* [zeus][PATCH v3] binutils: fix CVE-2019-17450
@ 2019-10-25 12:22 Trevor Gamblin
  2019-10-25 15:02 ` akuster808
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: Trevor Gamblin @ 2019-10-25 12:22 UTC (permalink / raw)
  To: openembedded-core

Backport upstream fix to zeus.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 .../binutils/binutils-2.32.inc                |  1 +
 .../binutils/binutils/CVE-2019-17450.patch    | 99 +++++++++++++++++++
 2 files changed, 100 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 19baf8a883..1e96cf494d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
      file://CVE-2019-12972.patch \
      file://CVE-2019-14250.patch \
      file://CVE-2019-14444.patch \
+     file://CVE-2019-17450.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
new file mode 100644
index 0000000000..a6ce0b9a8a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
@@ -0,0 +1,99 @@
+From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17450, so backport it to master and zeus.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
+CVE: CVE-2019-17450
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+	PR 25078
+	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+	recur_count.  Error on recur_count reaching 100 rather than
+	info_ptr matching orig_info_ptr.  Adjust calls.
+
+---
+ bfd/dwarf2.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..20ec9e2e56 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
+ }
+ 
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit *   unit,
+-			bfd_byte *           orig_info_ptr,
+-			struct attribute *   attr_ptr,
+-			const char **        pname,
+-			bfd_boolean *        is_linkage,
+-			char **              filename_ptr,
+-			int *                linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++			struct attribute *attr_ptr,
++			unsigned int recur_count,
++			const char **pname,
++			bfd_boolean *is_linkage,
++			char **filename_ptr,
++			int *linenumber_ptr)
+ {
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr;
+@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
+   struct attribute attr;
+   const char *name = NULL;
+ 
++  if (recur_count == 100)
++    {
++      _bfd_error_handler
++	(_("DWARF error: abstract instance recursion detected"));
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+   if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
+-	      /* It doesn't ever make sense for DW_AT_specification to
+-		 refer to the same DIE.  Stop simple recursion.  */
+-	      if (info_ptr == orig_info_ptr)
+-		{
+-		  _bfd_error_handler
+-		    (_("DWARF error: abstract instance recursion detected"));
+-		  bfd_set_error (bfd_error_bad_value);
+-		  return FALSE;
+-		}
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ 					       &name, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, 0,
+ 					       &func->name,
+ 					       &func->is_linkage,
+ 					       &func->file,
+-- 
+2.23.0
+
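Review bot: The new guard `if (recur_count == 100)` in find_abstract_instance holds only because both call sites seed the counter with 0 or `recur_count + 1`; a `>=` comparison against a named limit, `if (recur_count >= ABSTRACT_INSTANCE_RECUR_LIMIT)` with the limit declared as an enum constant, would stay correct if a future caller passes a different starting value and would give the bare 100 a meaning. Because the deleted `info_ptr == orig_info_ptr` test is gone, a DIE whose DW_AT_specification refers back to itself is now rejected only once the depth bound is hit rather than on the first revisit; that is an acceptable bound for corrupt input but deserves a comment at the guard such as `/* Bound recursion through DW_AT_specification chains in corrupt DWARF (PR25078).  */`. The body of find_abstract_instance continues outside the hunks shown, and the same applies to the quoted copies of this patch later in the thread.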
-- 
2.23.0




* Re: [zeus][PATCH v3] binutils: fix CVE-2019-17450
  2019-10-25 12:22 [zeus][PATCH v3] binutils: fix CVE-2019-17450 Trevor Gamblin
@ 2019-10-25 15:02 ` akuster808
  2019-10-25 15:05   ` Trevor Gamblin
  2019-10-25 15:41 ` [zeus][PATCH] binutils: fix CVE-2019-17451 Trevor Gamblin
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: akuster808 @ 2019-10-25 15:02 UTC (permalink / raw)
  To: Trevor Gamblin, openembedded-core



On 10/25/19 5:22 AM, Trevor Gamblin wrote:
> Backport upstream fix to zeus.
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Does this affect Master?

- armin
> ---
>  .../binutils/binutils-2.32.inc                |  1 +
>  .../binutils/binutils/CVE-2019-17450.patch    | 99 +++++++++++++++++++
>  2 files changed, 100 insertions(+)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
> index 19baf8a883..1e96cf494d 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
> @@ -49,6 +49,7 @@ SRC_URI = "\
>       file://CVE-2019-12972.patch \
>       file://CVE-2019-14250.patch \
>       file://CVE-2019-14444.patch \
> +     file://CVE-2019-17450.patch \
>  "
>  S  = "${WORKDIR}/git"
>  
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> new file mode 100644
> index 0000000000..a6ce0b9a8a
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> @@ -0,0 +1,99 @@
> +From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Wed, 9 Oct 2019 00:07:29 +1030
> +Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
> +
> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
> +file. There are newer versions of binutils, but none of them contain the
> +commit fixing CVE-2019-17450, so backport it to master and zeus.
> +
> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
> +CVE: CVE-2019-17450
> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> +
> +	PR 25078
> +	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
> +	recur_count.  Error on recur_count reaching 100 rather than
> +	info_ptr matching orig_info_ptr.  Adjust calls.
> +
> +---
> + bfd/dwarf2.c | 35 +++++++++++++++++------------------
> + 1 file changed, 17 insertions(+), 18 deletions(-)
> +
> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
> +index 0b4e485582..20ec9e2e56 100644
> +--- a/bfd/dwarf2.c
> ++++ b/bfd/dwarf2.c
> +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
> + }
> + 
> + static bfd_boolean
> +-find_abstract_instance (struct comp_unit *   unit,
> +-			bfd_byte *           orig_info_ptr,
> +-			struct attribute *   attr_ptr,
> +-			const char **        pname,
> +-			bfd_boolean *        is_linkage,
> +-			char **              filename_ptr,
> +-			int *                linenumber_ptr)
> ++find_abstract_instance (struct comp_unit *unit,
> ++			struct attribute *attr_ptr,
> ++			unsigned int recur_count,
> ++			const char **pname,
> ++			bfd_boolean *is_linkage,
> ++			char **filename_ptr,
> ++			int *linenumber_ptr)
> + {
> +   bfd *abfd = unit->abfd;
> +   bfd_byte *info_ptr;
> +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
> +   struct attribute attr;
> +   const char *name = NULL;
> + 
> ++  if (recur_count == 100)
> ++    {
> ++      _bfd_error_handler
> ++	(_("DWARF error: abstract instance recursion detected"));
> ++      bfd_set_error (bfd_error_bad_value);
> ++      return FALSE;
> ++    }
> ++
> +   /* DW_FORM_ref_addr can reference an entry in a different CU. It
> +      is an offset from the .debug_info section, not the current CU.  */
> +   if (attr_ptr->form == DW_FORM_ref_addr)
> +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
> + 					 info_ptr, info_ptr_end);
> + 	      if (info_ptr == NULL)
> + 		break;
> +-	      /* It doesn't ever make sense for DW_AT_specification to
> +-		 refer to the same DIE.  Stop simple recursion.  */
> +-	      if (info_ptr == orig_info_ptr)
> +-		{
> +-		  _bfd_error_handler
> +-		    (_("DWARF error: abstract instance recursion detected"));
> +-		  bfd_set_error (bfd_error_bad_value);
> +-		  return FALSE;
> +-		}
> + 	      switch (attr.name)
> + 		{
> + 		case DW_AT_name:
> +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
> + 		    }
> + 		  break;
> + 		case DW_AT_specification:
> +-		  if (!find_abstract_instance (unit, info_ptr, &attr,
> ++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
> + 					       &name, is_linkage,
> + 					       filename_ptr, linenumber_ptr))
> + 		    return FALSE;
> +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
> + 
> + 		case DW_AT_abstract_origin:
> + 		case DW_AT_specification:
> +-		  if (!find_abstract_instance (unit, info_ptr, &attr,
> ++		  if (!find_abstract_instance (unit, &attr, 0,
> + 					       &func->name,
> + 					       &func->is_linkage,
> + 					       &func->file,
> +-- 
> +2.23.0
> +




* Re: [zeus][PATCH v3] binutils: fix CVE-2019-17450
  2019-10-25 15:02 ` akuster808
@ 2019-10-25 15:05   ` Trevor Gamblin
  2019-10-25 16:57     ` Randy MacLeod
  2019-10-25 17:04     ` Khem Raj
  0 siblings, 2 replies; 10+ messages in thread
From: Trevor Gamblin @ 2019-10-25 15:05 UTC (permalink / raw)
  To: akuster808, openembedded-core

On 10/25/19 11:02 AM, akuster808 wrote:

>
> On 10/25/19 5:22 AM, Trevor Gamblin wrote:
>> Backport upstream fix to zeus.
>>
>> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> Does this affect Master?
>
> - armin
>> ---
>>   .../binutils/binutils-2.32.inc                |  1 +
>>   .../binutils/binutils/CVE-2019-17450.patch    | 99 +++++++++++++++++++
>>   2 files changed, 100 insertions(+)
>>   create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>>
>> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
>> index 19baf8a883..1e96cf494d 100644
>> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
>> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
>> @@ -49,6 +49,7 @@ SRC_URI = "\
>>        file://CVE-2019-12972.patch \
>>        file://CVE-2019-14250.patch \
>>        file://CVE-2019-14444.patch \
>> +     file://CVE-2019-17450.patch \
>>   "
>>   S  = "${WORKDIR}/git"
>>   
>> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>> new file mode 100644
>> index 0000000000..a6ce0b9a8a
>> --- /dev/null
>> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
>> @@ -0,0 +1,99 @@
>> +From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
>> +From: Alan Modra <amodra@gmail.com>
>> +Date: Wed, 9 Oct 2019 00:07:29 +1030
>> +Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
>> +
>> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
>> +file. There are newer versions of binutils, but none of them contain the
>> +commit fixing CVE-2019-17450, so backport it to master and zeus.
>> +
>> +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
>> +CVE: CVE-2019-17450
>> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
>> +
>> +	PR 25078
>> +	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
>> +	recur_count.  Error on recur_count reaching 100 rather than
>> +	info_ptr matching orig_info_ptr.  Adjust calls.
>> +
>> +---
>> + bfd/dwarf2.c | 35 +++++++++++++++++------------------
>> + 1 file changed, 17 insertions(+), 18 deletions(-)
>> +
>> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
>> +index 0b4e485582..20ec9e2e56 100644
>> +--- a/bfd/dwarf2.c
>> ++++ b/bfd/dwarf2.c
>> +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
>> + }
>> +
>> + static bfd_boolean
>> +-find_abstract_instance (struct comp_unit *   unit,
>> +-			bfd_byte *           orig_info_ptr,
>> +-			struct attribute *   attr_ptr,
>> +-			const char **        pname,
>> +-			bfd_boolean *        is_linkage,
>> +-			char **              filename_ptr,
>> +-			int *                linenumber_ptr)
>> ++find_abstract_instance (struct comp_unit *unit,
>> ++			struct attribute *attr_ptr,
>> ++			unsigned int recur_count,
>> ++			const char **pname,
>> ++			bfd_boolean *is_linkage,
>> ++			char **filename_ptr,
>> ++			int *linenumber_ptr)
>> + {
>> +   bfd *abfd = unit->abfd;
>> +   bfd_byte *info_ptr;
>> +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *   unit,
>> +   struct attribute attr;
>> +   const char *name = NULL;
>> +
>> ++  if (recur_count == 100)
>> ++    {
>> ++      _bfd_error_handler
>> ++	(_("DWARF error: abstract instance recursion detected"));
>> ++      bfd_set_error (bfd_error_bad_value);
>> ++      return FALSE;
>> ++    }
>> ++
>> +   /* DW_FORM_ref_addr can reference an entry in a different CU. It
>> +      is an offset from the .debug_info section, not the current CU.  */
>> +   if (attr_ptr->form == DW_FORM_ref_addr)
>> +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *   unit,
>> + 					 info_ptr, info_ptr_end);
>> + 	      if (info_ptr == NULL)
>> + 		break;
>> +-	      /* It doesn't ever make sense for DW_AT_specification to
>> +-		 refer to the same DIE.  Stop simple recursion.  */
>> +-	      if (info_ptr == orig_info_ptr)
>> +-		{
>> +-		  _bfd_error_handler
>> +-		    (_("DWARF error: abstract instance recursion detected"));
>> +-		  bfd_set_error (bfd_error_bad_value);
>> +-		  return FALSE;
>> +-		}
>> + 	      switch (attr.name)
>> + 		{
>> + 		case DW_AT_name:
>> +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *   unit,
>> + 		    }
>> + 		  break;
>> + 		case DW_AT_specification:
>> +-		  if (!find_abstract_instance (unit, info_ptr, &attr,
>> ++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
>> + 					       &name, is_linkage,
>> + 					       filename_ptr, linenumber_ptr))
>> + 		    return FALSE;
>> +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
>> +
>> + 		case DW_AT_abstract_origin:
>> + 		case DW_AT_specification:
>> +-		  if (!find_abstract_instance (unit, info_ptr, &attr,
>> ++		  if (!find_abstract_instance (unit, &attr, 0,
>> + 					       &func->name,
>> + 					       &func->is_linkage,
>> + 					       &func->file,
>> +--
>> +2.23.0
>> +
It does, but I'm working on an upgrade of binutils to 2.33 for master, and I'll
apply this (and another CVE patch) on top of that.



* [zeus][PATCH] binutils: fix CVE-2019-17451
  2019-10-25 12:22 [zeus][PATCH v3] binutils: fix CVE-2019-17450 Trevor Gamblin
  2019-10-25 15:02 ` akuster808
@ 2019-10-25 15:41 ` Trevor Gamblin
  2019-10-25 15:48   ` Trevor Gamblin
  2019-10-25 15:49 ` [zeus][PATCH v2] " Trevor Gamblin
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: Trevor Gamblin @ 2019-10-25 15:41 UTC (permalink / raw)
  To: openembedded-core

Backport upstream fix to zeus.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 .../binutils/binutils-2.32.inc                |  1 +
 .../binutils/binutils/CVE-2019-17451.patch    | 51 +++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 1e96cf494d..349c3e1154 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
      file://CVE-2019-14250.patch \
      file://CVE-2019-14444.patch \
      file://CVE-2019-17450.patch \
+     file://CVE-2019-17451.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
new file mode 100644
index 0000000000..1ae50a8ef4
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,51 @@
+From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17450, so backport it to master and zeus.
+
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
+CVE: CVE-2019-17451
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+	PR 25070
+	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+	total_size calculation.
+---
+ bfd/dwarf2.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..a91597b1d0 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+ 	   msec;
+ 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
+-	total_size += msec->size;
++	{
++	  /* Catch PR25070 testcase overflowing size calculation here.  */
++	  if (total_size + msec->size < total_size
++	      || total_size + msec->size < msec->size)
++	    {
++	      bfd_set_error (bfd_error_no_memory);
++	      return FALSE;
++	    }
++	  total_size += msec->size;
++	}
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
+-- 
+2.23.0
+
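Review bot: In the new overflow guard in _bfd_dwarf2_slurp_debug_info, the second clause `total_size + msec->size < msec->size` is redundant if both operands are unsigned, since an unsigned sum that wraps is smaller than either addend, so `if (total_size + msec->size < total_size)` alone expresses the check; the declaration of total_size is not visible in the hunk, so confirm it is unsigned before simplifying. The error chosen, `bfd_set_error (bfd_error_no_memory)`, names the symptom rather than the cause: the sum can only wrap because the section sizes are inconsistent with any real object file, so `bfd_set_error (bfd_error_bad_value)` would classify it as malformed input, as the CVE-2019-17450 patch earlier in this thread does for its recursion error in the same file. The same applies to the identical hunk in the v2 resend of this patch. The enclosing function starts and ends outside the hunk.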
-- 
2.23.0




* Re: [zeus][PATCH] binutils: fix CVE-2019-17451
  2019-10-25 15:41 ` [zeus][PATCH] binutils: fix CVE-2019-17451 Trevor Gamblin
@ 2019-10-25 15:48   ` Trevor Gamblin
  0 siblings, 0 replies; 10+ messages in thread
From: Trevor Gamblin @ 2019-10-25 15:48 UTC (permalink / raw)
  To: openembedded-core

On 10/25/19 11:41 AM, Trevor Gamblin wrote:

> Backport upstream fix to zeus.
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> ---
>   .../binutils/binutils-2.32.inc                |  1 +
>   .../binutils/binutils/CVE-2019-17451.patch    | 51 +++++++++++++++++++
>   2 files changed, 52 insertions(+)
>   create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
> index 1e96cf494d..349c3e1154 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
> @@ -50,6 +50,7 @@ SRC_URI = "\
>        file://CVE-2019-14250.patch \
>        file://CVE-2019-14444.patch \
>        file://CVE-2019-17450.patch \
> +     file://CVE-2019-17451.patch \
>   "
>   S  = "${WORKDIR}/git"
>   
> diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
> new file mode 100644
> index 0000000000..1ae50a8ef4
> --- /dev/null
> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
> @@ -0,0 +1,51 @@
> +From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
> +From: Alan Modra <amodra@gmail.com>
> +Date: Wed, 9 Oct 2019 10:47:13 +1030
> +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
> +
> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
> +file. There are newer versions of binutils, but none of them contain the
> +commit fixing CVE-2019-17450, so backport it to master and zeus.
> +
> +Upstream-Status: Backport
> +[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
> +CVE: CVE-2019-17451
> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> +
> +
> +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
> +and ffffd5555453b140 result in a total size of 1.  Reading the first
> +section of course overflows the buffer and tramples on other memory.
> +
> +	PR 25070
> +	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
> +	total_size calculation.
> +---
> + bfd/dwarf2.c | 11 ++++++++++-
> + 1 file changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
> +index 0b4e485582..a91597b1d0 100644
> +--- a/bfd/dwarf2.c
> ++++ b/bfd/dwarf2.c
> +@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
> +       for (total_size = 0;
> + 	   msec;
> + 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
> +-	total_size += msec->size;
> ++	{
> ++	  /* Catch PR25070 testcase overflowing size calculation here.  */
> ++	  if (total_size + msec->size < total_size
> ++	      || total_size + msec->size < msec->size)
> ++	    {
> ++	      bfd_set_error (bfd_error_no_memory);
> ++	      return FALSE;
> ++	    }
> ++	  total_size += msec->size;
> ++	}
> +
> +       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
> +       if (stash->info_ptr_memory == NULL)
> +--
> +2.23.0
> +
The patch file references the wrong CVE in its description. Sending a v2.



* [zeus][PATCH v2] binutils: fix CVE-2019-17451
  2019-10-25 12:22 [zeus][PATCH v3] binutils: fix CVE-2019-17450 Trevor Gamblin
  2019-10-25 15:02 ` akuster808
  2019-10-25 15:41 ` [zeus][PATCH] binutils: fix CVE-2019-17451 Trevor Gamblin
@ 2019-10-25 15:49 ` Trevor Gamblin
  2019-10-25 16:02 ` ✗ patchtest: failure for binutils: fix CVE-2019-17450 (rev4) Patchwork
  2019-10-25 16:02 ` ✗ patchtest: failure for binutils: fix CVE-2019-17450 (rev5) Patchwork
  4 siblings, 0 replies; 10+ messages in thread
From: Trevor Gamblin @ 2019-10-25 15:49 UTC (permalink / raw)
  To: openembedded-core

Backport upstream fix to zeus.

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
 .../binutils/binutils-2.32.inc                |  1 +
 .../binutils/binutils/CVE-2019-17451.patch    | 51 +++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 1e96cf494d..349c3e1154 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -50,6 +50,7 @@ SRC_URI = "\
      file://CVE-2019-14250.patch \
      file://CVE-2019-14444.patch \
      file://CVE-2019-17450.patch \
+     file://CVE-2019-17451.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
new file mode 100644
index 0000000000..b36a532668
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch
@@ -0,0 +1,51 @@
+From 0192438051a7e781585647d5581a2a6f62fda362 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17451, so backport it to master and zeus.
+
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848]
+CVE: CVE-2019-17451
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+	PR 25070
+	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+	total_size calculation.
+---
+ bfd/dwarf2.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..a91597b1d0 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4426,7 +4426,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+ 	   msec;
+ 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
+-	total_size += msec->size;
++	{
++	  /* Catch PR25070 testcase overflowing size calculation here.  */
++	  if (total_size + msec->size < total_size
++	      || total_size + msec->size < msec->size)
++	    {
++	      bfd_set_error (bfd_error_no_memory);
++	      return FALSE;
++	    }
++	  total_size += msec->size;
++	}
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
+-- 
+2.23.0
+
-- 
2.23.0




* ✗ patchtest: failure for binutils: fix CVE-2019-17450 (rev4)
  2019-10-25 12:22 [zeus][PATCH v3] binutils: fix CVE-2019-17450 Trevor Gamblin
                   ` (2 preceding siblings ...)
  2019-10-25 15:49 ` [zeus][PATCH v2] " Trevor Gamblin
@ 2019-10-25 16:02 ` Patchwork
  2019-10-25 16:02 ` ✗ patchtest: failure for binutils: fix CVE-2019-17450 (rev5) Patchwork
  4 siblings, 0 replies; 10+ messages in thread
From: Patchwork @ 2019-10-25 16:02 UTC (permalink / raw)
  To: Trevor Gamblin; +Cc: openembedded-core

== Series Details ==

Series: binutils: fix CVE-2019-17450 (rev4)
Revision: 4
URL   : https://patchwork.openembedded.org/series/20658/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  zeus (currently at 59938780e7)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* ✗ patchtest: failure for binutils: fix CVE-2019-17450 (rev5)
  2019-10-25 12:22 [zeus][PATCH v3] binutils: fix CVE-2019-17450 Trevor Gamblin
                   ` (3 preceding siblings ...)
  2019-10-25 16:02 ` ✗ patchtest: failure for binutils: fix CVE-2019-17450 (rev4) Patchwork
@ 2019-10-25 16:02 ` Patchwork
  4 siblings, 0 replies; 10+ messages in thread
From: Patchwork @ 2019-10-25 16:02 UTC (permalink / raw)
  To: Trevor Gamblin; +Cc: openembedded-core

== Series Details ==

Series: binutils: fix CVE-2019-17450 (rev5)
Revision: 5
URL   : https://patchwork.openembedded.org/series/20658/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  zeus (currently at 59938780e7)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [zeus][PATCH v3] binutils: fix CVE-2019-17450
  2019-10-25 15:05   ` Trevor Gamblin
@ 2019-10-25 16:57     ` Randy MacLeod
  2019-10-25 17:04     ` Khem Raj
  1 sibling, 0 replies; 10+ messages in thread
From: Randy MacLeod @ 2019-10-25 16:57 UTC (permalink / raw)
  To: Trevor Gamblin, akuster808, openembedded-core, Khem Raj

On 10/25/19 11:05 AM, Trevor Gamblin wrote:
> It does, but I'm working on an upgrade for binutils to 2.33 for master 
> that I'll then apply this (and another CVE patch) on top of.

You should probably send the CVE fix to master so it gets tested there
even if there's an upgrade coming in a few days. It might take a while
for the upgrade to get merged.

Khem has been doing binutils upgrades recently.
CC him in case there needs to be some co-ordination with glibc or
other recipe upgrades.



-- 
# Randy MacLeod
# Wind River Linux



* Re: [zeus][PATCH v3] binutils: fix CVE-2019-17450
  2019-10-25 15:05   ` Trevor Gamblin
  2019-10-25 16:57     ` Randy MacLeod
@ 2019-10-25 17:04     ` Khem Raj
  1 sibling, 0 replies; 10+ messages in thread
From: Khem Raj @ 2019-10-25 17:04 UTC (permalink / raw)
  To: Trevor Gamblin; +Cc: openembedded-core


On Fri, Oct 25, 2019 at 4:05 PM Trevor Gamblin <trevor.gamblin@windriver.com>
wrote:

> On 10/25/19 11:02 AM, akuster808 wrote:
>
> >
> > On 10/25/19 5:22 AM, Trevor Gamblin wrote:
> >> Backport upstream fix to zeus.
> >>
> >> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> > Does this affect Master?
> >
> > - armin
> >> ---
> >>   .../binutils/binutils-2.32.inc                |  1 +
> >>   .../binutils/binutils/CVE-2019-17450.patch    | 99 +++++++++++++++++++
> >>   2 files changed, 100 insertions(+)
> >>   create mode 100644
> meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> >>
> >> diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc
> b/meta/recipes-devtools/binutils/binutils-2.32.inc
> >> index 19baf8a883..1e96cf494d 100644
> >> --- a/meta/recipes-devtools/binutils/binutils-2.32.inc
> >> +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
> >> @@ -49,6 +49,7 @@ SRC_URI = "\
> >>        file://CVE-2019-12972.patch \
> >>        file://CVE-2019-14250.patch \
> >>        file://CVE-2019-14444.patch \
> >> +     file://CVE-2019-17450.patch \
> >>   "
> >>   S  = "${WORKDIR}/git"
> >>
> >> diff --git
> a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> >> new file mode 100644
> >> index 0000000000..a6ce0b9a8a
> >> --- /dev/null
> >> +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
> >> @@ -0,0 +1,99 @@
> >> +From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
> >> +From: Alan Modra <amodra@gmail.com>
> >> +Date: Wed, 9 Oct 2019 00:07:29 +1030
> >> +Subject: [PATCH] PR25078, stack overflow in function
> find_abstract_instance
> >> +
> >> +Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
> >> +file. There are newer versions of binutils, but none of them contain
> the
> >> +commit fixing CVE-2019-17450, so backport it to master and zeus.
> >> +
> >> +Upstream-Status: Backport [
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
> >> +CVE: CVE-2019-17450
> >> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> >> +
> >> +    PR 25078
> >> +    * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
> >> +    recur_count.  Error on recur_count reaching 100 rather than
> >> +    info_ptr matching orig_info_ptr.  Adjust calls.
> >> +
> >> +---
> >> + bfd/dwarf2.c | 35 +++++++++++++++++------------------
> >> + 1 file changed, 17 insertions(+), 18 deletions(-)
> >> +
> >> +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
> >> +index 0b4e485582..20ec9e2e56 100644
> >> +--- a/bfd/dwarf2.c
> >> ++++ b/bfd/dwarf2.c
> >> +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct
> comp_unit *unit,
> >> + }
> >> +
> >> + static bfd_boolean
> >> +-find_abstract_instance (struct comp_unit *   unit,
> >> +-                   bfd_byte *           orig_info_ptr,
> >> +-                   struct attribute *   attr_ptr,
> >> +-                   const char **        pname,
> >> +-                   bfd_boolean *        is_linkage,
> >> +-                   char **              filename_ptr,
> >> +-                   int *                linenumber_ptr)
> >> ++find_abstract_instance (struct comp_unit *unit,
> >> ++                   struct attribute *attr_ptr,
> >> ++                   unsigned int recur_count,
> >> ++                   const char **pname,
> >> ++                   bfd_boolean *is_linkage,
> >> ++                   char **filename_ptr,
> >> ++                   int *linenumber_ptr)
> >> + {
> >> +   bfd *abfd = unit->abfd;
> >> +   bfd_byte *info_ptr;
> >> +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit *
>  unit,
> >> +   struct attribute attr;
> >> +   const char *name = NULL;
> >> +
> >> ++  if (recur_count == 100)
> >> ++    {
> >> ++      _bfd_error_handler
> >> ++   (_("DWARF error: abstract instance recursion detected"));
> >> ++      bfd_set_error (bfd_error_bad_value);
> >> ++      return FALSE;
> >> ++    }
> >> ++
> >> +   /* DW_FORM_ref_addr can reference an entry in a different CU. It
> >> +      is an offset from the .debug_info section, not the current CU.
> */
> >> +   if (attr_ptr->form == DW_FORM_ref_addr)
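Review bot: The new guard at the top of find_abstract_instance only fires when recur_count is exactly 100; `if (recur_count >= 100)` keeps the bound intact even if a later caller starts from a nonzero count or the increment in the DW_AT_specification branch is ever changed, at no cost. The limit is also a bare magic number with nothing in the hunk saying what it protects against; a named constant such as `#define MAX_ABSTRACT_INSTANCE_RECURSION 100` used in the check, or at least a comment on it, `/* Bound DW_AT_specification chains: malformed DWARF can otherwise recurse until the stack is exhausted (PR25078).  */`, would make the intent clear to the next reader. The recur_count parameter added in the signature hunk above is likewise undocumented, and a one-line note there that it is the current nesting depth starting at 0 would help callers. The rest of find_abstract_instance, including the DW_FORM_ref_addr handling that follows, lies outside this hunk.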
> >> +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit *
>  unit,
> >> +                                     info_ptr, info_ptr_end);
> >> +          if (info_ptr == NULL)
> >> +            break;
> >> +-         /* It doesn't ever make sense for DW_AT_specification to
> >> +-            refer to the same DIE.  Stop simple recursion.  */
> >> +-         if (info_ptr == orig_info_ptr)
> >> +-           {
> >> +-             _bfd_error_handler
> >> +-               (_("DWARF error: abstract instance recursion
> detected"));
> >> +-             bfd_set_error (bfd_error_bad_value);
> >> +-             return FALSE;
> >> +-           }
> >> +          switch (attr.name)
> >> +            {
> >> +            case DW_AT_name:
> >> +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit *
>  unit,
> >> +                }
> >> +              break;
> >> +            case DW_AT_specification:
> >> +-             if (!find_abstract_instance (unit, info_ptr, &attr,
> >> ++             if (!find_abstract_instance (unit, &attr, recur_count +
> 1,
> >> +                                           &name, is_linkage,
> >> +                                           filename_ptr,
> linenumber_ptr))
> >> +                return FALSE;
> >> +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
> >> +
> >> +            case DW_AT_abstract_origin:
> >> +            case DW_AT_specification:
> >> +-             if (!find_abstract_instance (unit, info_ptr, &attr,
> >> ++             if (!find_abstract_instance (unit, &attr, 0,
> >> +                                           &func->name,
> >> +                                           &func->is_linkage,
> >> +                                           &func->file,
> >> +--
> >> +2.23.0
> >> +
> It does, but I'm working on an upgrade for binutils to 2.33 for master
> that I'll then apply this (and another CVE patch) on top of.


Then sequence it first, so that it can be backported to zeus straightforwardly;
after that you can do the 2.33 upgrade.

>

