binutls: Security fix CVE-2017-14933

Affects: <= 2.29.1 (From OE-Core rev: 16cdbc7504cc14547bb99ed742484ae9e658ec6e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2018-08-06 14:02:09 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-15 10:22:44 +0100
commit: 9be7b4f3db6243fc2a557ad63543173f2b1f5d86 (patch)
tree: 11260569fb2cda75a28ce876170d97f6672a0d81 /meta
parent: 4ad8bd4a60da3a09f7bd68855b2fa56ed07713be (diff)
download: poky-9be7b4f3db6243fc2a557ad63543173f2b1f5d86.tar.gz
3 files changed, 162 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 76c5c439cb..78b5249ee1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -38,6 +38,8 @@ SRC_URI = "\
     file://CVE-2017-17124.patch \
     file://CVE-2017-14930.patch \
     file://CVE-2017-14932.patch \
+     file://CVE-2017-14933_p1.patch \
+     file://CVE-2017-14933_p2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch
new file mode 100644
index 0000000000..9df8138401
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch
@@ -0,0 +1,58 @@
+From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 26 Sep 2017 14:37:47 +0100
+Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF
+ directory or file name table.
+        PR 22210
+        * dwarf2.c (read_formatted_entries): Fail early if we know that
+        the loop parsing data entries will overflow the end of the
+        section.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14933 #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf2.c  | 10 ++++++++++
+ 2 files changed, 17 insertions(+)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
+2017-09-26  Nick Clifton  <nickc@redhat.com>
+
+       PR 22210
+       * dwarf2.c (read_formatted_entries): Fail early if we know that
+       the loop parsing data entries will overflow the end of the
+       section.
+
+ 2017-09-26  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22204
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit
+ 
+   data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end);
+   buf += bytes_read;
+
+  /* PR 22210.  Paranoia check.  Don't bother running the loop
+     if we know that we are going to run out of buffer.  */
+  if (data_count > (bfd_vma) (buf_end - buf))
+    {
+      _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."),
+                         data_count);
+      bfd_set_error (bfd_error_bad_value);
+      return FALSE;
+    }
+
+   for (datai = 0; datai < data_count; datai++)
+     {
+       bfd_byte *format = format_header_data;
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch
new file mode 100644
index 0000000000..607d92f3d4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch
@@ -0,0 +1,102 @@
+From 33e0a9a056bd23e923b929a4f2ab049ade0b1c32 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 26 Sep 2017 23:20:06 +0930
+Subject: [PATCH] Tidy reading data in read_formatted_entries
+Using read_attribute_value accomplishes two things: It checks for
+unexpected formats, and ensures the buffer pointer always increments.
+        PR 22210
+        * dwarf2.c (read_formatted_entries): Use read_attribute_value to
+        read data.
+Upstream-Status: Backport
+Affects: <= 2.29.1
+CVE: CVE-2017-14933 #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/dwarf2.c  | 37 +++++++------------------------------
+ 2 files changed, 13 insertions(+), 30 deletions(-)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
+2017-09-26  Alan Modra  <amodra@gmail.com>
+
+       PR 22210
+       * dwarf2.c (read_formatted_entries): Use read_attribute_value to
+       read data.
