All of lore.kernel.org
 help / color / mirror / Atom feed
* [zeus][PATCH] binutils: fix CVE-2019-17450
@ 2019-10-25  1:02 Trevor Gamblin
  2019-10-25  9:33 ` Khem Raj
  0 siblings, 1 reply; 2+ messages in thread
From: Trevor Gamblin @ 2019-10-25  1:02 UTC (permalink / raw)
  To: openembedded-core

Backport upstream fix to zeus.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 .../binutils/binutils-2.32.inc                |  1 +
 ...erflow-in-function-find_abstract_ins.patch | 99 +++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 19baf8a883..48940fd3e5 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
      file://CVE-2019-12972.patch \
      file://CVE-2019-14250.patch \
      file://CVE-2019-14444.patch \
+     file://0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch b/meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch
new file mode 100644
index 0000000000..a6ce0b9a8a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch
@@ -0,0 +1,99 @@
+From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17450, so backport it to master and zeus.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
+CVE: CVE-2019-17450
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+	PR 25078
+	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+	recur_count.  Error on recur_count reaching 100 rather than
+	info_ptr matching orig_info_ptr.  Adjust calls.
+
+---
+ bfd/dwarf2.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..20ec9e2e56 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
+ }
+ 
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit *   unit,
+-			bfd_byte *           orig_info_ptr,
+-			struct attribute *   attr_ptr,
+-			const char **        pname,
+-			bfd_boolean *        is_linkage,
+-			char **              filename_ptr,
+-			int *                linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++			struct attribute *attr_ptr,
++			unsigned int recur_count,
++			const char **pname,
++			bfd_boolean *is_linkage,
++			char **filename_ptr,
++			int *linenumber_ptr)
+ {
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr;
+@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
+   struct attribute attr;
+   const char *name = NULL;
+ 
++  if (recur_count == 100)
++    {
++      _bfd_error_handler
++	(_("DWARF error: abstract instance recursion detected"));
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+   if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
+-	      /* It doesn't ever make sense for DW_AT_specification to
+-		 refer to the same DIE.  Stop simple recursion.  */
+-	      if (info_ptr == orig_info_ptr)
+-		{
+-		  _bfd_error_handler
+-		    (_("DWARF error: abstract instance recursion detected"));
+-		  bfd_set_error (bfd_error_bad_value);
+-		  return FALSE;
+-		}
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ 					       &name, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, 0,
+ 					       &func->name,
+ 					       &func->is_linkage,
+ 					       &func->file,
+-- 
+2.23.0
+
-- 
2.23.0



^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [zeus][PATCH] binutils: fix CVE-2019-17450
  2019-10-25  1:02 [zeus][PATCH] binutils: fix CVE-2019-17450 Trevor Gamblin
@ 2019-10-25  9:33 ` Khem Raj
  0 siblings, 0 replies; 2+ messages in thread
From: Khem Raj @ 2019-10-25  9:33 UTC (permalink / raw)
  To: Trevor Gamblin; +Cc: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 6259 bytes --]

On Fri, Oct 25, 2019 at 2:02 AM Trevor Gamblin <trevor.gamblin@windriver.com>
wrote:

> Backport upstream fix to zeus.
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> ---
>  .../binutils/binutils-2.32.inc                |  1 +
>  ...erflow-in-function-find_abstract_ins.patch | 99 +++++++++++++++++++
>  2 files changed, 100 insertions(+)
>  create mode 100644
> meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc
> b/meta/recipes-devtools/binutils/binutils-2.32.inc
> index 19baf8a883..48940fd3e5 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
> @@ -49,6 +49,7 @@ SRC_URI = "\
>       file://CVE-2019-12972.patch \
>       file://CVE-2019-14250.patch \
>       file://CVE-2019-14444.patch \
> +
>  file://0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch \


