[OE-core] [zeus][PATCH v3] binutils: fix CVE-2019-17450

Trevor Gamblin trevor.gamblin at windriver.com
Fri Oct 25 15:05:23 UTC 2019 

On 10/25/19 11:02 AM, akuster808 wrote:

>
> On 10/25/19 5:22 AM, Trevor Gamblin wrote:
>> Backport upstream fix to zeus.
>>
>> Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> Does this affect Master?
>
> - armin
>> ---
>>   .../binutils/binutils-2.32.inc                |  1 +
>>   .../binutils/binutils/CVE-2019-17450.patch    | 99 +++++++++++++++++++
>>   2 files changed, 100 insertions(+)
>>   create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>>
>> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
>> index 19baf8a883..1e96cf494d 100644
>> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
>> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
>> @@ -49,6 +49,7 @@ SRC_URI = "\
>>        file://CVE-2019-12972.patch \
>>        file://CVE-2019-14250.patch \
>>        file://CVE-2019-14444.patch \
>> +     file://CVE-2019-17450.patch \
>>   "
>>   S  = "${WORKDIR}/git"
>>   
>> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>> new file mode 100644
>> index 0000000000..a6ce0b9a8a
>> --- /dev/null
>> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>> @@ -0,0 +1,99 @@
>> +From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
>> +From: Alan Modra <amodra at gmail.com>
>> +Date: Wed, 9 Oct 2019 00:07:29 +1030
>> +Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
>> +
>> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
>> +file. There are newer versions of binutils, but none of them contain the
>> +commit fixing CVE-2019-17450, so backport it to master and zeus.
>> +
>> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
>> +CVE: CVE-2019-17450
>> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
>> +
>> +	PR 25078
>> +	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
>> +	recur_count.  Error on recur_count reaching 100 rather than
>> +	info_ptr matching orig_info_ptr.  Adjust calls.
>> +
>> +---
>> + bfd/dwarf2.c | 35 +++++++++++++++++------------------
>> + 1 file changed, 17 insertions(+), 18 deletions(-)
>> +
>> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
>> +index 0b4e485582..20ec9e2e56 100644
>> +--- a/bfd/dwarf2.c
>> ++++ b/bfd/dwarf2.c
>> +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
>> + }
>> +
>> + static bfd_boolean
>> +-find_abstract_instance (struct comp_unit *   unit,
>> +-			bfd_byte *           orig_info_ptr,
>> +-			struct attribute *   attr_ptr,
>> +-			const char **        pname,
>> +-			bfd_boolean *        is_linkage,
>> +-			char **              filename_ptr,
>> +-			int *                linenumber_ptr)
>> ++find_abstract_instance (struct comp_unit *unit,
>> ++			struct attribute *attr_ptr,
>> ++			unsigned int recur_count,
>> ++			const char **pname,
>> ++			bfd_boolean *is_linkage,
>> ++			char **filename_ptr,
>> ++			int *linenumber_ptr)
>> + {
>> +   bfd *abfd = unit->abfd;
>> +   bfd_byte *info_ptr;
>> +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
>> +   struct attribute attr;
>> +   const char *name = NULL;
>> +
>> ++  if (recur_count == 100)
>> ++    {
>> ++      _bfd_error_handler
>> ++	(_("DWARF error: abstract instance recursion detected"));
>> ++      bfd_set_error (bfd_error_bad_value);
>> ++      return FALSE;
>> ++    }
>> ++
>> +   /* DW_FORM_ref_addr can reference an entry in a different CU. It
>> +      is an offset from the .debug_info section, not the current CU.  */
>> +   if (attr_ptr->form == DW_FORM_ref_addr)
>> +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
>> + 					 info_ptr, info_ptr_end);
>> + 	      if (info_ptr == NULL)
>> + 		break;
>> +-	      /* It doesn't ever make sense for DW_AT_specification to
>> +-		 refer to the same DIE.  Stop simple recursion.  */
>> +-	      if (info_ptr == orig_info_ptr)
>> +-		{
>> +-		  _bfd_error_handler
>> +-		    (_("DWARF error: abstract instance recursion detected"));
>> +-		  bfd_set_error (bfd_error_bad_value);
>> +-		  return FALSE;
>> +-		}
>> + 	      switch (attr.name)
>> + 		{
>> + 		case DW_AT_name:
>> +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
>> + 		    }
>> + 		  break;
>> + 		case DW_AT_specification:
>> +-		  if (!find_abstract_instance (unit, info_ptr, &attr,
>> ++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
>> + 					       &name, is_linkage,
>> + 					       filename_ptr, linenumber_ptr))
>> + 		    return FALSE;
>> +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
>> +
>> + 		case DW_AT_abstract_origin:
>> + 		case DW_AT_specification:
>> +-		  if (!find_abstract_instance (unit, info_ptr, &attr,
>> ++		  if (!find_abstract_instance (unit, &attr, 0,
>> + 					       &func->name,
>> + 					       &func->is_linkage,
>> + 					       &func->file,
>> +--
>> +2.23.0
>> +
It does, but I'm working on an upgrade for binutils to 2.33 for master 
that I'll then apply this (and another CVE patch) on top of.

More information about the Openembedded-core mailing list