Change-Id: I50d75f0cf99b16bf19a162b9351e24ae6cd2b9ba
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4044
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,139 @@ |
0 |
+From 1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Alan Modra <amodra@gmail.com> |
|
2 |
+Date: Mon, 25 Sep 2017 20:20:38 +0930 |
|
3 |
+Subject: [PATCH] PR22202, buffer overflow in parse_die |
|
4 |
+ |
|
5 |
+There was a complete lack of sanity checking in dwarf1.c |
|
6 |
+ |
|
7 |
+ PR 22202 |
|
8 |
+ * dwarf1.c (parse_die): Sanity check pointer against section limit |
|
9 |
+ before dereferencing. |
|
10 |
+ (parse_line_table): Likewise. |
|
11 |
+--- |
|
12 |
+ bfd/dwarf1.c | 56 ++++++++++++++++++++++++++++++++++++++------------------ |
|
13 |
+ 1 file changed, 38 insertions(+), 18 deletions(-) |
|
14 |
+ |
|
15 |
+diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c |
|
16 |
+index 37d0e82..2d641a7 100644 |
|
17 |
+--- a/bfd/dwarf1.c |
|
18 |
+@@ -189,11 +189,14 @@ parse_die (bfd * abfd, |
|
19 |
+ memset (aDieInfo, 0, sizeof (* aDieInfo)); |
|
20 |
+ |
|
21 |
+ /* First comes the length. */ |
|
22 |
+- aDieInfo->length = bfd_get_32 (abfd, (bfd_byte *) xptr); |
|
23 |
++ if (xptr + 4 > aDiePtrEnd) |
|
24 |
++ return FALSE; |
|
25 |
++ aDieInfo->length = bfd_get_32 (abfd, xptr); |
|
26 |
+ xptr += 4; |
|
27 |
+ if (aDieInfo->length == 0 |
|
28 |
+- || (this_die + aDieInfo->length) >= aDiePtrEnd) |
|
29 |
++ || this_die + aDieInfo->length > aDiePtrEnd) |
|
30 |
+ return FALSE; |
|
31 |
++ aDiePtrEnd = this_die + aDieInfo->length; |
|
32 |
+ if (aDieInfo->length < 6) |
|
33 |
+ { |
|
34 |
+ /* Just padding bytes. */ |
|
35 |
+@@ -202,18 +205,20 @@ parse_die (bfd * abfd, |
|
36 |
+ } |
|
37 |
+ |
|
38 |
+ /* Then the tag. */ |
|
39 |
+- aDieInfo->tag = bfd_get_16 (abfd, (bfd_byte *) xptr); |
|
40 |
++ if (xptr + 2 > aDiePtrEnd) |
|
41 |
++ return FALSE; |
|
42 |
++ aDieInfo->tag = bfd_get_16 (abfd, xptr); |
|
43 |
+ xptr += 2; |
|
44 |
+ |
|
45 |
+ /* Then the attributes. */ |
|
46 |
+- while (xptr < (this_die + aDieInfo->length)) |
|
47 |
++ while (xptr + 2 <= aDiePtrEnd) |
|
48 |
+ { |
|
49 |
+ unsigned short attr; |
|
50 |
+ |
|
51 |
+ /* Parse the attribute based on its form. This section |
|
52 |
+ must handle all dwarf1 forms, but need only handle the |
|
53 |
+ actual attributes that we care about. */ |
|
54 |
+- attr = bfd_get_16 (abfd, (bfd_byte *) xptr); |
|
55 |
++ attr = bfd_get_16 (abfd, xptr); |
|
56 |
+ xptr += 2; |
|
57 |
+ |
|
58 |
+ switch (FORM_FROM_ATTR (attr)) |
|
59 |
+@@ -223,12 +228,15 @@ parse_die (bfd * abfd, |
|
60 |
+ break; |
|
61 |
+ case FORM_DATA4: |
|
62 |
+ case FORM_REF: |
|
63 |
+- if (attr == AT_sibling) |
|
64 |
+- aDieInfo->sibling = bfd_get_32 (abfd, (bfd_byte *) xptr); |
|
65 |
+- else if (attr == AT_stmt_list) |
|
66 |
++ if (xptr + 4 <= aDiePtrEnd) |
|
67 |
+ { |
|
68 |
+- aDieInfo->stmt_list_offset = bfd_get_32 (abfd, (bfd_byte *) xptr); |
|
69 |
+- aDieInfo->has_stmt_list = 1; |
|
70 |
++ if (attr == AT_sibling) |
|
71 |
++ aDieInfo->sibling = bfd_get_32 (abfd, xptr); |
|
72 |
++ else if (attr == AT_stmt_list) |
|
73 |
++ { |
|
74 |
++ aDieInfo->stmt_list_offset = bfd_get_32 (abfd, xptr); |
|
75 |
++ aDieInfo->has_stmt_list = 1; |
|
76 |
++ } |
|
77 |
+ } |
|
78 |
+ xptr += 4; |
|
79 |
+ break; |
|
80 |
+@@ -236,22 +244,29 @@ parse_die (bfd * abfd, |
|
81 |
+ xptr += 8; |
|
82 |
+ break; |
|
83 |
+ case FORM_ADDR: |
|
84 |
+- if (attr == AT_low_pc) |
|
85 |
+- aDieInfo->low_pc = bfd_get_32 (abfd, (bfd_byte *) xptr); |
|
86 |
+- else if (attr == AT_high_pc) |
