poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch - openbmc/openbmc - Gitiles

 From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001
 From: Nick Clifton <nickc@redhat.com>
 Date: Thu, 1 Mar 2018 16:14:08 +0000
 Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow
  when parsing corrupt DWARF information on a 32-bit host.

 	PR 22905
 	* dwarf.c (display_debug_ranges): Check that the offset loaded
 	from the range_entry structure is valid.

 Upstream-Status: Backport
 Affects: Binutils <= 2.30
 CVE: CVE-2018-7643
 Signed-off-by: Armin Kuster <akuster@mvista.com>

 ---
  binutils/ChangeLog |  6 ++++++
  binutils/dwarf.c   | 15 +++++++++++++++
  2 files changed, 21 insertions(+)

 Index: git/binutils/dwarf.c
 ===================================================================
 --- git.orig/binutils/dwarf.c
 +++ git/binutils/dwarf.c
 @@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data,
      }								\
    while (0)

 +/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value.
 +   Checks to make sure that the read will not reach or pass END
 +   and that VAL is big enough to hold AMOUNT bytes.  */
  #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END)	\
    do						\
      {						\
 @@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data,
      }						\
    while (0)

 +/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT.  */
  #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\
    do							\
      {							\
 @@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data,
      }							\
    while (0)

 +/* Like SAFE_BYTE_GET, but reads a signed value.  */
  #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END)	\
    do							\
      {							\
 @@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data,
      }							\
    while (0)

 +/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT.  */
  #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\
    do								\
      {								\
 @@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char
  	break;
        SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish);

 +
        printf ("    %8.8lx ", offset);

        if (begin == 0 && end == 0)
 @@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_secti
  	  continue;
  	}

 +      if (next < section_begin || next >= finish)
 +	{
 +	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
 +		(unsigned long) offset, i);
 +	  continue;
 +	}
 +
        if (dwarf_check != 0 && i > 0)
  	{
  	  if (start < next)
 @@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_secti
  		    (unsigned long) (next - section_begin), section->name);
  	    }
  	}
 +
        start = next;
        last_start = next;

 Index: git/bfd/ChangeLog
 ===================================================================
 --- git.orig/bfd/ChangeLog
 +++ git/bfd/ChangeLog
 @@ -1,3 +1,9 @@
 +2018-03-01  Nick Clifton  <nickc@redhat.com>
 +
 +       PR 22905
 +       * dwarf.c (display_debug_ranges): Check that the offset loaded
 +       from the range_entry structure is valid.
 +
  2018-05-08  Nick Clifton  <nickc@redhat.com>

         PR 22809
	From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001
	From: Nick Clifton <nickc@redhat.com>
	Date: Thu, 1 Mar 2018 16:14:08 +0000
	Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow
	when parsing corrupt DWARF information on a 32-bit host.

	PR 22905
	* dwarf.c (display_debug_ranges): Check that the offset loaded
	from the range_entry structure is valid.

	Upstream-Status: Backport
	Affects: Binutils <= 2.30
	CVE: CVE-2018-7643
	Signed-off-by: Armin Kuster <akuster@mvista.com>

	---
	binutils/ChangeLog \| 6 ++++++
	binutils/dwarf.c \| 15 +++++++++++++++
	2 files changed, 21 insertions(+)

	Index: git/binutils/dwarf.c
	===================================================================
	--- git.orig/binutils/dwarf.c
	+++ git/binutils/dwarf.c
	@@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data,
	} \
	while (0)

	+/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value.
	+ Checks to make sure that the read will not reach or pass END
	+ and that VAL is big enough to hold AMOUNT bytes. */
	#define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END) \
	do \
	{ \
	@@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data,
	} \
	while (0)

	+/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT. */
	#define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END) \
	do \
	{ \
	@@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data,
	} \
	while (0)

	+/* Like SAFE_BYTE_GET, but reads a signed value. */
	#define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END) \
	do \
	{ \
	@@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data,
	} \
	while (0)

	+/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT. */
	#define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END) \
	do \
	{ \
	@@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char
	break;
	SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish);

	+
	printf (" %8.8lx ", offset);

	if (begin == 0 && end == 0)
	@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_secti
	continue;
	}

	+ if (next < section_begin \|\| next >= finish)
	+ {
	+ warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
	+ (unsigned long) offset, i);
	+ continue;
	+ }
	+
	if (dwarf_check != 0 && i > 0)
	{
	if (start < next)
	@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_secti
	(unsigned long) (next - section_begin), section->name);
	}
	}
	+
	start = next;
	last_start = next;

	Index: git/bfd/ChangeLog
	===================================================================
	--- git.orig/bfd/ChangeLog
	+++ git/bfd/ChangeLog
	@@ -1,3 +1,9 @@
	+2018-03-01 Nick Clifton <nickc@redhat.com>
	+
	+ PR 22905
	+ * dwarf.c (display_debug_ranges): Check that the offset loaded
	+ from the range_entry structure is valid.
	+
	2018-05-08 Nick Clifton <nickc@redhat.com>

	PR 22809