* [PATCH] binutils: CVE-2019-17450 and CVE-2019-17451
@ 2019-10-29  2:36 Zhixiong Chi
From: Zhixiong Chi @ 2019-10-29  2:36 UTC (permalink / raw)
  To: openembedded-core

This patch fixes the stack overflow issue for a recursive call
and the segmentation fault issue.

Backport the two CVE patches from the binutils upstream:
commit 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1
commit 063c511bd79281f33fd33f0964541a73511b9e2b

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
 .../binutils/binutils-2.32.inc                |   2 +
 .../binutils/binutils/CVE-2019-17450.patch    | 104 ++++++++++++++++++
 .../binutils/binutils/CVE-2019-17451.patch    |  54 +++++++++
 3 files changed, 160 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 19baf8a883..349c3e1154 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -49,6 +49,8 @@ SRC_URI = "\
      file://CVE-2019-12972.patch \
      file://CVE-2019-14250.patch \
      file://CVE-2019-14444.patch \
+     file://CVE-2019-17450.patch \
+     file://CVE-2019-17451.patch \
 "
 S  = "${WORKDIR}/git"
 
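Review bot: the order of the two new SRC_URI entries is load-bearing, not cosmetic. CVE-2019-17451.patch is generated on top of CVE-2019-17450.patch: its bfd/ChangeLog hunk has pre-image index 2f568ff9bf, which is the post-image of the 17450 ChangeLog hunk, and its bfd/dwarf2.c hunk likewise starts from 20ec9e2e56, the 17450 post-image, and its ChangeLog context already contains the "2019-10-08 ... PR 25078" entry. Keep 17450 listed before 17451, or consider dropping the bfd/ChangeLog hunks from both files so the two backports apply independently and do not reject when the 2.32 branch ChangeLog drifts.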
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
new file mode 100644
index 0000000000..e95c9f7aba
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
@@ -0,0 +1,104 @@
+From 18360106e144b3584fc2f822118021086dc17da3 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+	PR 25078
+	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+	recur_count.  Error on recur_count reaching 100 rather than
+	info_ptr matching orig_info_ptr.  Adjust calls.
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/dwarf2.c  | 35 +++++++++++++++++------------------
+ 2 files changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index e66fb40a2c..2f568ff9bf 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2019-10-08  Alan Modra  <amodra@gmail.com>
++
++	PR 25078
++	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
++	recur_count.  Error on recur_count reaching 100 rather than
++	info_ptr matching orig_info_ptr.  Adjust calls.
++
+ 2019-06-21  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR 24689
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..20ec9e2e56 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
+ }
+ 
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit *   unit,
+-			bfd_byte *           orig_info_ptr,
+-			struct attribute *   attr_ptr,
+-			const char **        pname,
+-			bfd_boolean *        is_linkage,
+-			char **              filename_ptr,
+-			int *                linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++			struct attribute *attr_ptr,
++			unsigned int recur_count,
++			const char **pname,
++			bfd_boolean *is_linkage,
++			char **filename_ptr,
++			int *linenumber_ptr)
+ {
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr;
+@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
+   struct attribute attr;
+   const char *name = NULL;
+ 
++  if (recur_count == 100)
++    {
++      _bfd_error_handler
++	(_("DWARF error: abstract instance recursion detected"));
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+   if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
+-	      /* It doesn't ever make sense for DW_AT_specification to
+-		 refer to the same DIE.  Stop simple recursion.  */
+-	      if (info_ptr == orig_info_ptr)
+-		{
+-		  _bfd_error_handler
+-		    (_("DWARF error: abstract instance recursion detected"));
+-		  bfd_set_error (bfd_error_bad_value);
+-		  return FALSE;
+-		}
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ 					       &name, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, 0,
+ 					       &func->name,
+ 					       &func->is_linkage,
+ 					       &func->file,
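Review bot: the patch file header carries only the upstream From/Date/Subject lines and lacks the OE-Core tags, namely a `CVE: CVE-2019-17450` line, an `Upstream-Status: Backport [<commit>]` line and a `Signed-off-by:` from the backporter; the patchtest reply in this thread fails the series on exactly these three points, so please add them above the upstream changelog text. The cover letter cites commit 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 while this file's From line is 18360106e144b3584fc2f822118021086dc17da3, so the Upstream-Status line should name the tree or branch the backport was taken from so the two ids can be reconciled. On the code itself, the change is sound: the removed `info_ptr == orig_info_ptr` test only caught a DW_AT_specification that pointed straight back at the same DIE, so a cycle through two or more DIEs recursed until the stack was exhausted, whereas the new `recur_count == 100` guard bounds depth regardless of cycle shape. Callers must start the counter at 0, as the scan_unit_for_symbols hunk does; any other caller of find_abstract_instance in the 2.32 tree will need the same signature update or the build will fail.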
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
new file mode 100644
index 0000000000..f00808e229
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,54 @@
+From 9b88c7910f36fbc957bc365349d6cf43cf000c24 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+	PR 25070
+	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+	total_size calculation.
+
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/dwarf2.c  | 11 ++++++++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 2f568ff9bf..adbcc9bb84 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2019-10-09  Alan Modra  <amodra@gmail.com>
++
++	PR 25070
++	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
++	total_size calculation.
++
+ 2019-10-08  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR 25078
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 20ec9e2e56..9bbf2025cf 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4425,7 +4425,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+ 	   msec;
+ 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
+-	total_size += msec->size;
++	{
++	  /* Catch PR25070 testcase overflowing size calculation here.  */
++	  if (total_size + msec->size < total_size
++	      || total_size + msec->size < msec->size)
++	    {
++	      bfd_set_error (bfd_error_no_memory);
++	      return FALSE;
++	    }
++	  total_size += msec->size;
++	}
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
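Review bot: the wraparound test `total_size + msec->size < total_size || total_size + msec->size < msec->size` is only a valid overflow check if both operands are unsigned (as bfd_size_type is); in that case the second disjunct is redundant, since an unsigned sum that wraps is smaller than both addends, but it is harmless. Two points worth a follow-up: the failure is reported as bfd_error_no_memory, so a malformed file with section sizes 2aaaabac4ec1 and ffffd5555453b140 (the PR25070 case described in the header) is indistinguishable to callers from a genuine allocation failure, and bfd_error_bad_value, as used in the sibling CVE-2019-17450 patch, would describe it better; and the same header problems apply here as to the other file, namely no `CVE: CVE-2019-17451`, no `Upstream-Status:` and no backporter `Signed-off-by:`, plus a From id (9b88c7910f36fbc957bc365349d6cf43cf000c24) that differs from the 063c511bd79281f33fd33f0964541a73511b9e2b cited in the cover letter.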
-- 
2.17.0


* ✗ patchtest: failure for binutils: CVE-2019-17450 and CVE-2019-17451
  2019-10-29  2:36 [PATCH] binutils: CVE-2019-17450 and CVE-2019-17451 Zhixiong Chi
@ 2019-10-29  3:02 ` Patchwork
From: Patchwork @ 2019-10-29  3:02 UTC (permalink / raw)
  To: Zhixiong Chi; +Cc: openembedded-core

== Series Details ==

Series: binutils: CVE-2019-17450 and CVE-2019-17451
Revision: 1
URL   : https://patchwork.openembedded.org/series/20742/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch            binutils: CVE-2019-17450 and CVE-2019-17451
  Issue            Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
  Suggested fix    Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"

* Issue            A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
  Suggested fix    Sign off the added patch file (meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch)

* Issue            Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
  Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
  Standard format  Upstream-Status: <Valid status>
  Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]

If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe