From: Armin Kuster <akuster808@gmail.com>
To: akuster@mvista.com, openembedded-core@lists.openembedded.org
Subject: [pyro][PATCH 21/26] binutls: Security fix for CVE-2017-9752
Date: Sun, 26 Nov 2017 18:35:07 -0800 [thread overview]
Message-ID: <1511750112-2263-21-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1511750112-2263-1-git-send-email-akuster808@gmail.com>
Affects: <= 2.28
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/binutils/binutils-2.28.inc | 1 +
.../binutils/binutils/CVE-2017-9752.patch | 208 +++++++++++++++++++++
2 files changed, 209 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 99fc1b1..68d21c8 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -63,6 +63,7 @@ SRC_URI = "\
file://CVE-2017-9749.patch \
file://CVE-2017-9750.patch \
file://CVE-2017-9751.patch \
+ file://CVE-2017-9752.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
new file mode 100644
index 0000000..f63a993
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,208 @@
+From c53d2e6d744da000aaafe0237bced090aab62818 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 14 Jun 2017 11:27:15 +0100
+Subject: [PATCH] Fix potential address violations when processing a corrupt
+ Alpha VMA binary.
+
+ PR binutils/21589
+ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+ maximum value for the ascic pointer. Check that name processing
+ does not read beyond this value.
+ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+ end of etir record.
+
+Upstream-Status: Backport
+CVE: CVE-2017-9752
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 9 +++++++++
+ bfd/vms-alpha.c | 51 +++++++++++++++++++++++++++++++++++++++++----------
+ 2 files changed, 50 insertions(+), 10 deletions(-)
+
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -9,6 +9,15 @@
+
+ 2017-06-14 Nick Clifton <nickc@redhat.com>
+
++ PR binutils/21589
++ * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
++ maximum value for the ascic pointer. Check that name processing
++ does not read beyond this value.
++ (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
++ end of etir record.
++
++2017-06-14 Nick Clifton <nickc@redhat.com>
++
+ PR binutils/21578
+ * elf32-sh.c (sh_elf_set_mach_from_flags): Fix check for invalid
+ flag value.
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c
++++ git/bfd/vms-alpha.c
+@@ -1456,7 +1456,7 @@ dst_retrieve_location (bfd *abfd, unsign
+ /* Write multiple bytes to section image. */
+
+ static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
++image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+ {
+ #if VMS_DEBUG
+ _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1603,14 +1603,16 @@ _bfd_vms_etir_name (int cmd)
+ #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+
+ static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
++_bfd_vms_get_value (bfd *abfd,
++ const unsigned char *ascic,
++ const unsigned char *max_ascic,
+ struct bfd_link_info *info,
+ bfd_vma *vma,
+ struct alpha_vms_link_hash_entry **hp)
+ {
+ char name[257];
+- int len;
+- int i;
++ unsigned int len;
++ unsigned int i;
+ struct alpha_vms_link_hash_entry *h;
+
+ /* Not linking. Do not try to resolve the symbol. */
+@@ -1622,6 +1624,14 @@ _bfd_vms_get_value (bfd *abfd, const uns
+ }
+
+ len = *ascic;
++ if (ascic + len >= max_ascic)
++ {
++ _bfd_error_handler (_("Corrupt vms value"));
++ *vma = 0;
++ *hp = NULL;
++ return;
++ }
++
+ for (i = 0; i < len; i++)
+ name[i] = ascic[i + 1];
+ name[i] = 0;
+@@ -1741,6 +1751,15 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+
++ /* PR 21589: Check for a corrupt ETIR record. */
++ if (cmd_length < 4)
++ {
++ corrupt_etir:
++ _bfd_error_handler (_("Corrupt ETIR record encountered"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+ switch (cmd)
+ {
+ /* Stack global
+@@ -1748,7 +1767,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+
+ stack 32 bit value of symbol (high bits set to 0). */
+ case ETIR__C_STA_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+ break;
+
+@@ -1757,6 +1776,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+
+ stack 32 bit value, sign extend to 64 bit. */
+ case ETIR__C_STA_LW:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+ break;
+
+@@ -1765,6 +1786,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+
+ stack 64 bit value of symbol. */
+ case ETIR__C_STA_QW:
++ if (ptr + 8 >= maxptr)
++ goto corrupt_etir;
+ _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+ break;
+
+@@ -1778,6 +1801,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ {
+ int psect;
+
++ if (ptr + 12 >= maxptr)
++ goto corrupt_etir;
+ psect = bfd_getl32 (ptr);
+ if ((unsigned int) psect >= PRIV (section_count))
+ {
+@@ -1867,6 +1892,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ {
+ int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ size = bfd_getl32 (ptr);
