Openembedded Core Discussions
 help / color / mirror / Atom feed
From: Armin Kuster <akuster808@gmail.com>
To: akuster@mvista.com, openembedded-core@lists.openembedded.org
Subject: [ROCKO][PATCH 10/12] Binutils: Security fix for CVE-2018-7568
Date: Wed,  8 Aug 2018 14:54:17 -0700	[thread overview]
Message-ID: <1533765259-10091-10-git-send-email-akuster808@gmail.com> (raw)
In-Reply-To: <1533765259-10091-1-git-send-email-akuster808@gmail.com>

From: Armin Kuster <akuster@mvista.com>

Affects: <= 2.30

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-devtools/binutils/binutils-2.29.1.inc |   2 +
 .../binutils/binutils/CVE-2018-7568_p1.patch       | 161 +++++++++++++++++++++
 .../binutils/binutils/CVE-2018-7568_p2.patch       |  73 ++++++++++
 3 files changed, 236 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.29.1.inc b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
index 13389a1..ceb8e85 100644
--- a/meta/recipes-devtools/binutils/binutils-2.29.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.29.1.inc
@@ -73,6 +73,8 @@ SRC_URI = "\
      file://CVE-2018-6323.patch \
      file://CVE-2018-6759.patch \
      file://CVE-2018-7208.patch \
+     file://CVE-2018-7568_p1.patch \
+     file://CVE-2018-7568_p2.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch
new file mode 100644
index 0000000..b014080
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p1.patch
@@ -0,0 +1,161 @@
+From 1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 25 Sep 2017 20:20:38 +0930
+Subject: [PATCH] PR22202, buffer overflow in parse_die
+
+There was a complete lack of sanity checking in dwarf1.c
+
+	PR 22202
+	* dwarf1.c (parse_die): Sanity check pointer against section limit
+	before dereferencing.
+	(parse_line_table): Likewise.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-7568 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf1.c  | 56 ++++++++++++++++++++++++++++++++++++++------------------
+ 2 files changed, 45 insertions(+), 18 deletions(-)
+
+Index: git/bfd/dwarf1.c
+===================================================================
+--- git.orig/bfd/dwarf1.c
++++ git/bfd/dwarf1.c
+@@ -189,11 +189,14 @@ parse_die (bfd *             abfd,
+   memset (aDieInfo, 0, sizeof (* aDieInfo));
+ 
+   /* First comes the length.  */
+-  aDieInfo->length = bfd_get_32 (abfd, (bfd_byte *) xptr);
++  if (xptr + 4 > aDiePtrEnd)
++    return FALSE;
++  aDieInfo->length = bfd_get_32 (abfd, xptr);
+   xptr += 4;
+   if (aDieInfo->length == 0
+-      || (this_die + aDieInfo->length) >= aDiePtrEnd)
++      || this_die + aDieInfo->length > aDiePtrEnd)
+     return FALSE;
++  aDiePtrEnd = this_die + aDieInfo->length;
+   if (aDieInfo->length < 6)
+     {
+       /* Just padding bytes.  */
+@@ -202,18 +205,20 @@ parse_die (bfd *             abfd,
+     }
+ 
+   /* Then the tag.  */
+-  aDieInfo->tag = bfd_get_16 (abfd, (bfd_byte *) xptr);
++  if (xptr + 2 > aDiePtrEnd)
++    return FALSE;
++  aDieInfo->tag = bfd_get_16 (abfd, xptr);
+   xptr += 2;
+ 
+   /* Then the attributes.  */
+-  while (xptr < (this_die + aDieInfo->length))
++  while (xptr + 2 <= aDiePtrEnd)
+     {
+       unsigned short attr;
+ 
+       /* Parse the attribute based on its form.  This section
+          must handle all dwarf1 forms, but need only handle the
+ 	 actual attributes that we care about.  */
+-      attr = bfd_get_16 (abfd, (bfd_byte *) xptr);
++      attr = bfd_get_16 (abfd, xptr);
+       xptr += 2;
+ 
+       switch (FORM_FROM_ATTR (attr))
+@@ -223,12 +228,15 @@ parse_die (bfd *             abfd,
+ 	  break;
+ 	case FORM_DATA4:
+ 	case FORM_REF:
+-	  if (attr == AT_sibling)
+-	    aDieInfo->sibling = bfd_get_32 (abfd, (bfd_byte *) xptr);
+-	  else if (attr == AT_stmt_list)
++	  if (xptr + 4 <= aDiePtrEnd)
+ 	    {
+-	      aDieInfo->stmt_list_offset = bfd_get_32 (abfd, (bfd_byte *) xptr);
+-	      aDieInfo->has_stmt_list = 1;
++	      if (attr == AT_sibling)
++		aDieInfo->sibling = bfd_get_32 (abfd, xptr);
++	      else if (attr == AT_stmt_list)
++		{
++		  aDieInfo->stmt_list_offset = bfd_get_32 (abfd, xptr);
++		  aDieInfo->has_stmt_list = 1;
++		}
+ 	    }
+ 	  xptr += 4;
+ 	  break;
+@@ -236,22 +244,29 @@ parse_die (bfd *             abfd,
+ 	  xptr += 8;
+ 	  break;
+ 	case FORM_ADDR:
+-	  if (attr == AT_low_pc)
+-	    aDieInfo->low_pc = bfd_get_32 (abfd, (bfd_byte *) xptr);
+-	  else if (attr == AT_high_pc)
+-	    aDieInfo->high_pc = bfd_get_32 (abfd, (bfd_byte *) xptr);
++	  if (xptr + 4 <= aDiePtrEnd)
++	    {
++	      if (attr == AT_low_pc)
++		aDieInfo->low_pc = bfd_get_32 (abfd, xptr);
++	      else if (attr == AT_high_pc)
++		aDieInfo->high_pc = bfd_get_32 (abfd, xptr);
++	    }
+ 	  xptr += 4;
+ 	  break;
+ 	case FORM_BLOCK2:
+-	  xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr);
++	  if (xptr + 2 <= aDiePtrEnd)
++	    xptr += bfd_get_16 (abfd, xptr);
++	  xptr += 2;
+ 	  break;
+ 	case FORM_BLOCK4:
+-	  xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr);
++	  if (xptr + 4 <= aDiePtrEnd)
++	    xptr += bfd_get_32 (abfd, xptr);
++	  xptr += 4;
+ 	  break;
+ 	case FORM_STRING:
+ 	  if (attr == AT_name)
+ 	    aDieInfo->name = (char *) xptr;
+-	  xptr += strlen ((char *) xptr) + 1;
++	  xptr += strnlen ((char *) xptr, aDiePtrEnd - xptr) + 1;
+ 	  break;
+ 	}
+     }
+@@ -290,7 +305,7 @@ parse_line_table (struct dwarf1_debug* s
+     }
+ 
+   xptr = stash->line_section + aUnit->stmt_list_offset;
+-  if (xptr < stash->line_section_end)
++  if (xptr + 8 <= stash->line_section_end)
+     {
+       unsigned long eachLine;
+       bfd_byte *tblend;
+@@ -318,6 +333,11 @@ parse_line_table (struct dwarf1_debug* s
+ 
+       for (eachLine = 0; eachLine < aUnit->line_count; eachLine++)
+ 	{
++	  if (xptr + 10 > stash->line_section_end)
++	    {
++	      aUnit->line_count = eachLine;
++	      break;
++	    }
+ 	  /* A line number.  */
+ 	  aUnit->linenumber_table[eachLine].linenumber
+ 	    = bfd_get_32 (stash->abfd, (bfd_byte *) xptr);
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2017-09-25  Alan Modra  <amodra@gmail.com>
++
++       PR 22202
++       * dwarf1.c (parse_die): Sanity check pointer against section limit
++       before dereferencing.
++       (parse_line_table): Likewise.
++
+ 2018-01-29  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22741
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch
new file mode 100644
index 0000000..b5511d7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-7568_p2.patch
@@ -0,0 +1,73 @@
+From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 10:13:54 +0000
+Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
+ debug information.
+
+	PR 22894
+	* dwarf1.c (parse_die): Check the length of form blocks before
+	advancing the data pointer.
+
+Upstream-Status: Backport
+Affects: <= 2.30
+CVE: CVE-2018-7568 patch2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/dwarf1.c  | 17 +++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+Index: git/bfd/dwarf1.c
+===================================================================
+--- git.orig/bfd/dwarf1.c
++++ git/bfd/dwarf1.c
+@@ -213,6 +213,7 @@ parse_die (bfd *             abfd,
+   /* Then the attributes.  */
+   while (xptr + 2 <= aDiePtrEnd)
+     {
++      unsigned int   block_len;
+       unsigned short attr;
+ 
+       /* Parse the attribute based on its form.  This section
+@@ -255,12 +256,24 @@ parse_die (bfd *             abfd,
+ 	  break;
+ 	case FORM_BLOCK2:
+ 	  if (xptr + 2 <= aDiePtrEnd)
+-	    xptr += bfd_get_16 (abfd, xptr);
++	    {
++	      block_len = bfd_get_16 (abfd, xptr);
++	      if (xptr + block_len > aDiePtrEnd
++		  || xptr + block_len < xptr)
++		return FALSE;
++	      xptr += block_len;
++	    }
+ 	  xptr += 2;
+ 	  break;
+ 	case FORM_BLOCK4:
+ 	  if (xptr + 4 <= aDiePtrEnd)
+-	    xptr += bfd_get_32 (abfd, xptr);
++	    {
++	      block_len = bfd_get_32 (abfd, xptr);
++	      if (xptr + block_len > aDiePtrEnd
++		  || xptr + block_len < xptr)
++		return FALSE;
++	      xptr += block_len;
++	    }
+ 	  xptr += 4;
+ 	  break;
+ 	case FORM_STRING:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2018-02-28  Nick Clifton  <nickc@redhat.com>
++
++       PR 22894
++       * dwarf1.c (parse_die): Check the length of form blocks before
++       advancing the data pointer.
++
+ 2017-09-25  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22202
-- 
2.7.4