Please retain the CVE patch naming convention


>  "
>  S  = "${WORKDIR}/git"
>
> diff --git
> a/meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch
> b/meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch
> new file mode 100644
> index 0000000000..a6ce0b9a8a
> --- /dev/null
> +++
> b/meta/recipes-devtools/binutils/binutils/0001-PR25078-stack-overflow-in-function-find_abstract_ins.patch
> @@ -0,0 +1,99 @@
> +From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Wed, 9 Oct 2019 00:07:29 +1030
> +Subject: [PATCH] PR25078, stack overflow in function
> find_abstract_instance
> +
> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
> +file. There are newer versions of binutils, but none of them contain the
> +commit fixing CVE-2019-17450, so backport it to master and zeus.
> +
> +Upstream-Status: Backport [
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
> +CVE: CVE-2019-17450
> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> +
> +       PR 25078
> +       * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
> +       recur_count.  Error on recur_count reaching 100 rather than
> +       info_ptr matching orig_info_ptr.  Adjust calls.
> +
> +---
> + bfd/dwarf2.c | 35 +++++++++++++++++------------------
> + 1 file changed, 17 insertions(+), 18 deletions(-)
> +
> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
> +index 0b4e485582..20ec9e2e56 100644
> +--- a/bfd/dwarf2.c
> ++++ b/bfd/dwarf2.c
> +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit
> *unit,
> + }
> +
> + static bfd_boolean
> +-find_abstract_instance (struct comp_unit *   unit,
> +-                      bfd_byte *           orig_info_ptr,
> +-                      struct attribute *   attr_ptr,
> +-                      const char **        pname,
> +-                      bfd_boolean *        is_linkage,
> +-                      char **              filename_ptr,
> +-                      int *                linenumber_ptr)
> ++find_abstract_instance (struct comp_unit *unit,
> ++                      struct attribute *attr_ptr,
> ++                      unsigned int recur_count,
> ++                      const char **pname,
> ++                      bfd_boolean *is_linkage,
> ++                      char **filename_ptr,
> ++                      int *linenumber_ptr)
> + {
> +   bfd *abfd = unit->abfd;
> +   bfd_byte *info_ptr;
> +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
> +   struct attribute attr;
> +   const char *name = NULL;
> +
> ++  if (recur_count == 100)
> ++    {
> ++      _bfd_error_handler
> ++      (_("DWARF error: abstract instance recursion detected"));
> ++      bfd_set_error (bfd_error_bad_value);
> ++      return FALSE;
> ++    }
> ++
> +   /* DW_FORM_ref_addr can reference an entry in a different CU. It
> +      is an offset from the .debug_info section, not the current CU.  */
> +   if (attr_ptr->form == DW_FORM_ref_addr)
> +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
> +                                        info_ptr, info_ptr_end);
> +             if (info_ptr == NULL)
> +               break;
> +-            /* It doesn't ever make sense for DW_AT_specification to
> +-               refer to the same DIE.  Stop simple recursion.  */
> +-            if (info_ptr == orig_info_ptr)
> +-              {
> +-                _bfd_error_handler
> +-                  (_("DWARF error: abstract instance recursion
> detected"));
> +-                bfd_set_error (bfd_error_bad_value);
> +-                return FALSE;
> +-              }
> +             switch (attr.name)
> +               {
> +               case DW_AT_name:
> +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
> +                   }
> +                 break;
> +               case DW_AT_specification:
> +-                if (!find_abstract_instance (unit, info_ptr, &attr,
> ++                if (!find_abstract_instance (unit, &attr, recur_count +
> 1,
> +                                              &name, is_linkage,
> +                                              filename_ptr,
> linenumber_ptr))
> +                   return FALSE;
> +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
> +
> +               case DW_AT_abstract_origin:
> +               case DW_AT_specification:
> +-                if (!find_abstract_instance (unit, info_ptr, &attr,
> ++                if (!find_abstract_instance (unit, &attr, 0,
> +                                              &func->name,
> +                                              &func->is_linkage,
> +                                              &func->file,
> +--
> +2.23.0
> +
> --
> 2.23.0
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

[-- Attachment #2: Type: text/html, Size: 8198 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-10-25  9:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-25  1:02 [zeus][PATCH] binutils: fix CVE-2019-17450 Trevor Gamblin
2019-10-25  9:33 ` Khem Raj

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.