+
+ 2017-09-26  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22210
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
+++ git/bfd/dwarf2.c
+@@ -1955,6 +1955,7 @@ read_formatted_entries (struct comp_unit
+          char *string_trash;
+          char **stringp = &string_trash;
+          unsigned int uint_trash, *uintp = &uint_trash;
+         struct attribute attr;
+ 
+          content_type = _bfd_safe_read_leb128 (abfd, format, &bytes_read,
+                                                FALSE, buf_end);
+@@ -1986,47 +1987,23 @@ read_formatted_entries (struct comp_unit
+          form = _bfd_safe_read_leb128 (abfd, format, &bytes_read, FALSE,
+                                        buf_end);
+          format += bytes_read;
+
+         buf = read_attribute_value (&attr, form, 0, unit, buf, buf_end);
+         if (buf == NULL)
+           return FALSE;
+          switch (form)
+            {
+            case DW_FORM_string:
+-             *stringp = read_string (abfd, buf, buf_end, &bytes_read);
+-             buf += bytes_read;
+-             break;
+-
+            case DW_FORM_line_strp:
+-             *stringp = read_indirect_line_string (unit, buf, buf_end, &bytes_read);
+-             buf += bytes_read;
+             *stringp = attr.u.str;
+              break;
+ 
+            case DW_FORM_data1:
+-             *uintp = read_1_byte (abfd, buf, buf_end);
+-             buf += 1;
+-             break;
+-
+            case DW_FORM_data2:
+-             *uintp = read_2_bytes (abfd, buf, buf_end);
+-             buf += 2;
+-             break;
+-
+            case DW_FORM_data4:
+-             *uintp = read_4_bytes (abfd, buf, buf_end);
+-             buf += 4;
+-             break;
+-
+            case DW_FORM_data8:
+-             *uintp = read_8_bytes (abfd, buf, buf_end);
+-             buf += 8;
+-             break;
+-
+            case DW_FORM_udata:
+-             *uintp = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE,
+-                                             buf_end);
+-             buf += bytes_read;
+-             break;
+-
+-           case DW_FORM_block:
+-             /* It is valid only for DW_LNCT_timestamp which is ignored by
+-                current GDB.  */
+             *uintp = attr.u.val;
+              break;
+            }
+        }
author	Armin Kuster <akuster@mvista.com>	2018-08-06 14:02:09 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-15 10:22:44 +0100
commit	9be7b4f3db6243fc2a557ad63543173f2b1f5d86 (patch)
tree	11260569fb2cda75a28ce876170d97f6672a0d81 /meta
parent	4ad8bd4a60da3a09f7bd68855b2fa56ed07713be (diff)
download	poky-9be7b4f3db6243fc2a557ad63543173f2b1f5d86.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc index 76c5c439cb..78b5249ee1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -38,6 +38,8 @@ SRC_URI = "\
38	file://CVE-2017-17124.patch \	38	file://CVE-2017-17124.patch \
39	file://CVE-2017-14930.patch \	39	file://CVE-2017-14930.patch \
40	file://CVE-2017-14932.patch \	40	file://CVE-2017-14932.patch \
		41	file://CVE-2017-14933_p1.patch \
		42	file://CVE-2017-14933_p2.patch \
41	"	43	"
42	S = "${WORKDIR}/git"	44	S = "${WORKDIR}/git"
43		45


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch new file mode 100644 index 0000000000..9df8138401 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p1.patch
@@ -0,0 +1,58 @@
		1	From 30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Tue, 26 Sep 2017 14:37:47 +0100
		4	Subject: [PATCH] Avoid needless resource usage when processing a corrupt DWARF
		5	directory or file name table.
		6
		7	PR 22210
		8	* dwarf2.c (read_formatted_entries): Fail early if we know that
		9	the loop parsing data entries will overflow the end of the
		10	section.
		11
		12	Upstream-Status: Backport
		13	Affects: <= 2.29.1
		14	CVE: CVE-2017-14933 #1
		15	Signed-off-by: Armin Kuster <akuster@mvista.com>
		16
		17	---
		18	bfd/ChangeLog \| 7 +++++++
		19	bfd/dwarf2.c \| 10 ++++++++++
		20	2 files changed, 17 insertions(+)
		21
		22	Index: git/bfd/ChangeLog
		23	===================================================================
		24	--- git.orig/bfd/ChangeLog
		25	+++ git/bfd/ChangeLog
		26	@@ -1,3 +1,10 @@
		27	+2017-09-26 Nick Clifton <nickc@redhat.com>
		28	+
		29	+ PR 22210
		30	+ * dwarf2.c (read_formatted_entries): Fail early if we know that
		31	+ the loop parsing data entries will overflow the end of the
		32	+ section.
		33	+
		34	2017-09-26 Alan Modra <amodra@gmail.com>
		35
		36	PR 22204
		37	Index: git/bfd/dwarf2.c
		38	===================================================================
		39	--- git.orig/bfd/dwarf2.c
		40	+++ git/bfd/dwarf2.c
		41	@@ -1933,6 +1933,17 @@ read_formatted_entries (struct comp_unit
		42
		43	data_count = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE, buf_end);
		44	buf += bytes_read;
		45	+
		46	+ /* PR 22210. Paranoia check. Don't bother running the loop
		47	+ if we know that we are going to run out of buffer. */
		48	+ if (data_count > (bfd_vma) (buf_end - buf))
		49	+ {
		50	+ _bfd_error_handler (_("Dwarf Error: data count (%Lx) larger than buffer size."),
		51	+ data_count);
		52	+ bfd_set_error (bfd_error_bad_value);
		53	+ return FALSE;
		54	+ }
		55	+
		56	for (datai = 0; datai < data_count; datai++)
		57	{
		58	bfd_byte *format = format_header_data;


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch new file mode 100644 index 0000000000..607d92f3d4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-14933_p2.patch
@@ -0,0 +1,102 @@
		1	From 33e0a9a056bd23e923b929a4f2ab049ade0b1c32 Mon Sep 17 00:00:00 2001
		2	From: Alan Modra <amodra@gmail.com>
		3	Date: Tue, 26 Sep 2017 23:20:06 +0930
		4	Subject: [PATCH] Tidy reading data in read_formatted_entries
		5
		6	Using read_attribute_value accomplishes two things: It checks for
		7	unexpected formats, and ensures the buffer pointer always increments.
