

Add patches for bintuils CVE-2017-12448 to -12459
Change-Id: Id5437a2991cef8f57c9781b05fcd2e0585dc504b
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3503
Tested-by: gerrit-photon <[email protected]>
Reviewed-by: Sharath George
suezzelur authored and Sharath George committed Aug 17, 2017
1 parent 9a91484 commit 434f5cc
Showing 7 changed files with 907 additions and 1 deletion.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -8,3 +8,4 @@ stage
discus-cache/
output-*/
tools/bin/
common/data/pkg_info.json
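--- a/SPECS/binutils/CVE-2017-12448.patch
+++ b/SPECS/binutils/CVE-2017-12448.patch
@@ -0,0 +1,20 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Farchive.c;h=885bf489c024a7a24444bb82740987dd20aff184;hp=f209babe149f3f5b302da64f593e039c9c79ea8c;hb=909e4e716c4d77e33357bbe9bc902bfaf2e1af24;hpb=62a5222fdab2acdc129b7c7d3713e7f349e26029
+
+diff --git a/bfd/archive.c b/bfd/archive.c
+index f209bab..885bf48 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -834,7 +834,12 @@ bfd_generic_archive_p (bfd *abfd)
+if (strncmp (armag, ARMAG, SARMAG) != 0
+&& strncmp (armag, ARMAGB, SARMAG) != 0
+&& ! bfd_is_thin_archive (abfd))
+- return NULL;
++ {
++ bfd_set_error (bfd_error_wrong_format);
++ if (abfd->format == bfd_archive)
++ abfd->format = bfd_unknown;
++ return NULL;
++ }
+
+tdata_hold = bfd_ardata (abfd);
+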
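Review bot: This patch file carries no provenance header — only the X-Git-Url line at the top — so nothing in the spec ties it to the upstream commit or bug report beyond the hash buried in the URL (hb=909e4e716c4d…), and a later rebase has no commit message to compare the hunk against. The other patches in this commit keep the `From:`/`Subject:`/`PR` header that `git format-patch` produces; I would add a one-line lead-in before the `diff --git` line, e.g. `Backport of binutils-gdb 909e4e716c4d (bfd_generic_archive_p: report bfd_error_wrong_format and reset abfd->format on a bad magic) for CVE-2017-12448.`. The code change itself reads correctly: the early `return NULL` on a bad magic now also sets the error and clears a stale bfd_archive format. bfd_generic_archive_p starts and ends outside the hunk.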
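--- a/SPECS/binutils/CVE-2017-12449_12455_12457_12458_12459.patch
+++ b/SPECS/binutils/CVE-2017-12449_12455_12457_12458_12459.patch
@@ -0,0 +1,233 @@
+From 8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc Mon Sep 17 00:00:00 2001
+From: Nick Clifton <[email protected]>
+Date: Thu, 27 Jul 2017 12:04:50 +0100
+Subject: [PATCH 1/1] Fix address violation issues encountered when parsing
+corrupt binaries.
+
+PR 21840
+* mach-o.c (bfd_mach_o_read_symtab_strtab): Fail if the symtab
+size is -1.
+* nlmcode.h (nlm_swap_auxiliary_headers_in): Replace assertion
+with error return.
+* section.c (bfd_make_section_with_flags): Fail if the name or bfd
+are NULL.
+* vms-alpha.c (bfd_make_section_with_flags): Correct computation
+of end pointer.
+(evax_bfd_print_emh): Check for invalid string lengths.
+---
+bfd/mach-o.c | 3 ++
+bfd/nlmcode.h | 4 ++-
+bfd/section.c | 2 +-
+bfd/vms-alpha.c | 91 ++++++++++++++++++++++++++++++++++++---------------------
+bfd/vms-misc.c | 8 ++---
+6 files changed, 82 insertions(+), 39 deletions(-)
+
+diff --git a/bfd/mach-o.c b/bfd/mach-o.c
+index 1807391..9fe6326 100644
+--- a/bfd/mach-o.c
++++ b/bfd/mach-o.c
+@@ -3749,6 +3749,9 @@ bfd_mach_o_read_symtab_strtab (bfd *abfd)
+}
+else
+{
++ /* See PR 21840 for a reproducer. */
++ if ((sym->strsize + 1) == 0)
++ return FALSE;
+sym->strtab = bfd_alloc (abfd, sym->strsize + 1);
+if (sym->strtab == NULL)
+return FALSE;
+diff --git a/bfd/nlmcode.h b/bfd/nlmcode.h
+index 6d6aed0..350c83e 100644
+--- a/bfd/nlmcode.h
++++ b/bfd/nlmcode.h
+@@ -351,7 +351,9 @@ nlm_swap_auxiliary_headers_in (bfd *abfd)
+bfd_byte *contents;
+bfd_byte *p, *pend;
+
+- BFD_ASSERT (hdrLength == 0 && hdr == NULL);
++ /* See PR 21840 for a reproducer. */
++ if (hdrLength != 0 || hdr != NULL)
++ return FALSE;
+
+pos = bfd_tell (abfd);
+if (bfd_seek (abfd, dataOffset, SEEK_SET) != 0)
+diff --git a/bfd/section.c b/bfd/section.c
+index 28eee7f..811d42a 100644
+--- a/bfd/section.c
++++ b/bfd/section.c
+@@ -1240,7 +1240,7 @@ bfd_make_section_with_flags (bfd *abfd, const char *name,
+struct section_hash_entry *sh;
+asection *newsect;
+
+- if (abfd->output_has_begun)
++ if (abfd == NULL || name == NULL || abfd->output_has_begun)
+{
+bfd_set_error (bfd_error_invalid_operation);
+return NULL;
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 610b034..5595b61 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -903,7 +903,7 @@ _bfd_vms_slurp_ehdr (bfd *abfd)
+
+vms_rec = PRIV (recrd.rec);
+/* PR 17512: file: 62736583. */
+- end = vms_rec + PRIV (recrd.buf_size);
++ end = PRIV (recrd.buf) + PRIV (recrd.buf_size);
+
+vms_debug2 ((2, "HDR/EMH\n"));
+
+@@ -5737,8 +5737,9 @@ evax_bfd_print_emh (FILE *file, unsigned char *rec, unsigned int rec_len)
+{
+struct vms_emh_common *emh = (struct vms_emh_common *)rec;
+unsigned int subtype;
++ int extra;
+
+- subtype = (unsigned)bfd_getl16 (emh->subtyp);
++ subtype = (unsigned) bfd_getl16 (emh->subtyp);
+
+/* xgettext:c-format */
+fprintf (file, _(" EMH %u (len=%u): "), subtype, rec_len);
+@@ -5749,58 +5750,82 @@ evax_bfd_print_emh (FILE *file, unsigned char *rec, unsigned int rec_len)
+fprintf (file, _(" Error: The length is less than the length of an EMH record\n"));
+return;
+}
+-
++ extra = rec_len - sizeof (struct vms_emh_common);
++
+switch (subtype)
+{
+case EMH__C_MHD:
+{
+- struct vms_emh_mhd *mhd = (struct vms_emh_mhd *)rec;
+- const char *name;
++ struct vms_emh_mhd *mhd = (struct vms_emh_mhd *) rec;
++ const char * name;
++ const char * nextname;
++ const char * maxname;
+
++ /* PR 21840: Check for invalid lengths. */
++ if (rec_len < sizeof (* mhd))
++ {
++ fprintf (file, _(" Error: The record length is less than the size of an EMH_MHD record\n"));
++ return;
++ }
+fprintf (file, _("Module header\n"));
+fprintf (file, _(" structure level: %u\n"), mhd->strlvl);
+fprintf (file, _(" max record size: %u\n"),
+- (unsigned)bfd_getl32 (mhd->recsiz));
++ (unsigned) bfd_getl32 (mhd->recsiz));
+name = (char *)(mhd + 1);
++ maxname = (char *) rec + rec_len;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module name is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module name is too long\n"));
++ return;
++ }
+fprintf (file, _(" module name : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
++ name = nextname;
++ if (name > maxname - 2)
++ {
++ fprintf (file, _(" Error: The module version is missing\n"));
++ return;
++ }
++ nextname = name + name[0] + 1;
++ if (nextname >= maxname)
++ {
++ fprintf (file, _(" Error: The module version is too long\n"));
++ return;
++ }
+fprintf (file, _(" module version : %.*s\n"), name[0], name + 1);
+- name += name[0] + 1;
+- fprintf (file, _(" compile date : %.17s\n"), name);
++ name = nextname;
++ if ((maxname - name) < 17 && maxname[-1] != 0)
++ fprintf (file, _(" Error: The compile date is truncated\n"));
++ else
++ fprintf (file, _(" compile date : %.17s\n"), name);
+}
+break;
++
+case EMH__C_LNM:
+- {
+- fprintf (file, _("Language Processor Name\n"));
+- fprintf (file, _(" language name: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Language Processor Name\n"));
++ fprintf (file, _(" language name: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_SRC:
+- {
+- fprintf (file, _("Source Files Header\n"));
+- fprintf (file, _(" file: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Source Files Header\n"));
++ fprintf (file, _(" file: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_TTL:
+- {
+- fprintf (file, _("Title Text Header\n"));
+- fprintf (file, _(" title: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Title Text Header\n"));
++ fprintf (file, _(" title: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+case EMH__C_CPR:
+- {
+- fprintf (file, _("Copyright Header\n"));
+- fprintf (file, _(" copyright: %.*s\n"),
+- (int)(rec_len - sizeof (struct vms_emh_common)),
+- (char *)rec + sizeof (struct vms_emh_common));
+- }
++ fprintf (file, _("Copyright Header\n"));
++ fprintf (file, _(" copyright: %.*s\n"), extra, (char *)(emh + 1));
+break;
++
+default:
+fprintf (file, _("unhandled emh subtype %u\n"), subtype);
+break;
+diff --git a/bfd/vms-misc.c b/bfd/vms-misc.c
+index 7497f02..91e2ec7 100644
+--- a/bfd/vms-misc.c
++++ b/bfd/vms-misc.c
+@@ -135,8 +135,8 @@ _bfd_hexdump (int level, unsigned char *ptr, int size, int offset)
+#endif
+
+
+-/* Copy sized string (string with fixed size) to new allocated area
+- size is string size (size of record) */
++/* Copy sized string (string with fixed size) to new allocated area.
++ Size is string size (size of record). */
+
+char *
+_bfd_vms_save_sized_string (unsigned char *str, unsigned int size)
+@@ -151,8 +151,8 @@ _bfd_vms_save_sized_string (unsigned char *str, unsigned int size)
+return newstr;
+}
+
+-/* Copy counted string (string with size at first byte) to new allocated area
+- ptr points to size byte on entry */
++/* Copy counted string (string with size at first byte) to new allocated area.
++ PTR points to size byte on entry. */
+
+char *
+_bfd_vms_save_counted_string (unsigned char *ptr, unsigned int maxlen)
+--
+2.9.3
+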
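Review bot: In the EMH__C_MHD branch of evax_bfd_print_emh, the new bounds arithmetic `nextname = name + name[0] + 1;` (written twice, for the module name and again for the version) reads the length byte through `const char *` even though `rec` arrives as `unsigned char *`, so on targets where `char` is signed a length byte of 0x80 or above is negative: nextname then lands before `name`, passes the `nextname >= maxname` check, and the same negative value reaches `%.*s` as its precision, which printf treats as "no precision", so the print is no longer bounded by rec_len. Reading the byte as unsigned, `nextname = name + (unsigned char) name[0] + 1;`, and passing `(unsigned char) name[0]` as the precision in the two fprintf calls keeps the check meaningful; vms-misc.c in this same patch already takes its counted strings as `unsigned char *`. With a non-negative length the preceding `name > maxname - 2` comparisons are sound as written. evax_bfd_print_emh opens in the earlier hunk and its switch continues past the end of this one.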
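--- a/SPECS/binutils/CVE-2017-12450.patch
+++ b/SPECS/binutils/CVE-2017-12450.patch
@@ -0,0 +1,29 @@
+From 8a2df5e2df374289e00ecd8f099eb46d76ef982e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <[email protected]>
+Date: Mon, 24 Jul 2017 14:04:04 +0100
+Subject: [PATCH] Fix another memory access error triggered by attempting to
+parse a corrupt binary.
+
+PR 21813
+(alpha_vms_object_p): Check for a truncated record.
+---
+bfd/vms-alpha.c | 3 +++
+2 files changed, 5 insertions(+)
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 5e9170d..610b034 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -2679,6 +2679,9 @@ alpha_vms_object_p (bfd *abfd)
+PRIV (recrd.buf_size) = PRIV (recrd.rec_size);
+}
+
++ /* PR 21813: Check for a truncated record. */
++ if (PRIV (recrd.rec_size < test_len))
++ goto error_ret;
+/* Read the remaining record. */
+remaining = PRIV (recrd.rec_size) - test_len;
+to_read = MIN (VMS_BLOCK_SIZE - test_len, remaining);
+--
+2.9.3
+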
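Review bot: The new check `if (PRIV (recrd.rec_size < test_len))` puts the whole comparison inside the PRIV macro argument rather than just the field name; assuming PRIV expands to a member access on the bfd's private data, as the neighbouring `PRIV (recrd.buf_size) = PRIV (recrd.rec_size);` suggests, it becomes `...->recrd.rec_size < test_len` and works only because `->` binds tighter than `<`. The line is taken verbatim from the upstream patch, but a backport is a good place to keep the conventional form `if (PRIV (recrd.rec_size) < test_len)` so the intent is visible and a later change to PRIV cannot silently break it. The check itself is well placed, immediately before `remaining = PRIV (recrd.rec_size) - test_len;`, which it guards. alpha_vms_object_p starts and ends outside the hunk.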
