[OE-core] [zeus][PATCH v3] binutils: fix CVE-2019-17450

Khem Raj raj.khem at gmail.com
Fri Oct 25 17:04:01 UTC 2019


On Fri, Oct 25, 2019 at 4:05 PM Trevor Gamblin <trevor.gamblin at windriver.com>
wrote:

> On 10/25/19 11:02 AM, akuster808 wrote:
>
> >
> > On 10/25/19 5:22 AM, Trevor Gamblin wrote:
> >> Backport upstream fix to zeus.
> >>
> >> Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> > Does this affect Master?
> >
> > - armin
> >> ---
> >>   .../binutils/binutils-2.32.inc                |  1 +
> >>   .../binutils/binutils/CVE-2019-17450.patch    | 99 +++++++++++++++++++
> >>   2 files changed, 100 insertions(+)
> >>   create mode 100644
> meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> >>
> >> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc
> b/meta/recipes-devtools/binutils/binutils-2.32.inc
> >> index 19baf8a883..1e96cf494d 100644
> >> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
> >> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
> >> @@ -49,6 +49,7 @@ SRC_URI = "\
> >>        file://CVE-2019-12972.patch \
> >>        file://CVE-2019-14250.patch \
> >>        file://CVE-2019-14444.patch \
> >> +     file://CVE-2019-17450.patch \
> >>   "
> >>   S  = "${WORKDIR}/git"
> >>
> >> diff --git
> a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> >> new file mode 100644
> >> index 0000000000..a6ce0b9a8a
> >> --- /dev/null
> >> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> >> @@ -0,0 +1,99 @@
> >> +From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
> >> +From: Alan Modra <amodra at gmail.com>
> >> +Date: Wed, 9 Oct 2019 00:07:29 +1030
> >> +Subject: [PATCH] PR25078, stack overflow in function
> find_abstract_instance
> >> +
> >> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
> >> +file. There are newer versions of binutils, but none of them contain
> the
> >> +commit fixing CVE-2019-17450, so backport it to master and zeus.
> >> +
> >> +Upstream-Status: Backport [
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
> >> +CVE: CVE-2019-17450
> >> +Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
> >> +
> >> +    PR 25078
> >> +    * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
> >> +    recur_count.  Error on recur_count reaching 100 rather than
> >> +    info_ptr matching orig_info_ptr.  Adjust calls.
> >> +
> >> +---
> >> + bfd/dwarf2.c | 35 +++++++++++++++++------------------
> >> + 1 file changed, 17 insertions(+), 18 deletions(-)
> >> +
> >> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
> >> +index 0b4e485582..20ec9e2e56 100644
> >> +--- a/bfd/dwarf2.c
> >> ++++ b/bfd/dwarf2.c
> >> +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct
> comp_unit *unit,
> >> + }
> >> +
> >> + static bfd_boolean
> >> +-find_abstract_instance (struct comp_unit *   unit,
> >> +-                   bfd_byte *           orig_info_ptr,
> >> +-                   struct attribute *   attr_ptr,
> >> +-                   const char **        pname,
> >> +-                   bfd_boolean *        is_linkage,
> >> +-                   char **              filename_ptr,
> >> +-                   int *                linenumber_ptr)
> >> ++find_abstract_instance (struct comp_unit *unit,
> >> ++                   struct attribute *attr_ptr,
> >> ++                   unsigned int recur_count,
> >> ++                   const char **pname,
> >> ++                   bfd_boolean *is_linkage,
> >> ++                   char **filename_ptr,
> >> ++                   int *linenumber_ptr)
> >> + {
> >> +   bfd *abfd = unit->abfd;
> >> +   bfd_byte *info_ptr;
> >> +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *
>  unit,
> >> +   struct attribute attr;
> >> +   const char *name = NULL;
> >> +
> >> ++  if (recur_count == 100)
> >> ++    {
> >> ++      _bfd_error_handler
> >> ++   (_("DWARF error: abstract instance recursion detected"));
> >> ++      bfd_set_error (bfd_error_bad_value);
> >> ++      return FALSE;
> >> ++    }
> >> ++
> >> +   /* DW_FORM_ref_addr can reference an entry in a different CU. It
> >> +      is an offset from the .debug_info section, not the current CU.
> */
> >> +   if (attr_ptr->form == DW_FORM_ref_addr)
> >> +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *
>  unit,
> >> +                                     info_ptr, info_ptr_end);
> >> +          if (info_ptr == NULL)
> >> +            break;
> >> +-         /* It doesn't ever make sense for DW_AT_specification to
> >> +-            refer to the same DIE.  Stop simple recursion.  */
> >> +-         if (info_ptr == orig_info_ptr)
> >> +-           {
> >> +-             _bfd_error_handler
> >> +-               (_("DWARF error: abstract instance recursion
> detected"));
> >> +-             bfd_set_error (bfd_error_bad_value);
> >> +-             return FALSE;
> >> +-           }
> >> +          switch (attr.name)
> >> +            {
> >> +            case DW_AT_name:
> >> +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *
>  unit,
> >> +                }
> >> +              break;
> >> +            case DW_AT_specification:
> >> +-             if (!find_abstract_instance (unit, info_ptr, &attr,
> >> ++             if (!find_abstract_instance (unit, &attr, recur_count +
> 1,
> >> +                                           &name, is_linkage,
> >> +                                           filename_ptr,
> linenumber_ptr))
> >> +                return FALSE;
> >> +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
> >> +
> >> +            case DW_AT_abstract_origin:
> >> +            case DW_AT_specification:
> >> +-             if (!find_abstract_instance (unit, info_ptr, &attr,
> >> ++             if (!find_abstract_instance (unit, &attr, 0,
> >> +                                           &func->name,
> >> +                                           &func->is_linkage,
> >> +                                           &func->file,
> >> +--
> >> +2.23.0
> >> +
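Review bot: The new guard `if (recur_count == 100)` at the top of find_abstract_instance only trips when the depth lands exactly on 100, so it depends on every caller passing `recur_count + 1` and `0` as the hunk's two call sites do; a future caller that seeds a larger value would walk past the check and the unbounded recursion the CVE fix exists to stop would return. A `>=` comparison against a named limit is the defensive form, e.g. `enum { ABSTRACT_INSTANCE_MAX_DEPTH = 100 };` and `if (recur_count >= ABSTRACT_INSTANCE_MAX_DEPTH)`, which also documents what the magic 100 means. The body of find_abstract_instance runs past this hunk, and the same error path (`_bfd_error_handler`, `bfd_set_error (bfd_error_bad_value)`, `return FALSE`) is kept from the removed `orig_info_ptr` check. As quoted here several patch lines appear wrapped (for example `recur_count +` / `1,`), presumably by the mail client rather than in the committed file, so the on-list copy should not be applied directly.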
> It does, but I'm working on an upgrade for binutils to 2.33 for master
> that I'll then apply this (and another CVE patch) on top of.


Then sequence it first so it can be backported to Zeus straightforwardly;
then you can do the 2.33 upgrade.

>