		8
		9	PR 22210
		10	* dwarf2.c (read_formatted_entries): Use read_attribute_value to
		11	read data.
		12
		13	Upstream-Status: Backport
		14	Affects: <= 2.29.1
		15	CVE: CVE-2017-14933 #2
		16	Signed-off-by: Armin Kuster <akuster@mvista.com>
		17
		18	---
		19	bfd/ChangeLog \| 6 ++++++
		20	bfd/dwarf2.c \| 37 +++++++------------------------------
		21	2 files changed, 13 insertions(+), 30 deletions(-)
		22
		23	Index: git/bfd/ChangeLog
		24	===================================================================
		25	--- git.orig/bfd/ChangeLog
		26	+++ git/bfd/ChangeLog
		27	@@ -1,3 +1,9 @@
		28	+2017-09-26 Alan Modra <amodra@gmail.com>
		29	+
		30	+ PR 22210
		31	+ * dwarf2.c (read_formatted_entries): Use read_attribute_value to
		32	+ read data.
		33	+
		34	2017-09-26 Nick Clifton <nickc@redhat.com>
		35
		36	PR 22210
		37	Index: git/bfd/dwarf2.c
		38	===================================================================
		39	--- git.orig/bfd/dwarf2.c
		40	+++ git/bfd/dwarf2.c
		41	@@ -1955,6 +1955,7 @@ read_formatted_entries (struct comp_unit
		42	char *string_trash;
		43	char **stringp = &string_trash;
		44	unsigned int uint_trash, *uintp = &uint_trash;
		45	+ struct attribute attr;
		46
		47	content_type = _bfd_safe_read_leb128 (abfd, format, &bytes_read,
		48	FALSE, buf_end);
		49	@@ -1986,47 +1987,23 @@ read_formatted_entries (struct comp_unit
		50	form = _bfd_safe_read_leb128 (abfd, format, &bytes_read, FALSE,
		51	buf_end);
		52	format += bytes_read;
		53	+
		54	+ buf = read_attribute_value (&attr, form, 0, unit, buf, buf_end);
		55	+ if (buf == NULL)
		56	+ return FALSE;
		57	switch (form)
		58	{
		59	case DW_FORM_string:
		60	- *stringp = read_string (abfd, buf, buf_end, &bytes_read);
		61	- buf += bytes_read;
		62	- break;
		63	-
		64	case DW_FORM_line_strp:
		65	- *stringp = read_indirect_line_string (unit, buf, buf_end, &bytes_read);
		66	- buf += bytes_read;
		67	+ *stringp = attr.u.str;
		68	break;
		69
		70	case DW_FORM_data1:
		71	- *uintp = read_1_byte (abfd, buf, buf_end);
		72	- buf += 1;
		73	- break;
		74	-
		75	case DW_FORM_data2:
		76	- *uintp = read_2_bytes (abfd, buf, buf_end);
		77	- buf += 2;
		78	- break;
		79	-
		80	case DW_FORM_data4:
		81	- *uintp = read_4_bytes (abfd, buf, buf_end);
		82	- buf += 4;
		83	- break;
		84	-
		85	case DW_FORM_data8:
		86	- *uintp = read_8_bytes (abfd, buf, buf_end);
		87	- buf += 8;
		88	- break;
		89	-
		90	case DW_FORM_udata:
		91	- *uintp = _bfd_safe_read_leb128 (abfd, buf, &bytes_read, FALSE,
		92	- buf_end);
		93	- buf += bytes_read;
		94	- break;
		95	-
		96	- case DW_FORM_block:
		97	- /* It is valid only for DW_LNCT_timestamp which is ignored by
		98	- current GDB. */
		99	+ *uintp = attr.u.val;
		100	break;
		101	}
		102	}