system/binutils: patch CVE-2019-17450 and CVE-2019-17451 (#212)

author: Max Rees <maxcrees@me.com> 2019-10-16 16:29:42 -0500
committer: Max Rees <maxcrees@me.com> 2019-10-16 16:30:19 -0500
commit: 8c4d830f564c6c9a7448556d157d54247618292c (patch)
tree: f99983f7e5d74f2707afb30c87a95f0305ae1aa3
parent: 2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5 (diff)
download: packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.gz
packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.bz2
packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.xz
packages-8c4d830f564c6c9a7448556d157d54247618292c.zip
3 files changed, 133 insertions, 1 deletions
diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD
index 682f2e93c..f5defac52 100644
--- a/system/binutils/APKBUILD
+++ b/system/binutils/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Adelie Platform Group <adelie-devel@lists.adelielinux.org>
 pkgname=binutils
 pkgver=2.32
-pkgrel=4
+pkgrel=5
 pkgdesc="Tools necessary to build programs"
 url="https://www.gnu.org/software/binutils/"
 depends=""
@@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
 	CVE-2019-12972.patch
 	CVE-2019-14250.patch
 	CVE-2019-14444.patch
+	CVE-2019-17450.patch
+	CVE-2019-17451.patch
 	BTS-170.patch
 	BTS-196.patch
 	"
@@ -63,6 +65,9 @@ fi
 #     - CVE-2019-14250
 #   2.32-r3:
 #     - CVE-2019-14444
+#   2.32-r5:
+#     - CVE-2019-17450
+#     - CVE-2019-17451
 
 build() {
 	local _sysroot=/
@@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be
 9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42  CVE-2019-12972.patch
 c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f  CVE-2019-14250.patch
 0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b  CVE-2019-14444.patch
+4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd  CVE-2019-17450.patch
+a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8  CVE-2019-17451.patch
 d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110  BTS-170.patch
 9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac  BTS-196.patch"
diff --git a/system/binutils/CVE-2019-17450.patch b/system/binutils/CVE-2019-17450.patch
new file mode 100644
index 000000000..edc0e94df
--- /dev/null
+++ b/system/binutils/CVE-2019-17450.patch
@@ -0,0 +1,87 @@
+From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+	PR 25078
+	* dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+	recur_count.  Error on recur_count reaching 100 rather than
+	info_ptr matching orig_info_ptr.  Adjust calls.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 575b082..d39f4fd 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *,
+ 						     struct dwarf2_debug *);
+ 
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit *   unit,
+-			bfd_byte *           orig_info_ptr,
+-			struct attribute *   attr_ptr,
+-			const char **        pname,
+-			bfd_boolean *        is_linkage,
+-			char **              filename_ptr,
+-			int *                linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++			struct attribute *attr_ptr,
++			unsigned int recur_count,
++			const char **pname,
++			bfd_boolean *is_linkage,
++			char **filename_ptr,
++			int *linenumber_ptr)
+ {
+   bfd *abfd = unit->abfd;
+   bfd_byte *info_ptr;
+@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit *   unit,
+   struct attribute attr;
+   const char *name = NULL;
+ 
++  if (recur_count == 100)
++    {
++      _bfd_error_handler
++	(_("DWARF error: abstract instance recursion detected"));
++      bfd_set_error (bfd_error_bad_value);
++      return FALSE;
++    }
++
+   /* DW_FORM_ref_addr can reference an entry in a different CU. It
+      is an offset from the .debug_info section, not the current CU.  */
+   if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit *   unit,
+ 					 info_ptr, info_ptr_end);
+ 	      if (info_ptr == NULL)
+ 		break;
+-	      /* It doesn't ever make sense for DW_AT_specification to
+-		 refer to the same DIE.  Stop simple recursion.  */
+-	      if (info_ptr == orig_info_ptr)
+-		{
+-		  _bfd_error_handler
+-		    (_("DWARF error: abstract instance recursion detected"));
+-		  bfd_set_error (bfd_error_bad_value);
+-		  return FALSE;
+-		}
+ 	      switch (attr.name)
+ 		{
+ 		case DW_AT_name:
+@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit *   unit,
+ 		    }
+ 		  break;
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ 					       &name, is_linkage,
+ 					       filename_ptr, linenumber_ptr))
+ 		    return FALSE;
+@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+ 
+ 		case DW_AT_abstract_origin:
+ 		case DW_AT_specification:
+-		  if (!find_abstract_instance (unit, info_ptr, &attr,
++		  if (!find_abstract_instance (unit, &attr, 0,
+ 					       &func->name,
+ 					       &func->is_linkage,
+ 					       &func->file,
+-- 
+2.9.3
+
diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch
new file mode 100644
index 000000000..f6af71601
--- /dev/null
+++ b/system/binutils/CVE-2019-17451.patch
@@ -0,0 +1,38 @@
+From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 10:47:13 +1030
+Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line
+
+Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1
+and ffffd5555453b140 result in a total size of 1.  Reading the first
+section of course overflows the buffer and tramples on other memory.
+
+	PR 25070
+	* dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of
+	total_size calculation.
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index d39f4fd..88aaa2d 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd,
+       for (total_size = 0;
+ 	   msec;
+ 	   msec = find_debug_info (debug_bfd, debug_sections, msec))
+-	total_size += msec->size;
++	{
++	  /* Catch PR25070 testcase overflowing size calculation here.  */
++	  if (total_size + msec->size < total_size
++	      || total_size + msec->size < msec->size)
++	    {
++	      bfd_set_error (bfd_error_no_memory);
++	      return FALSE;
++	    }
++	  total_size += msec->size;
++	}
+ 
+       stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+       if (stash->info_ptr_memory == NULL)
+-- 
+2.9.3
+
author	Max Rees <maxcrees@me.com>	2019-10-16 16:29:42 -0500
committer	Max Rees <maxcrees@me.com>	2019-10-16 16:30:19 -0500
commit	8c4d830f564c6c9a7448556d157d54247618292c (patch)
tree	f99983f7e5d74f2707afb30c87a95f0305ae1aa3
parent	2c0bf1b6c7c02036484a225cb2c4ea0d85205ad5 (diff)
download	packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.gz packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.bz2 packages-8c4d830f564c6c9a7448556d157d54247618292c.tar.xz packages-8c4d830f564c6c9a7448556d157d54247618292c.zip