From 8c4d830f564c6c9a7448556d157d54247618292c Mon Sep 17 00:00:00 2001 From: Max Rees Date: Wed, 16 Oct 2019 16:29:42 -0500 Subject: system/binutils: patch CVE-2019-17450 and CVE-2019-17451 (#212) --- system/binutils/APKBUILD | 9 +++- system/binutils/CVE-2019-17450.patch | 87 ++++++++++++++++++++++++++++++++++++ system/binutils/CVE-2019-17451.patch | 38 ++++++++++++++++ 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 system/binutils/CVE-2019-17450.patch create mode 100644 system/binutils/CVE-2019-17451.patch (limited to 'system') diff --git a/system/binutils/APKBUILD b/system/binutils/APKBUILD index 682f2e93c..f5defac52 100644 --- a/system/binutils/APKBUILD +++ b/system/binutils/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Adelie Platform Group pkgname=binutils pkgver=2.32 -pkgrel=4 +pkgrel=5 pkgdesc="Tools necessary to build programs" url="https://www.gnu.org/software/binutils/" depends="" @@ -32,6 +32,8 @@ source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz CVE-2019-12972.patch CVE-2019-14250.patch CVE-2019-14444.patch + CVE-2019-17450.patch + CVE-2019-17451.patch BTS-170.patch BTS-196.patch " @@ -63,6 +65,9 @@ fi # - CVE-2019-14250 # 2.32-r3: # - CVE-2019-14444 +# 2.32-r5: +# - CVE-2019-17450 +# - CVE-2019-17451 build() { local _sysroot=/ @@ -158,5 +163,7 @@ c0f50f1a843480f29b3895c8814df9801b9f90260edbaff1831aa5738fedd07a9e6b7a79f5b6f9be 9109a6ff9c55f310f86a1561fe6b404534928d402672490059bbe358f77c0c2a7f73c8b67f0a4450f00ba1776452858b63fa60cf2ec0744104a6b077e8fa3e42 CVE-2019-12972.patch c277202272d9883741c2530a94c6d50d55dd9d0a9efaa43a1f8c9fc7529bd45e635255c0d90035dfc5920d5387010a4259612a4d711260a95d7b3d9fa6500e4f CVE-2019-14250.patch 0942cc1a4c5ec03e931c6ebd15c5d60eae6be48cd0a3d9b7f6356f97361226bb6d53dbdcb01b20efcca0ccaf23764730d9bbad2c1bbe2ea6ca320e43b43b311b CVE-2019-14444.patch +4e8cbe3985ca4a7cb8954e4e03f094687985b3afec6bb14f1599665e0ab13e601b68cefdbb63e88f9dd59852036dcfee05af14014493c16c76dc38d406efc8fd CVE-2019-17450.patch +a71a035db5e14f105b5d58ec01ad250447f6282cae04e8c931fbdbf7adf118a065c6c9be9c72a204e0f8115b19598dc52f3953ae91200d48328b58cc274939d8 CVE-2019-17451.patch d4543d2f77808d317d17a5f0eb9af21540ef8543fceaed4e3524213e31e058333321f3ba3b495199e3b57bfd0c4164929cf679369470389e26871b8895cb0110 BTS-170.patch 9cc17d9fe3fc1351d1f6b4fc1c916254529f3304c95db6f4698b867eeb623210b914dc798fb837eafbad2b287b78b31c4ed5482b3151a2992864da04e1dd5fac BTS-196.patch" diff --git a/system/binutils/CVE-2019-17450.patch b/system/binutils/CVE-2019-17450.patch new file mode 100644 index 000000000..edc0e94df --- /dev/null +++ b/system/binutils/CVE-2019-17450.patch @@ -0,0 +1,87 @@ +From 063c511bd79281f33fd33f0964541a73511b9e2b Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 9 Oct 2019 00:07:29 +1030 +Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance + + PR 25078 + * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add + recur_count. Error on recur_count reaching 100 rather than + info_ptr matching orig_info_ptr. Adjust calls. + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 575b082..d39f4fd 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -2812,13 +2812,13 @@ static bfd_boolean comp_unit_maybe_decode_line_info (struct comp_unit *, + struct dwarf2_debug *); + + static bfd_boolean +-find_abstract_instance (struct comp_unit * unit, +- bfd_byte * orig_info_ptr, +- struct attribute * attr_ptr, +- const char ** pname, +- bfd_boolean * is_linkage, +- char ** filename_ptr, +- int * linenumber_ptr) ++find_abstract_instance (struct comp_unit *unit, ++ struct attribute *attr_ptr, ++ unsigned int recur_count, ++ const char **pname, ++ bfd_boolean *is_linkage, ++ char **filename_ptr, ++ int *linenumber_ptr) + { + bfd *abfd = unit->abfd; + bfd_byte *info_ptr; +@@ -2829,6 +2829,14 @@ find_abstract_instance (struct comp_unit * unit, + struct attribute attr; + const char *name = NULL; + ++ if (recur_count == 100) ++ { ++ _bfd_error_handler ++ (_("DWARF error: abstract instance recursion detected")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + /* DW_FORM_ref_addr can reference an entry in a different CU. It + is an offset from the .debug_info section, not the current CU. */ + if (attr_ptr->form == DW_FORM_ref_addr) +@@ -2962,15 +2970,6 @@ find_abstract_instance (struct comp_unit * unit, + info_ptr, info_ptr_end); + if (info_ptr == NULL) + break; +- /* It doesn't ever make sense for DW_AT_specification to +- refer to the same DIE. Stop simple recursion. */ +- if (info_ptr == orig_info_ptr) +- { +- _bfd_error_handler +- (_("DWARF error: abstract instance recursion detected")); +- bfd_set_error (bfd_error_bad_value); +- return FALSE; +- } + switch (attr.name) + { + case DW_AT_name: +@@ -2984,7 +2983,7 @@ find_abstract_instance (struct comp_unit * unit, + } + break; + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, recur_count + 1, + &name, is_linkage, + filename_ptr, linenumber_ptr)) + return FALSE; +@@ -3200,7 +3199,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_abstract_origin: + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, 0, + &func->name, + &func->is_linkage, + &func->file, +-- +2.9.3 + diff --git a/system/binutils/CVE-2019-17451.patch b/system/binutils/CVE-2019-17451.patch new file mode 100644 index 000000000..f6af71601 --- /dev/null +++ b/system/binutils/CVE-2019-17451.patch @@ -0,0 +1,38 @@ +From 336bfbeb1848f4b9558456fdcf283ee8a32d7fd1 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Wed, 9 Oct 2019 10:47:13 +1030 +Subject: [PATCH] PR25070, SEGV in function _bfd_dwarf2_find_nearest_line + +Evil testcase with two debug info sections, with sizes of 2aaaabac4ec1 +and ffffd5555453b140 result in a total size of 1. Reading the first +section of course overflows the buffer and tramples on other memory. + + PR 25070 + * dwarf2.c (_bfd_dwarf2_slurp_debug_info): Catch overflow of + total_size calculation. + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index d39f4fd..88aaa2d 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4439,7 +4439,16 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + for (total_size = 0; + msec; + msec = find_debug_info (debug_bfd, debug_sections, msec)) +- total_size += msec->size; ++ { ++ /* Catch PR25070 testcase overflowing size calculation here. */ ++ if (total_size + msec->size < total_size ++ || total_size + msec->size < msec->size) ++ { ++ bfd_set_error (bfd_error_no_memory); ++ return FALSE; ++ } ++ total_size += msec->size; ++ } + + stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size); + if (stash->info_ptr_memory == NULL) +-- +2.9.3 + -- cgit v1.2.3-70-g09d2