aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/binutils/binutils/CVE-2017-9752.patch
blob: fce5b14b203129ca6abaf98f965226220813740c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
commit c53d2e6d744da000aaafe0237bced090aab62818
Author: Nick Clifton <nickc@redhat.com>
Date:   Wed Jun 14 11:27:15 2017 +0100

    Fix potential address violations when processing a corrupt Alpha VMA binary.
    
    	PR binutils/21589
    	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
    	maximum value for the ascic pointer.  Check that name processing
    	does not read beyond this value.
    	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
    	end of etir record.

Upstream-Status: Backport

CVE: CVE-2017-9752
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>

Index: git/bfd/vms-alpha.c
===================================================================
--- git.orig/bfd/vms-alpha.c	2017-09-21 15:00:19.117805347 +0530
+++ git/bfd/vms-alpha.c	2017-09-21 15:00:20.673815960 +0530
@@ -1507,7 +1507,7 @@
 /* Write multiple bytes to section image.  */
 
 static bfd_boolean
-image_write (bfd *abfd, unsigned char *ptr, int size)
+image_write (bfd *abfd, unsigned char *ptr, unsigned int size)
 {
 #if VMS_DEBUG
   _bfd_vms_debug (8, "image_write from (%p, %d) to (%ld)\n", ptr, size,
@@ -1654,14 +1654,16 @@
 #define HIGHBIT(op) ((op & 0x80000000L) == 0x80000000L)
 
 static void
-_bfd_vms_get_value (bfd *abfd, const unsigned char *ascic,
+_bfd_vms_get_value (bfd *abfd,
+		    const unsigned char *ascic,
+		    const unsigned char *max_ascic,
                     struct bfd_link_info *info,
                     bfd_vma *vma,
                     struct alpha_vms_link_hash_entry **hp)
 {
   char name[257];
-  int len;
-  int i;
+  unsigned int len;
+  unsigned int i;
   struct alpha_vms_link_hash_entry *h;
 
   /* Not linking.  Do not try to resolve the symbol.  */
@@ -1673,6 +1675,14 @@
     }
 
   len = *ascic;
+  if (ascic + len >= max_ascic)
+    {
+      _bfd_error_handler (_("Corrupt vms value"));
+      *vma = 0;
+      *hp = NULL;
+      return;
+    }
+
   for (i = 0; i < len; i++)
     name[i] = ascic[i + 1];
   name[i] = 0;
@@ -1797,6 +1807,15 @@
       _bfd_hexdump (8, ptr, cmd_length - 4, 0);
 #endif
 
+      /* PR 21589: Check for a corrupt ETIR record.  */
+      if (cmd_length < 4)
+	{
+	corrupt_etir:
+	  _bfd_error_handler (_("Corrupt ETIR record encountered"));
+	  bfd_set_error (bfd_error_bad_value);
+	  return FALSE;
+	}
+
       switch (cmd)
         {
           /* Stack global
@@ -1804,7 +1823,7 @@
 
              stack 32 bit value of symbol (high bits set to 0).  */
         case ETIR__C_STA_GBL:
-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
           _bfd_vms_push (abfd, op1, alpha_vms_sym_to_ctxt (h));
           break;
 
@@ -1813,6 +1832,8 @@
 
              stack 32 bit value, sign extend to 64 bit.  */
         case ETIR__C_STA_LW:
+	  if (ptr + 4 >= maxptr)
+	    goto corrupt_etir;
           _bfd_vms_push (abfd, bfd_getl32 (ptr), RELC_NONE);
           break;
 
@@ -1821,6 +1842,8 @@
 
              stack 64 bit value of symbol.  */
         case ETIR__C_STA_QW:
+	  if (ptr + 8 >= maxptr)
+	    goto corrupt_etir;
           _bfd_vms_push (abfd, bfd_getl64 (ptr), RELC_NONE);
           break;
 
@@ -1834,6 +1857,8 @@
           {
             int psect;
 
+	    if (ptr + 12 >= maxptr)
+	      goto corrupt_etir;
             psect = bfd_getl32 (ptr);
             if ((unsigned int) psect >= PRIV (section_count))
               {
@@ -1923,6 +1948,8 @@
           {
             int size;
 
+	    if (ptr + 4 >= maxptr)
+	      goto corrupt_etir;
             size = bfd_getl32 (ptr);
             _bfd_vms_pop (abfd, &op1, &rel1);
             if (rel1 != RELC_NONE)
@@ -1935,7 +1962,7 @@
           /* Store global: write symbol value
              arg: cs	global symbol name.  */
         case ETIR__C_STO_GBL:
-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
           if (h && h->sym)
             {
               if (h->sym->typ == EGSD__C_SYMG)
@@ -1957,7 +1984,7 @@
           /* Store code address: write address of entry point
              arg: cs	global symbol name (procedure).  */
         case ETIR__C_STO_CA:
-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
           if (h && h->sym)
             {
               if (h->sym->flags & EGSY__V_NORM)
@@ -2002,8 +2029,10 @@
              da	data.  */
         case ETIR__C_STO_IMM:
           {
-            int size;
+            unsigned int size;
 
+	    if (ptr + 4 >= maxptr)
+	      goto corrupt_etir;
             size = bfd_getl32 (ptr);
             image_write (abfd, ptr + 4, size);
           }
@@ -2016,7 +2045,7 @@
              store global longword: store 32bit value of symbol
              arg: cs	symbol name.  */
         case ETIR__C_STO_GBL_LW:
-          _bfd_vms_get_value (abfd, ptr, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr, maxptr, info, &op1, &h);
 #if 0
           abort ();
 #endif
@@ -2069,7 +2098,7 @@
              da	signature.  */
 
         case ETIR__C_STC_LP_PSB:
-          _bfd_vms_get_value (abfd, ptr + 4, info, &op1, &h);
+          _bfd_vms_get_value (abfd, ptr + 4, maxptr, info, &op1, &h);
           if (h && h->sym)
             {
               if (h->sym->typ == EGSD__C_SYMG)
@@ -2165,6 +2194,8 @@
           /* Augment relocation base: increment image location counter by offset
              arg: lw	offset value.  */
         case ETIR__C_CTL_AUGRB:
+	  if (ptr + 4 >= maxptr)
+	    goto corrupt_etir;
           op1 = bfd_getl32 (ptr);
           image_inc_ptr (abfd, op1);
           break;
Index: git/bfd/ChangeLog
===================================================================
--- git.orig/bfd/ChangeLog	2017-09-21 15:04:44.000000000 +0530
+++ git/bfd/ChangeLog	2017-09-21 15:07:58.268949291 +0530
@@ -81,6 +81,15 @@
        PR binutils/21581
        (ieee_archive_p): Likewise.
 
+2017-06-14  Nick Clifton  <nickc@redhat.com>
+
+	PR binutils/21589
+	* vms-alpha.c (_bfd_vms_get_value): Add an extra parameter - the
+	maximum value for the ascic pointer.  Check that name processing
+	does not read beyond this value.
+	(_bfd_vms_slurp_etir): Add checks for attempts to read beyond the
+	end of etir record.
+
 2017-04-29  Alan Modra  <amodra@gmail.com>
 
        PR 21432