|
87 |
+- aDieInfo->high_pc = bfd_get_32 (abfd, (bfd_byte *) xptr); |
|
88 |
++ if (xptr + 4 <= aDiePtrEnd) |
|
89 |
++ { |
|
90 |
++ if (attr == AT_low_pc) |
|
91 |
++ aDieInfo->low_pc = bfd_get_32 (abfd, xptr); |
|
92 |
++ else if (attr == AT_high_pc) |
|
93 |
++ aDieInfo->high_pc = bfd_get_32 (abfd, xptr); |
|
94 |
++ } |
|
95 |
+ xptr += 4; |
|
96 |
+ break; |
|
97 |
+ case FORM_BLOCK2: |
|
98 |
+- xptr += 2 + bfd_get_16 (abfd, (bfd_byte *) xptr); |
|
99 |
++ if (xptr + 2 <= aDiePtrEnd) |
|
100 |
++ xptr += bfd_get_16 (abfd, xptr); |
|
101 |
++ xptr += 2; |
|
102 |
+ break; |
|
103 |
+ case FORM_BLOCK4: |
|
104 |
+- xptr += 4 + bfd_get_32 (abfd, (bfd_byte *) xptr); |
|
105 |
++ if (xptr + 4 <= aDiePtrEnd) |
|
106 |
++ xptr += bfd_get_32 (abfd, xptr); |
|
107 |
++ xptr += 4; |
|
108 |
+ break; |
|
109 |
+ case FORM_STRING: |
|
110 |
+ if (attr == AT_name) |
|
111 |
+ aDieInfo->name = (char *) xptr; |
|
112 |
+- xptr += strlen ((char *) xptr) + 1; |
|
113 |
++ xptr += strnlen ((char *) xptr, aDiePtrEnd - xptr) + 1; |
|
114 |
+ break; |
|
115 |
+ } |
|
116 |
+ } |
|
117 |
+@@ -290,7 +305,7 @@ parse_line_table (struct dwarf1_debug* stash, struct dwarf1_unit* aUnit) |
|
118 |
+ } |
|
119 |
+ |
|
120 |
+ xptr = stash->line_section + aUnit->stmt_list_offset; |
|
121 |
+- if (xptr < stash->line_section_end) |
|
122 |
++ if (xptr + 8 <= stash->line_section_end) |
|
123 |
+ { |
|
124 |
+ unsigned long eachLine; |
|
125 |
+ bfd_byte *tblend; |
|
126 |
+@@ -318,6 +333,11 @@ parse_line_table (struct dwarf1_debug* stash, struct dwarf1_unit* aUnit) |
|
127 |
+ |
|
128 |
+ for (eachLine = 0; eachLine < aUnit->line_count; eachLine++) |
|
129 |
+ { |
|
130 |
++ if (xptr + 10 > stash->line_section_end) |
|
131 |
++ { |
|
132 |
++ aUnit->line_count = eachLine; |
|
133 |
++ break; |
|
134 |
++ } |
|
135 |
+ /* A line number. */ |
|
136 |
+ aUnit->linenumber_table[eachLine].linenumber |
|
137 |
+ = bfd_get_32 (stash->abfd, (bfd_byte *) xptr); |
... | ... |
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: Contains a linker, an assembler, and other tools |
2 | 2 |
Name: binutils |
3 | 3 |
Version: 2.29.1 |
4 |
-Release: 1%{?dist} |
|
4 |
+Release: 2%{?dist} |
|
5 | 5 |
License: GPLv2+ |
6 | 6 |
URL: http://www.gnu.org/software/binutils |
7 | 7 |
Group: System Environment/Base |
... | ... |
@@ -10,6 +10,7 @@ Distribution: Photon |
10 | 10 |
Source0: http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz |
11 | 11 |
%define sha1 binutils=172244a349d07ec205c39c0321cbc354c125e78e |
12 | 12 |
Patch0: binutils-2.29.1-CVE-2017-14729.patch |
13 |
+Patch1: binutils-2.29.1-CVE-2017-15020.patch |
|
13 | 14 |
%description |
14 | 15 |
The Binutils package contains a linker, an assembler, |
15 | 16 |
and other tools for handling object files. |
... | ... |
@@ -22,6 +23,7 @@ for handling compiled objects. |
22 | 22 |
%prep |
23 | 23 |
%setup -q |
24 | 24 |
%patch0 -p1 |
25 |
+%patch1 -p1 |
|
25 | 26 |
%build |
26 | 27 |
install -vdm 755 ../binutils-build |
27 | 28 |
cd ../binutils-build |
... | ... |
@@ -190,6 +192,8 @@ make %{?_smp_mflags} check |
190 | 190 |
%{_libdir}/libopcodes.so |
191 | 191 |
|
192 | 192 |
%changelog |
193 |
+* Thu Oct 12 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-2 |
|
194 |
+- Add patch to fix CVE-2017-15020 |
|
193 | 195 |
* Mon Oct 2 2017 Anish Swaminathan <anishs@vmware.com> 2.29.1-1 |
194 | 196 |
- Version update to 2.29.1, fix CVEs CVE-2017-12799, CVE-2017-14729,CVE-2017-14745 |
195 | 197 |
* Fri Aug 11 2017 Anish Swaminathan <anishs@vmware.com> 2.29-3 |