binutils: CVE-2017-9752

Source: binutils-gdb.git MR: 73971 Type: Security Fix Disposition: Backport from binutils-2_29 ChangeID: fe0e1d0f234ed157135818c24f4270c34e093828 Description: Fix potential address violations when processing a corrupt Alpha VMA binary. PR binutils/21589 * vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the maximum value for the ascic pointer. Check that name processing does not read beyond this value. (_bfd_vms_slurp_etir): Add checks for attempts to read beyond the end of etir record. Affects: <= 2.28 Author: Nick Clifton <nickc@redhat.com> (From OE-Core rev: ea89dfe868085b463dfc24df78b49d1703989484) Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com> Reviewed-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-05-02 18:32:15 +02:00 · 2017-09-21 19:24:44 +05:30
parent d2b21b2a14
commit 3daf8af948
2 changed files with 205 additions and 0 deletions
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -84,6 +84,7 @@ SRC_URI = "\
     file://CVE-2017-9748.patch \
     file://CVE-2017-9747.patch \
     file://CVE-2017-9750.patch \
+     file://CVE-2017-9752.patch \
 "
 S  = "${WORKDIR}/git"

--- a/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
@@ -0,0 +1,204 @@
+commit c53d2e6d744da000aaafe0237bced090aab62818
+Author: Nick Clifton <nickc@redhat.com>
+Date:   Wed Jun 14 11:27:15 2017 +0100
+
+    Fix potential address violations when processing a corrupt Alpha VMA binary.
+    
+    	PR binutils/21589
+    	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+    	maximum value for the ascic pointer.  Check that name processing
+    	does not read beyond this value.
+    	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+    	end of etir record.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9752
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/bfd/vms-alpha.c
+===================================================================
+--- git.orig/bfd/vms-alpha.c	2017-09-21 15:00:19.117805347 +0530
+++ git/bfd/vms-alpha.c	2017-09-21 15:00:20.673815960 +0530
+@@ -1507,7 +1507,7 @@
+ /* Write multiple bytes to section image.  */
+ 
+ static bfd_boolean
+-image_write (bfd *abfd, unsigned char *ptr, int size)
+image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
+ {
+ #if VMS_DEBUG
+   _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
+@@ -1654,14 +1654,16 @@
+ #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
+ 
+ static void
+-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
+_bfd_vms_get_value (bfd *abfd,
+		    const unsigned char *ascic,
+		    const unsigned char *max_ascic,
+                     struct bfd_link_info *info,
+                     bfd_vma *vma,
+                     struct alpha_vms_link_hash_entry **hp)
+ {
+   char name[257];
+-  int len;
+-  int i;
+  unsigned int len;
+  unsigned int i;
+   struct alpha_vms_link_hash_entry *h;
+ 
+   /* Not linking.  Do not try to resolve the symbol.  */
+@@ -1673,6 +1675,14 @@
+     }
+ 
+   len = *ascic;
+  if (ascic + len >= max_ascic)
+    {
+      _bfd_error_handler (_("Corrupt vms value"));
+      *vma = 0;
+      *hp = NULL;
+      return;
+    }
+
+   for (i = 0; i < len; i++)
+     name[i] = ascic[i + 1];
+   name[i] = 0;
+@@ -1797,6 +1807,15 @@
+       _bfd_hexdump (8, ptr, cmd_length - 4, 0);
+ #endif
+ 
+      /* PR 21589: Check for a corrupt ETIR record.  */
+      if (cmd_length < 4)
+	{
+	corrupt_etir:
+	  _bfd_error_handler (_("Corrupt ETIR record encountered"));
+	  bfd_set_error (bfd_error_bad_value);
+	  return FALSE;
+	}
+
+       switch (cmd)
+         {
+           /* Stack global
+@@ -1804,7 +1823,7 @@
+ 
+              stack 32 bit value of symbol (high bits set to 0).  */
+         case ETIR__C_STA_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
+           break;
+ 
+@@ -1813,6 +1832,8 @@
+ 
+              stack 32 bit value, sign extend to 64 bit.  */
+         case ETIR__C_STA_LW:
+	  if (ptr + 4 >= maxptr)
+	    goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1821,6 +1842,8 @@
+ 
+              stack 64 bit value of symbol.  */
+         case ETIR__C_STA_QW:
+	  if (ptr + 8 >= maxptr)
+	    goto corrupt_etir;
+           _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
+           break;
+ 
+@@ -1834,6 +1857,8 @@
+           {
+             int psect;
+ 
+	    if (ptr + 12 >= maxptr)
+	      goto corrupt_etir;
+             psect = bfd_getl32 (ptr);
+             if ((unsigned int) psect >= PRIV (section_count))
+               {
+@@ -1923,6 +1948,8 @@
+           {
+             int size;
+ 
+	    if (ptr + 4 >= maxptr)
+	      goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             _bfd_vms_pop (abfd, &op1, &rel1);
+             if (rel1 != RELC_NONE)
+@@ -1935,7 +1962,7 @@
+           /* Store global: write symbol value
+              arg: cs	global symbol name.  */
+         case ETIR__C_STO_GBL:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -1957,7 +1984,7 @@
+           /* Store code address: write address of entry point
+              arg: cs	global symbol name (procedure).  */
+         case ETIR__C_STO_CA:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->flags & EGSY__V_NORM)
+@@ -2002,8 +2029,10 @@
+              da	data.  */
+         case ETIR__C_STO_IMM:
+           {
+-            int size;
+            unsigned int size;
+ 
+	    if (ptr + 4 >= maxptr)
+	      goto corrupt_etir;
+             size = bfd_getl32 (ptr);
+             image_write (abfd, ptr + 4, size);
+           }
+@@ -2016,7 +2045,7 @@
+              store global longword: store 32bit value of symbol
+              arg: cs	symbol name.  */
+         case ETIR__C_STO_GBL_LW:
+-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
+ #if 0
+           abort ();
+ #endif
+@@ -2069,7 +2098,7 @@
+              da	signature.  */
+ 
+         case ETIR__C_STC_LP_PSB:
+-          _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
+           if (h && h->sym)
+             {
+               if (h->sym->typ == EGSD__C_SYMG)
+@@ -2165,6 +2194,8 @@
+           /* Augment relocation base: increment image location counter by offset
+              arg: lw	offset value.  */
+         case ETIR__C_CTL_AUGRB:
+	  if (ptr + 4 >= maxptr)
+	    goto corrupt_etir;
+           op1 = bfd_getl32 (ptr);
+           image_inc_ptr (abfd, op1);
+           break;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog	2017-09-21 15:04:44.000000000 +0530
+++ git/bfd/ChangeLog	2017-09-21 15:07:58.268949291 +0530
+@@ -81,6 +81,15 @@
+        PR binutils/21581
+        (ieee_archive_p): Likewise.
+ 
+2017-06-14  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/21589
+	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+	maximum value for the ascic pointer.  Check that name processing
+	does not read beyond this value.
+	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+	end of etir record.
+
+ 2017-04-29  Alan Modra  <amodra@gmail.com>
+ 
+        PR 21432