[oe-commits] [openembedded-core] 43/51: binutils: CVE-2017-15938

git at git.openembedded.org git at git.openembedded.org
Sun Jan 7 17:11:52 UTC 2018



rpurdie pushed a commit to branch morty
in repository openembedded-core.

commit 592f315516e602bd9a9bdc3d116771528cd433d1
Author: Thiruvadi Rajaraman <trajaraman at mvista.com>
AuthorDate: Wed Nov 8 13:44:34 2017 +0530

    binutils: CVE-2017-15938
    
    Source: binutils-gdb.git
    MR: 76766
    Type: Security Fix
    Disposition: Backport from binutils master
    ChangeID: f080669b4e6f7c9088e30858238da5f4315192f3
    Description:
    
        PR22209, invalid memory read in find_abstract_instance_name
    
        This patch adds bounds checking for DW_FORM_ref_addr die refs, and
        calculates them relative to the first .debug_info section.  See the
        big comment for why calculating relative to the current .debug_info
        section was wrong for relocatable object files.
    
            PR 22209
            * dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
            (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
            to stash->info_ptr_memory, and check die_ref is within that memory.
            Set info_ptr_end correctly when another CU is refd.  Check die_ref
            for DW_FORM_ref4 etc. is within CU.
    
    Affects: <= 2.29
    Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
    Reviewed-by: Armin Kuster <akuster at mvista.com>
    Signed-off-by: Armin Kuster <akuster at mvista.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.27.inc   |   1 +
 .../binutils/binutils/CVE-2017-15938.patch         | 153 +++++++++++++++++++++
 2 files changed, 154 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index ae43d2a..1311b65 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -102,6 +102,7 @@ SRC_URI = "\
      file://CVE-2017-9955_9.patch \
      file://CVE-2017-14729.patch \
      file://CVE-2017-15024.patch \
+     file://CVE-2017-15938.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
new file mode 100644
index 0000000..25d6f3a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-15938.patch
@@ -0,0 +1,153 @@
+commit 1b86808a86077722ee4f42ff97f836b12420bb2a
+Author: Alan Modra <amodra at gmail.com>
+Date:   Tue Sep 26 21:47:24 2017 +0930
+
+    PR22209, invalid memory read in find_abstract_instance_name
+    
+    This patch adds bounds checking for DW_FORM_ref_addr die refs, and
+    calculates them relative to the first .debug_info section.  See the
+    big comment for why calculating relative to the current .debug_info
+    section was wrong for relocatable object files.
+    
+    	PR 22209
+    	* dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
+    	(find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
+    	to stash->info_ptr_memory, and check die_ref is within that memory.
+    	Set info_ptr_end correctly when another CU is refd.  Check die_ref
+    	for DW_FORM_ref4 etc. is within CU.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-15938
+Signed-off-by: Thiruvadi Rajaraman <trajaraman at mvista.com>
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c	2017-11-07 18:52:19.896253364 +0530
++++ git/bfd/dwarf2.c	2017-11-07 18:52:19.952253802 +0530
+@@ -119,8 +119,7 @@
+ 
+   /* A pointer to the memory block allocated for info_ptr.  Neither
+      info_ptr nor sec_info_ptr are guaranteed to stay pointing to the
+-     beginning of the malloc block.  This is used only to free the
+-     memory later.  */
++     beginning of the malloc block.  */
+   bfd_byte *info_ptr_memory;
+ 
+   /* Pointer to the symbol table.  */
+@@ -238,9 +237,6 @@
+      by its reference.  */
+   bfd_byte *info_ptr_unit;
+ 
+-  /* Pointer to the start of the debug section, for DW_FORM_ref_addr.  */
+-  bfd_byte *sec_info_ptr;
+-
+   /* The offset into .debug_line of the line number table.  */
+   unsigned long line_offset;
+ 
+@@ -2294,21 +2290,37 @@
+   if (attr_ptr->form == DW_FORM_ref_addr)
+     {
+       /* We only support DW_FORM_ref_addr within the same file, so
+-	 any relocations should be resolved already.  */
+-      if (!die_ref)
++	 any relocations should be resolved already.  Check this by
++	 testing for a zero die_ref;  There can't be a valid reference
++	 to the header of a .debug_info section.
++	 DW_FORM_ref_addr is an offset relative to .debug_info.
++	 Normally when using the GNU linker this is accomplished by
++	 emitting a symbolic reference to a label, because .debug_info
++	 sections are linked at zero.  When there are multiple section
++	 groups containing .debug_info, as there might be in a
++	 relocatable object file, it would be reasonable to assume that
++	 a symbolic reference to a label in any .debug_info section
++	 might be used.  Since we lay out multiple .debug_info
++	 sections at non-zero VMAs (see place_sections), and read
++	 them contiguously into stash->info_ptr_memory, that means
++	 the reference is relative to stash->info_ptr_memory.  */
++      size_t total;
++
++      info_ptr = unit->stash->info_ptr_memory;
++      info_ptr_end = unit->stash->info_ptr_end;
++      total = info_ptr_end - info_ptr;
++      if (!die_ref || die_ref >= total)
+ 	{
+ 	  _bfd_error_handler
+-	    (_("Dwarf Error: Abstract instance DIE ref zero."));
++	    (_("Dwarf Error: Invalid abstract instance DIE ref."));
+ 	  bfd_set_error (bfd_error_bad_value);
+ 	  return FALSE;
+ 	}
+-
+-      info_ptr = unit->sec_info_ptr + die_ref;
+-      info_ptr_end = unit->end_ptr;
++      info_ptr += die_ref;
+ 
+       /* Now find the CU containing this pointer.  */
+       if (info_ptr >= unit->info_ptr_unit && info_ptr < unit->end_ptr)
+-	;
++	info_ptr_end = unit->end_ptr;
+       else
+ 	{
+ 	  /* Check other CUs to see if they contain the abbrev.  */
+@@ -2324,7 +2336,10 @@
+ 		break;
+ 
+ 	  if (u)
+-	    unit = u;
++	    {
++	      unit = u;
++	      info_ptr_end = unit->end_ptr;
++	    }
+ 	  /* else FIXME: What do we do now ?  */
+ 	}
+     }
+@@ -2346,8 +2361,22 @@
+     }
+   else
+     {
+-      info_ptr = unit->info_ptr_unit + die_ref;
++      /* DW_FORM_ref1, DW_FORM_ref2, DW_FORM_ref4, DW_FORM_ref8 or
++	 DW_FORM_ref_udata.  These are all references relative to the
++	 start of the current CU.  */
++      size_t total;
++
++      info_ptr = unit->info_ptr_unit;
+       info_ptr_end = unit->end_ptr;
++      total = info_ptr_end - info_ptr;
++      if (!die_ref || die_ref >= total)
++	{
++	  _bfd_error_handler
++	    (_("Dwarf Error: Invalid abstract instance DIE ref."));
++	  bfd_set_error (bfd_error_bad_value);
++	  return FALSE;
++	}
++      info_ptr += die_ref;
+     }
+ 
+   abbrev_number = safe_read_leb128 (abfd, info_ptr, &bytes_read, FALSE, info_ptr_end);
+@@ -2846,7 +2875,6 @@
+   unit->end_ptr = end_ptr;
+   unit->stash = stash;
+   unit->info_ptr_unit = info_ptr_unit;
+-  unit->sec_info_ptr = stash->sec_info_ptr;
+ 
+   for (i = 0; i < abbrev->num_attrs; ++i)
+     {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog	2017-11-07 18:52:19.900253395 +0530
++++ git/bfd/ChangeLog	2017-11-07 18:53:29.668799630 +0530
+@@ -1,3 +1,12 @@
++2017-09-26  Alan Modra  <amodra at gmail.com>
++
++       PR 22209
++       * dwarf2.c (struct comp_unit): Delete sec_info_ptr field.
++       (find_abstract_instance_name): Calculate DW_FORM_ref_addr relative
++       to stash->info_ptr_memory, and check die_ref is within that memory.
++       Set info_ptr_end correctly when another CU is refd.  Check die_ref
++       for DW_FORM_ref4 etc. is within CU.
++
+ 2017-09-24  Alan Modra  <amodra at gmail.com>
+ 
+        PR 22187
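Review bot: The `/* else FIXME: What do we do now ?  */` branch after the all_comp_units scan still falls through when no already-parsed CU contains the bounds-checked DW_FORM_ref_addr target, so the abbrev number is then read from some other CU's bytes (bounded only by the stash end set on the `info_ptr_end = unit->stash->info_ptr_end;` line) and, as far as the hunk shows, decoded against the current `unit`'s abbreviation table, which can only produce a wrong or garbage DIE; a valid reference into a CU that has not been parsed yet lands in the same branch. The new range checks make this safe against out-of-bounds reads but not against misattribution, so I would fail closed there instead of continuing. find_abstract_instance_name starts and ends outside this hunk and the abbrev lookup that follows `safe_read_leb128` is not visible, so whether callers tolerate the extra FALSE return should be confirmed before taking this. Separately, if the function recurses on DW_AT_abstract_origin as its name suggests, a DIE whose reference points (directly or through a cycle) back to itself still passes both new checks, so a recursion depth limit is worth a follow-up.
```c
	  if (u)
	    {
	      unit = u;
	      info_ptr_end = unit->end_ptr;
	    }
	  else
	    {
	      /* The target lies inside .debug_info but in no CU parsed so
		 far; refuse rather than decode it with this CU's abbrevs.  */
	      _bfd_error_handler
		(_("Dwarf Error: Unable to locate abstract instance DIE ref."));
	      bfd_set_error (bfd_error_bad_value);
	      return FALSE;
	    }
	}
```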
