summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTrevor Gamblin <trevor.gamblin@windriver.com>2019-11-18 07:23:31 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-19 00:24:12 +0000
commit8b33aeb4122be31b2aed29e40dcac01ea4643b63 (patch)
tree636711dfc1dd098efb2fe59f66c6b50910463456
parentf47017ff7f1ae1731412524768af372791068689 (diff)
downloadopenembedded-core-8b33aeb4122be31b2aed29e40dcac01ea4643b63.tar.gz
binutils: fix CVE-2019-17450
Backport upstream fix. No upstream release version of binutils it yet, so backport the fix independently. (From OE-Core rev: a4ead72b958ded4941f96741029f4955930ba758) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.32.inc1
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch99
2 files changed, 100 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 19baf8a883..1e96cf494d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
file://CVE-2019-12972.patch \
file://CVE-2019-14250.patch \
file://CVE-2019-14444.patch \
+ file://CVE-2019-17450.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
new file mode 100644
index 0000000000..a6ce0b9a8a
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-17450.patch
@@ -0,0 +1,99 @@
+From 09dd135df9ebc7a4b640537e23e26a03a288a789 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 9 Oct 2019 00:07:29 +1030
+Subject: [PATCH] PR25078, stack overflow in function find_abstract_instance
+
+Selectively backporting fix for bfd/dwarf2.c, but not the ChangeLog
+file. There are newer versions of binutils, but none of them contain the
+commit fixing CVE-2019-17450, so backport it to master and zeus.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79]
+CVE: CVE-2019-17450
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+ PR 25078
+ * dwarf2.c (find_abstract_instance): Delete orig_info_ptr, add
+ recur_count. Error on recur_count reaching 100 rather than
+ info_ptr matching orig_info_ptr. Adjust calls.
+
+---
+ bfd/dwarf2.c | 35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 0b4e485582..20ec9e2e56 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -2803,13 +2803,13 @@ lookup_symbol_in_variable_table (struct comp_unit *unit,
+ }
+
+ static bfd_boolean
+-find_abstract_instance (struct comp_unit * unit,
+- bfd_byte * orig_info_ptr,
+- struct attribute * attr_ptr,
+- const char ** pname,
+- bfd_boolean * is_linkage,
+- char ** filename_ptr,
+- int * linenumber_ptr)
++find_abstract_instance (struct comp_unit *unit,
++ struct attribute *attr_ptr,
++ unsigned int recur_count,
++ const char **pname,
++ bfd_boolean *is_linkage,
++ char **filename_ptr,
++ int *linenumber_ptr)
+ {
+ bfd *abfd = unit->abfd;
+ bfd_byte *info_ptr;
+@@ -2820,6 +2820,14 @@ find_abstract_instance (struct comp_unit * unit,
+ struct attribute attr;
+ const char *name = NULL;
+
++ if (recur_count == 100)
++ {
++ _bfd_error_handler
++ (_("DWARF error: abstract instance recursion detected"));
++ bfd_set_error (bfd_error_bad_value);
++ return FALSE;
++ }
++
+ /* DW_FORM_ref_addr can reference an entry in a different CU. It
+ is an offset from the .debug_info section, not the current CU. */
+ if (attr_ptr->form == DW_FORM_ref_addr)
+@@ -2939,15 +2947,6 @@ find_abstract_instance (struct comp_unit * unit,
+ info_ptr, info_ptr_end);
+ if (info_ptr == NULL)
+ break;
+- /* It doesn't ever make sense for DW_AT_specification to
+- refer to the same DIE. Stop simple recursion. */
+- if (info_ptr == orig_info_ptr)
+- {
+- _bfd_error_handler
+- (_("DWARF error: abstract instance recursion detected"));
+- bfd_set_error (bfd_error_bad_value);
+- return FALSE;
+- }
+ switch (attr.name)
+ {
+ case DW_AT_name:
+@@ -2961,7 +2960,7 @@ find_abstract_instance (struct comp_unit * unit,
+ }
+ break;
+ case DW_AT_specification:
+- if (!find_abstract_instance (unit, info_ptr, &attr,
++ if (!find_abstract_instance (unit, &attr, recur_count + 1,
+ &name, is_linkage,
+ filename_ptr, linenumber_ptr))
+ return FALSE;
+@@ -3175,7 +3174,7 @@ scan_unit_for_symbols (struct comp_unit *unit)
+
+ case DW_AT_abstract_origin:
+ case DW_AT_specification:
+- if (!find_abstract_instance (unit, info_ptr, &attr,
++ if (!find_abstract_instance (unit, &attr, 0,
+ &func->name,
+ &func->is_linkage,
+ &func->file,
+--
+2.23.0
+