This patch fix the stack overflow issue for recursive call and the segment fault issue.
Backport the two CVE pathces from the binutils upstream: commit 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 commit 063c511bd79281f33fd33f0964541a73511b9e2b Signed-off-by: Zhixiong Chi <[email protected]> --- .../binutils/binutils-2.32.inc | 2 + .../binutils/binutils/CVE-2019-17450.patch | 107 ++++++++++++++++++ .../binutils/binutils/CVE-2019-17451.patch | 57 ++++++++++ 3 files changed, 166 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc index 19baf8a883..349c3e1154 100644 --- a/meta/recipes-devtools/binutils/binutils-2.32.inc +++ b/meta/recipes-devtools/binutils/binutils-2.32.inc @@ -49,6 +49,8 @@ SRC_URI = "\ file://CVE-2019-12972.patch \ file://CVE-2019-14250.patch \ file://CVE-2019-14444.patch \ + file://CVE-2019-17450.patch \ + file://CVE-2019-17451.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch new file mode 100644 index 0000000000..1068873447 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch @@ -0,0 +1,107 @@ +From 18360106e144b3584fc2f822118021086dc17da3 Mon Sep 17 00:00:00 2001 +From: Alan Modra <[email protected]> +Date: Wed, 9 Oct 2019 00:07:29 +1030 +Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance + + PR 25078 + * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add + recur_count. Error on recur_count reaching 100 rather than + info_ptr matching orig_info_ptr. Adjust calls. + +CVE: CVE-2019-17450 +Upstream-Status: Backport +Signed-off-by: Zhixiong Chi <[email protected]> +--- + bfd/ChangeLog | 7 +++++++ + bfd/dwarf2.c | 35 +++++++++++++++++------------------ + 2 files changed, 24 insertions(+), 18 deletions(-) + +diff --git a/bfd/ChangeLog b/bfd/ChangeLog +index e66fb40a2c..2f568ff9bf 100644 +--- a/bfd/ChangeLog ++++ b/bfd/ChangeLog +@@ -1,3 +1,10 @@ ++2019-10-08 Alan Modra <[email protected]> ++ ++ PR 25078 ++ * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add ++ recur_count. Error on recur_count reaching 100 rather than ++ info_ptr matching orig_info_ptr. Adjust calls. ++ + 2019-06-21 Alan Modra <[email protected]> + + PR 24689 +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0b4e485582..20ec9e2e56 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit, + } + + static bfd_boolean +-find_abstract_instance (struct comp_unit * unit, +- bfd_byte * orig_info_ptr, +- struct attribute * attr_ptr, +- const char ** pname, +- bfd_boolean * is_linkage, +- char ** filename_ptr, +- int * linenumber_ptr) ++find_abstract_instance (struct comp_unit *unit, ++ struct attribute *attr_ptr, ++ unsigned int recur_count, ++ const char **pname, ++ bfd_boolean *is_linkage, ++ char **filename_ptr, ++ int *linenumber_ptr) + { + bfd *abfd = unit->abfd; + bfd_byte *info_ptr; +@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit * unit, + struct attribute attr; + const char *name = NULL; + ++ if (recur_count == 100) ++ { ++ _bfd_error_handler ++ (_("DWARF error: abstract instance recursion detected")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + /* DW_FORM_ref_addr can reference an entry in a different CU. It + is an offset from the .debug_info section, not the current CU. */ + if (attr_ptr->form == DW_FORM_ref_addr) +@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit * unit, + info_ptr, info_ptr_end); + if (info_ptr == NULL) + break; +- /* It doesn't ever make sense for DW_AT_specification to +- refer to the same DIE. Stop simple recursion. */ +- if (info_ptr == orig_info_ptr) +- { +- _bfd_error_handler +- (_("DWARF error: abstract instance recursion detected")); +- bfd_set_error (bfd_error_bad_value); +- return FALSE; +- } + switch (attr.name) + { + case DW_AT_name: +@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit * unit, + } + break; + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, recur_count + 1, + &name, is_linkage, + filename_ptr, linenumber_ptr)) + return FALSE; +@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_abstract_origin: + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, 0, + &func->name, + &func->is_linkage, + &func->file, diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch new file mode 100644 index 0000000000..171aaf3218 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17451.patch @@ -0,0 +1,57 @@ +From 9b88c7910f36fbc957bc365349d6cf43cf000c24 Mon Sep 17 00:00:00 2001 +From: Alan Modra <[email protected]> +Date: Wed, 9 Oct 2019 10:47:13 +1030 +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line + +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 +and ffffd5555453b140 result in a total size of 1. Reading the first +section of course overflows the buffer and tramples on other memory. + + PR 25070 + * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of + total_size calculation. + +CVE: CVE-2019-17451 +Upstream-Status: Backport +Signed-off-by: Zhixiong Chi <[email protected]> +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 11 ++++++++++- + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/bfd/ChangeLog b/bfd/ChangeLog +index 2f568ff9bf..adbcc9bb84 100644 +--- a/bfd/ChangeLog ++++ b/bfd/ChangeLog +@@ -1,3 +1,9 @@ ++2019-10-09 Alan Modra <[email protected]> ++ ++ PR 25070 ++ * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of ++ total_size calculation. ++ + 2019-10-08 Alan Modra <[email protected]> + + PR 25078 +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 20ec9e2e56..9bbf2025cf 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4425,7 +4425,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + for (total_size = 0; + msec; + msec = find_debug_info (debug_bfd, debug_sections, msec)) +- total_size += msec->size; ++ { ++ /* Catch PR25070 testcase overflowing size calculation here. */ ++ if (total_size + msec->size < total_size ++ || total_size + msec->size < msec->size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return FALSE; ++ } ++ total_size += msec->size; ++ } + + stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); + if (stash->info_ptr_memory == NULL) -- 2.17.0 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
