_error (bfd_error_bad_value);
		104	+ return FALSE;
		105	+ }
		106	switch (attr.name)
		107	{
		108	case DW_AT_name:
		109	@@ -2926,7 +2944,9 @@ find_abstract_instance_name (struct comp
		110	}
		111	break;
		112	case DW_AT_specification:
		113	- name = find_abstract_instance_name (unit, &attr, is_linkage);
		114	+ if (!find_abstract_instance_name (unit, info_ptr, &attr,
		115	+ pname, is_linkage))
		116	+ return FALSE;
		117	break;
		118	case DW_AT_linkage_name:
		119	case DW_AT_MIPS_linkage_name:
		120	@@ -2944,7 +2964,8 @@ find_abstract_instance_name (struct comp
		121	}
		122	}
		123	}
		124	- return name;
		125	+ *pname = name;
		126	+ return TRUE;
		127	}
		128
		129	static bfd_boolean
		130	@@ -3005,20 +3026,22 @@ scan_unit_for_symbols (struct comp_unit
		131	bfd *abfd = unit->abfd;
		132	bfd_byte *info_ptr = unit->first_child_die_ptr;
		133	bfd_byte *info_ptr_end = unit->stash->info_ptr_end;
		134	- int nesting_level = 1;
		135	- struct funcinfo **nested_funcs;
		136	+ int nesting_level = 0;
		137	+ struct nest_funcinfo {
		138	+ struct funcinfo *func;
		139	+ } *nested_funcs;
		140	int nested_funcs_size;
		141
		142	/* Maintain a stack of in-scope functions and inlined functions, which we
		143	can use to set the caller_func field. */
		144	nested_funcs_size = 32;
		145	- nested_funcs = (struct funcinfo **)
		146	- bfd_malloc (nested_funcs_size * sizeof (struct funcinfo *));
		147	+ nested_funcs = (struct nest_funcinfo *)
		148	+ bfd_malloc (nested_funcs_size * sizeof (*nested_funcs));
		149	if (nested_funcs == NULL)
		150	return FALSE;
		151	- nested_funcs[nesting_level] = 0;
		152	+ nested_funcs[nesting_level].func = 0;
		153
		154	- while (nesting_level)
		155	+ while (nesting_level >= 0)
		156	{
		157	unsigned int abbrev_number, bytes_read, i;
		158	struct abbrev_info *abbrev;
		159	@@ -3076,13 +3099,13 @@ scan_unit_for_symbols (struct comp_unit
		160	BFD_ASSERT (!unit->cached);
		161
		162	if (func->tag == DW_TAG_inlined_subroutine)
		163	- for (i = nesting_level - 1; i >= 1; i--)
		164	- if (nested_funcs[i])
		165	+ for (i = nesting_level; i-- != 0; )
		166	+ if (nested_funcs[i].func)
		167	{
		168	- func->caller_func = nested_funcs[i];
		169	+ func->caller_func = nested_funcs[i].func;
		170	break;
		171	}
		172	- nested_funcs[nesting_level] = func;
		173	+ nested_funcs[nesting_level].func = func;
		174	}
		175	else
		176	{
		177	@@ -3102,12 +3125,13 @@ scan_unit_for_symbols (struct comp_unit
		178	}
		179
		180	/* No inline function in scope at this nesting level. */
		181	- nested_funcs[nesting_level] = 0;
		182	+ nested_funcs[nesting_level].func = 0;
		183	}
		184
		185	for (i = 0; i < abbrev->num_attrs; ++i)
		186	{
		187	- info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, info_ptr_end);
		188	+ info_ptr = read_attribute (&attr, &abbrev->attrs[i],
		189	+ unit, info_ptr, info_ptr_end);
		190	if (info_ptr == NULL)
		191	goto fail;
		192
		193	@@ -3126,8 +3150,10 @@ scan_unit_for_symbols (struct comp_unit
		194
		195	case DW_AT_abstract_origin:
		196	case DW_AT_specification:
		197	- func->name = find_abstract_instance_name (unit, &attr,
		198	- &func->is_linkage);
		199	+ if (!find_abstract_instance_name (unit, info_ptr, &attr,
		200	+ &func->name,
		201	+ &func->is_linkage))
		202	+ goto fail;
		203	break;
		204
		205	case DW_AT_name:
		206	@@ -3254,17 +3280,17 @@ scan_unit_for_symbols (struct comp_unit
		207
		208	if (nesting_level >= nested_funcs_size)
		209	{
		210	- struct funcinfo **tmp;
		211	+ struct nest_funcinfo *tmp;
		212
		213	nested_funcs_size *= 2;
		214	- tmp = (struct funcinfo **)
		215	+ tmp = (struct nest_funcinfo *)
		216	bfd_realloc (nested_funcs,
		217	- nested_funcs_size * sizeof (struct funcinfo *));
		218	+ nested_funcs_size * sizeof (*nested_funcs));
		219	if (tmp == NULL)
		220	goto fail;
		221	nested_funcs = tmp;
		222	}
		223	- nested_funcs[nesting_level] = 0;
		224	+ nested_funcs[nesting_level].func = 0;
		225	}
		226	}
		227