Verified Commit 8c4d830f authored by Max Rees's avatar Max Rees

system/binutils: patch CVE-2019-17450 and CVE-2019-17451 (#212)

parent 2c0bf1b6
# Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
pkgname=binutils
pkgver=2.32
pkgrel=4
pkgrel=5
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
depends=""
......@@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2019-12972.patch
CVE-2019-14250.patch
CVE-2019-14444.patch
CVE-2019-17450.patch
CVE-2019-17451.patch
BTS-170.patch
BTS-196.patch
"
......@@ -63,6 +65,9 @@ fi
# - CVE-2019-14250
# 2.32-r3:
# - CVE-2019-14444
# 2.32-r5:
# - CVE-2019-17450
# - CVE-2019-17451
build() {
local _sysroot=/
......@@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be
9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch
c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch
0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b CVE-2019-14444.patch
4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd CVE-2019-17450.patch
a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8 CVE-2019-17451.patch
d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110 BTS-170.patch
9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac BTS-196.patch"
From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 00:07:29 +1030
Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
PR 25078
* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
recur_count. Error on recur_count reaching 100 rather than
info_ptr matching orig_info_ptr. Adjust calls.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index 575b082..d39f4fd 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *,
struct dwarf2_debug *);
static bfd_boolean
-find_abstract_instance (struct comp_unit * unit,
- bfd_byte * orig_info_ptr,
- struct attribute * attr_ptr,
- const char ** pname,
- bfd_boolean * is_linkage,
- char ** filename_ptr,
- int * linenumber_ptr)
+find_abstract_instance (struct comp_unit *unit,
+ struct attribute *attr_ptr,
+ unsigned int recur_count,
+ const char **pname,
+ bfd_boolean *is_linkage,
+ char **filename_ptr,
+ int *linenumber_ptr)
{
bfd *abfd = unit->abfd;
bfd_byte *info_ptr;
@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit * unit,
struct attribute attr;
const char *name = NULL;
+ if (recur_count == 100)
+ {
+ _bfd_error_handler
+ (_("DWARF error: abstract instance recursion detected"));
+ bfd_set_error (bfd_error_bad_value);
+ return FALSE;
+ }
+
/* DW_FORM_ref_addr can reference an entry in a different CU. It
is an offset from the .debug_info section, not the current CU. */
if (attr_ptr->form == DW_FORM_ref_addr)
@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit * unit,
info_ptr, info_ptr_end);
if (info_ptr == NULL)
break;
- /* It doesn't ever make sense for DW_AT_specification to
- refer to the same DIE. Stop simple recursion. */
- if (info_ptr == orig_info_ptr)
- {
- _bfd_error_handler
- (_("DWARF error: abstract instance recursion detected"));
- bfd_set_error (bfd_error_bad_value);
- return FALSE;
- }
switch (attr.name)
{
case DW_AT_name:
@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit * unit,
}
break;
case DW_AT_specification:
- if (!find_abstract_instance (unit, info_ptr, &attr,
+ if (!find_abstract_instance (unit, &attr, recur_count + 1,
&name, is_linkage,
filename_ptr, linenumber_ptr))
return FALSE;
@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
case DW_AT_abstract_origin:
case DW_AT_specification:
- if (!find_abstract_instance (unit, info_ptr, &attr,
+ if (!find_abstract_instance (unit, &attr, 0,
&func->name,
&func->is_linkage,
&func->file,
--
2.9.3
From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001
From: Alan Modra <amodra@gmail.com>
Date: Wed, 9 Oct 2019 10:47:13 +1030
Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
and ffffd5555453b140 result in a total size of 1. Reading the first
section of course overflows the buffer and tramples on other memory.
PR 25070
* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
total_size calculation.
diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
index d39f4fd..88aaa2d 100644
--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
for (total_size = 0;
msec;
msec = find_debug_info (debug_bfd, debug_sections, msec))
- total_size += msec->size;
+ {
+ /* Catch PR25070 testcase overflowing size calculation here. */
+ if (total_size + msec->size < total_size
+ || total_size + msec->size < msec->size)
+ {
+ bfd_set_error (bfd_error_no_memory);
+ return FALSE;
+ }
+ total_size += msec->size;
+ }
stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
if (stash->info_ptr_memory == NULL)
--
2.9.3
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment