[oe-commits] [openembedded-core] 34/51: binutils: CVE-2017-9752
git at git.openembedded.org
git at git.openembedded.org
Sun Jan 7 17:11:43 UTC 2018
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch morty
in repository openembedded-core.
commit ea89dfe868085b463dfc24df78b49d1703989484
Author: Thiruvadi Rajaraman <trajaraman at mvista.com>
AuthorDate: Thu Sep 21 19:24:44 2017 +0530
binutils: CVE-2017-9752
Source: binutils-gdb.git
MR: 73971
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: fe0e1d0f234ed157135818c24f4270c34e093828
Description:
Fix potential address violations when processing a corrupt Alpha VMA binary.
PR binutils/21589
* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
maximum value for the ascic pointer. Check that name processing
does not read beyond this value.
(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
end of etir record.
Affects: <= 2.28
Author: Nick Clifton <nickc at redhat.com>
Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
Reviewed-by: Armin Kuster <akuster at mvista.com>
Signed-off-by: Armin Kuster <akuster at mvista.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
meta/recipes-devtools/binutils/binutils-2.27.inc | 1 +
.../binutils/binutils/CVE-2017-9752.patch | 204 +++++++++++++++++++++
2 files changed, 205 insertions(+)
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 6580270..54fb5d6 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -84,6 +84,7 @@ SRC_URI = "\
file://CVE-2017-9748.patch \
file://CVE-2017-9747.patch \
file://CVE-2017-9750.patch \
+ file://CVE-2017-9752.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
new file mode 100644
index 0000000..fce5b14
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,204 @@
+commit c53d2e6d744da000aaafe0237bced090aab62818
+Author: Nick Clifton <nickc at redhat.com>
+Date: Wed Jun 14 11:27:15 2017 +0100
+
+ Fix potential address violations when processing a corrupt Alpha VMA binary.
+
+ PR binutils/21589
+ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+ maximum value for the ascic pointer. Check that name processing
+ does not read beyond this value.
+ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+ end of etir record.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9752
+Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c 2017-09-21 15:00:19.117805347 +0530
++++ git/bfd/vms-alpha.c 2017-09-21 15:00:20.673815960 +0530
+@@ -1507,7 +1507,7 @@
+ /* Write multiple bytes to section image. */
+
+ static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
++image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+ {
+ #if VMS_DEBUG
+ _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1654,14 +1654,16 @@
+ #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+
+ static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
++_bfd_vms_get_value (bfd *abfd,
++ const unsigned char *ascic,
++ const unsigned char *max_ascic,
+ struct bfd_link_info *info,
+ bfd_vma *vma,
+ struct alpha_vms_link_hash_entry **hp)
+ {
+ char name[257];
+- int len;
+- int i;
++ unsigned int len;
++ unsigned int i;
+ struct alpha_vms_link_hash_entry *h;
+
+ /* Not linking. Do not try to resolve the symbol. */
+@@ -1673,6 +1675,14 @@
+ }
+
+ len = *ascic;
++ if (ascic + len >= max_ascic)
++ {
++ _bfd_error_handler (_("Corrupt vms value"));
++ *vma = 0;
++ *hp = NULL;
++ return;
++ }
++
+ for (i = 0; i < len; i++)
+ name[i] = ascic[i + 1];
+ name[i] = 0;
+@@ -1797,6 +1807,15 @@
+ _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+
++ /* PR 21589: Check for a corrupt ETIR record. */
++ if (cmd_length < 4)
++ {
++ corrupt_etir:
++ _bfd_error_handler (_("Corrupt ETIR record encountered"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+ switch (cmd)
+ {
+ /* Stack global
+@@ -1804,7 +1823,7 @@
+
+ stack 32 bit value of symbol (high bits set to 0). */
+ case ETIR__C_STA_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+ break;
+
+@@ -1813,6 +1832,8 @@
+
+ stack 32 bit value, sign extend to 64 bit. */
+ case ETIR__C_STA_LW:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+ break;
+
+@@ -1821,6 +1842,8 @@
+
+ stack 64 bit value of symbol. */
+ case ETIR__C_STA_QW:
++ if (ptr + 8 >= maxptr)
++ goto corrupt_etir;
+ _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+ break;
+
+@@ -1834,6 +1857,8 @@
+ {
+ int psect;
+
++ if (ptr + 12 >= maxptr)
++ goto corrupt_etir;
+ psect = bfd_getl32 (ptr);
+ if ((unsigned int) psect >= PRIV (section_count))
+ {
+@@ -1923,6 +1948,8 @@
+ {
+ int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ size = bfd_getl32 (ptr);
+ _bfd_vms_pop (abfd, &op1, &rel1);
+ if (rel1 != RELC_NONE)
+@@ -1935,7 +1962,7 @@
+ /* Store global: write symbol value
+ arg: cs global symbol name. */
+ case ETIR__C_STO_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ if (h && h->sym)
+ {
+ if (h->sym->typ == EGSD__C_SYMG)
+@@ -1957,7 +1984,7 @@
+ /* Store code address: write address of entry point
+ arg: cs global symbol name (procedure). */
+ case ETIR__C_STO_CA:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ if (h && h->sym)
+ {
+ if (h->sym->flags & EGSY__V_NORM)
+@@ -2002,8 +2029,10 @@
+ da data. */
+ case ETIR__C_STO_IMM:
+ {
+- int size;
++ unsigned int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ size = bfd_getl32 (ptr);
+ image_write (abfd, ptr + 4, size);
+ }
+@@ -2016,7 +2045,7 @@
+ store global longword: store 32bit value of symbol
+ arg: cs symbol name. */
+ case ETIR__C_STO_GBL_LW:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ #if 0
+ abort ();
+ #endif
+@@ -2069,7 +2098,7 @@
+ da signature. */
+
+ case ETIR__C_STC_LP_PSB:
+- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+ if (h && h->sym)
+ {
+ if (h->sym->typ == EGSD__C_SYMG)
+@@ -2165,6 +2194,8 @@
+ /* Augment relocation base: increment image location counter by offset
+ arg: lw offset value. */
+ case ETIR__C_CTL_AUGRB:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ op1 = bfd_getl32 (ptr);
+ image_inc_ptr (abfd, op1);
+ break;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog 2017-09-21 15:04:44.000000000 +0530
++++ git/bfd/ChangeLog 2017-09-21 15:07:58.268949291 +0530
+@@ -81,6 +81,15 @@
+ PR binutils/21581
+ (ieee_archive_p): Likewise.
+
++2017-06-14 Nick Clifton <nickc at redhat.com>
++
++ PR binutils/21589
++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
++ maximum value for the ascic pointer. Check that name processing
++ does not read beyond this value.
++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
++ end of etir record.
++
+ 2017-04-29 Alan Modra <amodra at gmail.com>
+
+ PR 21432
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list