+ _bfd_vms_pop (abfd, &op1, &rel1);
+ if (rel1 != RELC_NONE)
+@@ -1879,7 +1906,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ /* Store global: write symbol value
+ arg: cs global symbol name. */
+ case ETIR__C_STO_GBL:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ if (h && h->sym)
+ {
+ if (h->sym->typ == EGSD__C_SYMG)
+@@ -1901,7 +1928,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ /* Store code address: write address of entry point
+ arg: cs global symbol name (procedure). */
+ case ETIR__C_STO_CA:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ if (h && h->sym)
+ {
+ if (h->sym->flags & EGSY__V_NORM)
+@@ -1946,8 +1973,10 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ da data. */
+ case ETIR__C_STO_IMM:
+ {
+- int size;
++ unsigned int size;
+
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ size = bfd_getl32 (ptr);
+ image_write (abfd, ptr + 4, size);
+ }
+@@ -1960,7 +1989,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ store global longword: store 32bit value of symbol
+ arg: cs symbol name. */
+ case ETIR__C_STO_GBL_LW:
+- _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ #if 0
+ abort ();
+ #endif
+@@ -2013,7 +2042,7 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ da signature. */
+
+ case ETIR__C_STC_LP_PSB:
+- _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
++ _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+ if (h && h->sym)
+ {
+ if (h->sym->typ == EGSD__C_SYMG)
+@@ -2109,6 +2138,8 @@ _bfd_vms_slurp_etir (bfd *abfd, struct b
+ /* Augment relocation base: increment image location counter by offset
+ arg: lw offset value. */
+ case ETIR__C_CTL_AUGRB:
++ if (ptr + 4 >= maxptr)
++ goto corrupt_etir;
+ op1 = bfd_getl32 (ptr);
+ image_inc_ptr (abfd, op1);
+ break;
--
2.7.4
next prev parent reply other threads:[~2017-11-27 2:35 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-27 2:34 [pyro][PATCH 01/26] binutils: Security fix CVE-2017-7223 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 02/26] binutils: Security Fix CVE-2017-7614 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 03/26] binutils: Security fix CVE-2017-8393 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 04/26] binutls: Secuirty fix CVE-2017-8394 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 05/26] binutls: Security fix CVE-2017-8395 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 06/26] binutils: Secuirty fix CVE-2017-8396 and CVE-2017-8397 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 07/26] binutils: Security fix for CVE-2017-8398 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 08/26] binutils: Security fix CVE-2017-8421 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 09/26] binutils: Security fix for CVE-2017-9038 and CVE-2017-9044 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 10/26] binutils: Security fix for CVE-2017-9039 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 11/26] binutils: Security fix for CVE-2017-9040 and CVE-2017-9042 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 12/26] binutils: Security fix for CVE-2017-9742 Armin Kuster
2017-11-27 2:34 ` [pyro][PATCH 13/26] binutls: Security fix for CVE-2017-9744 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 14/26] binutils: Security fix for CVE-2017-9745 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 15/26] binutls: Security for fix CVE-2017-9746 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 16/26] binutls: Security fix for CVE-2017-9747 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 17/26] binutls: Security fix for CVE-2017-9748 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 18/26] binutils: Security fix for CVE-2017-9749 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 19/26] Binutils: Security fix for CVE-2017-9750 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 20/26] binutls: Security fix for CVE-2017-9751 Armin Kuster
2017-11-27 2:35 ` Armin Kuster [this message]
2017-11-27 2:35 ` [pyro][PATCH 22/26] binutls: Security fix for CVE-2017-9753 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 23/26] binutls: Security fix for CVE-2017-9755 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 24/26] binutls: Secuirty fix for CVE-2017-9756 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 25/26] binutils: Security fix for CVE-2017-9954 Armin Kuster
2017-11-27 2:35 ` [pyro][PATCH 26/26] binutls: Security fix for CVE-2017-9955 Armin Kuster
2017-11-27 3:04 ` ✗ patchtest: failure for "[pyro] binutils: Security fix ..." and 25 more Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1511750112-2263-21-git-send-email-akuster808@gmail.com \
--to=akuster808@gmail.com \
--cc=akuster@mvista.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox