Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | 1 | From cd3ea7c69acc5045eb28f9bf80d923116e15e4f5 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nick Clifton <nickc@redhat.com> |
| 3 | Date: Thu, 15 Jun 2017 13:26:54 +0100 |
| 4 | Subject: [PATCH] Prevent address violation problem when disassembling corrupt |
| 5 | aarch64 binary. |
| 6 | |
| 7 | PR binutils/21595 |
| 8 | * aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of |
| 9 | range value. |
| 10 | |
| 11 | Upstream-Status: Backport |
| 12 | CVE: CVE-2017-9756 |
| 13 | Signed-off-by: Armin Kuster <akuster@mvista.com> |
| 14 | |
| 15 | --- |
| 16 | opcodes/ChangeLog | 6 ++++++ |
| 17 | opcodes/aarch64-dis.c | 3 +++ |
| 18 | 2 files changed, 9 insertions(+) |
| 19 | |
| 20 | Index: git/opcodes/ChangeLog |
| 21 | =================================================================== |
| 22 | --- git.orig/opcodes/ChangeLog |
| 23 | +++ git/opcodes/ChangeLog |
| 24 | @@ -6,6 +6,12 @@ |
| 25 | |
| 26 | 2017-06-15 Nick Clifton <nickc@redhat.com> |
| 27 | |
| 28 | + PR binutils/21595 |
| 29 | + * aarch64-dis.c (aarch64_ext_ldst_reglist): Check for an out of |
| 30 | + range value. |
| 31 | + |
| 32 | +2017-06-15 Nick Clifton <nickc@redhat.com> |
| 33 | + |
| 34 | PR binutils/21588 |
| 35 | * rl78-decode.opc (OP_BUF_LEN): Define. |
| 36 | (GETBYTE): Check for the index exceeding OP_BUF_LEN. |
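Review bot: the context lines of this ChangeLog hunk include the PR binutils/21588 entry (rl78-decode.opc), so the patch only applies cleanly when the backport for that PR is already in the series ahead of it. Either document that ordering next to Upstream-Status, or drop the ChangeLog hunk from the backport so the three-line fix in aarch64-dis.c can be applied on its own. As a style point, the hunk also leaves two consecutive "2017-06-15 Nick Clifton" headers; same-day entries by one author would normally share a single header.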
| 37 | Index: git/opcodes/aarch64-dis.c |
| 38 | =================================================================== |
| 39 | --- git.orig/opcodes/aarch64-dis.c |
| 40 | +++ git/opcodes/aarch64-dis.c |
| 41 | @@ -409,6 +409,9 @@ aarch64_ext_ldst_reglist (const aarch64_ |
| 42 | info->reglist.first_regno = extract_field (FLD_Rt, code, 0); |
| 43 | /* opcode */ |
| 44 | value = extract_field (FLD_opcode, code, 0); |
| 45 | + /* PR 21595: Check for a bogus value. */ |
| 46 | + if (value >= ARRAY_SIZE (data)) |
| 47 | + return 0; |
| 48 | if (expected_num != data[value].num_elements || data[value].is_reserved) |
| 49 | return 0; |
| 50 | info->reglist.num_regs = data[value].num_regs; |
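Review bot: the bound check at "if (value >= ARRAY_SIZE (data))" covers only the upper bound, so it depends on value being an unsigned type, and the declaration is outside this hunk. Please confirm that when reviewing the backport, since a signed value would let a negative index through to the data[value].num_elements and data[value].is_reserved reads on the following line. The placement is right: the check sits before the first data[value] access. The comment "Check for a bogus value" would be more useful if it said the field extracted from FLD_opcode can exceed the number of entries in data. The diffstat shows only ChangeLog and aarch64-dis.c changing, so no regression test comes with the fix; consider noting how the corrupt-binary case from PR 21595 was verified.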