  parent reply	other threads:[~2018-08-08 21:54 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-08 21:54 [ROCKO][PATCH 01/12] binutils: Security fix for CVE-2017-17123 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 02/12] Binutils: Security fix for CVE-2018-10372 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 03/12] Binutils: Security fix for CVE-2018-10373 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 04/12] Binutils: Security fix for CVE-2018-10534 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 05/12] Binutils: Security fix for CVE-2018-10535 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 06/12] Binutils: Security fix for CVE-2018-13033 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 07/12] Binutils: Security fix for CVE-2018-6323 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 08/12] Binutils: Security fix for CVE-2018-6759 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 09/12] Binutils: Security fix for CVE-2018-7208 Armin Kuster
2018-08-08 21:54 ` Armin Kuster [this message]
2018-08-08 21:54 ` [ROCKO][PATCH 11/12] Binutils: Security fix for CVE-2018-7569 Armin Kuster
2018-08-08 21:54 ` [ROCKO][PATCH 12/12] Binutils: Security fix for CVE-2018-7642 Armin Kuster
2018-08-08 22:08 ` ✗ patchtest: failure for "[ROCKO] binutils: Security fix..." and 11 more Patchwork

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1533765259-10091-10-git-send-email-akuster808@gmail.com \
    --to=akuster808@gmail.com \
    --cc=akuster@mvista.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox