binutils: CVE-2017-9755

Source: binutils-gdb.git
MR: 73932
Type: Security Fix
Disposition: Backport from binutils-2_29
ChangeID: 49ad5f3244cd51ee6714c1b60cc1c3f84d7de7c8
Description:

 i386-dis: Add 2 tests with invalid bnd register

        PR binutils/21594
        * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
        register.
        * testsuite/gas/i386/x86-64-mpx.s: Likewise.
        * testsuite/gas/i386/mpx.d: Updated.
        * testsuite/gas/i386/x86-64-mpx.d: Likewise.

 i386-dis: Check valid bnd register

 Since there are only 4 bnd registers, return "(bad)" for register
 number > 3.

        PR binutils/21594
        * i386-dis.c (OP_E_register): Check valid bnd register.
        (OP_G): Likewise.

Affects: <= 2.28
Author: H.J. Lu <hjl.tools@gmail.com>
Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
Reviewed-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 2b35cb154d59d519899ffeafb8cc992f4efb4636..961364c81ce0790bfbf0fc4c1a3ff65770318241 100644 (file)
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -86,6 +86,8 @@ SRC_URI = "\
      file://CVE-2017-9750.patch \
      file://CVE-2017-9752.patch \
      file://CVE-2017-9753_9754.patch \
+     file://CVE-2017-9755_1.patch \
+     file://CVE-2017-9755_2.patch \
 "
 S  = "${WORKDIR}/git"
 

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
new file mode 100644 (file)
index 0000000..3ad3218
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_1.patch
@@ -0,0 +1,60 @@
+commit 0d96e4df4812c3bad77c229dfef47a9bc115ac12
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Thu Jun 15 06:40:17 2017 -0700
+
+    i386-dis: Check valid bnd register
+    
+    Since there are only 4 bnd registers, return "(bad)" for register
+    number > 3.
+    
+       PR binutils/21594
+       * i386-dis.c (OP_E_register): Check valid bnd register.
+       (OP_G): Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9755
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/opcodes/i386-dis.c
+===================================================================
+--- git.orig/opcodes/i386-dis.c        2017-09-21 15:38:46.907182525 +0530
++++ git/opcodes/i386-dis.c     2017-09-21 15:38:54.703174976 +0530
+@@ -15211,6 +15211,11 @@
+       names = address_mode == mode_64bit ? names64 : names32;
+       break;
+     case bnd_mode:
++      if (reg > 0x3)
++      {
++        oappend ("(bad)");
++        return;
++      }
+       names = names_bnd;
+       break;
+     case indir_v_mode:
+@@ -15751,6 +15756,11 @@
+       oappend (names64[modrm.reg + add]);
+       break;
+     case bnd_mode:
++      if (modrm.reg > 0x3)
++      {
++        oappend ("(bad)");
++        return;
++      }
+       oappend (names_bnd[modrm.reg]);
+       break;
+     case v_mode:
+Index: git/opcodes/ChangeLog
+===================================================================
+--- git.orig/opcodes/ChangeLog 2017-09-21 15:38:54.531175122 +0530
++++ git/opcodes/ChangeLog      2017-09-21 15:45:32.264491166 +0530
+@@ -1,3 +1,9 @@
++2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
++
++      PR binutils/21594
++      * i386-dis.c (OP_E_register): Check valid bnd register.
++      (OP_G): Likewise.
++
+ 2017-06-15  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21586

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
new file mode 100644 (file)
index 0000000..69e1607
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9755_2.patch
@@ -0,0 +1,101 @@
+commit 8cac017d35ef374e65acc98818a17cf8a652cbd0
+Author: H.J. Lu <hjl.tools@gmail.com>
+Date:   Thu Jun 15 08:21:48 2017 -0700
+
+    i386-dis: Add 2 tests with invalid bnd register
+    
+       PR binutils/21594
+       * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
+       register.
+       * testsuite/gas/i386/x86-64-mpx.s: Likewise.
+       * testsuite/gas/i386/mpx.d: Updated.
+       * testsuite/gas/i386/x86-64-mpx.d: Likewise.
+
+Upstream-Status: Backport
+
+CVE: CVE-2017-9755
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+Index: git/gas/testsuite/gas/i386/mpx.d
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/mpx.d      2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/mpx.d   2017-09-21 15:45:57.616640460 +0530
+@@ -130,4 +130,8 @@
+ 
+ [a-f0-9]+ <foo>:
+ [     ]*[a-f0-9]+:    f2 c3                   bnd ret 
++
++[a-f0-9]+ <bad>:
++[     ]*[a-f0-9]+:    0f 1a 30                bndldx \(%eax\),\(bad\)
++[     ]*[a-f0-9]+:    66 0f 1a c4             bndmov \(bad\),%bnd0
+ #pass
+Index: git/gas/testsuite/gas/i386/mpx.s
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/mpx.s      2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/mpx.s   2017-09-21 15:45:57.616640460 +0530
+@@ -157,3 +157,15 @@
+       bnd ret
+ 
+ foo:  bnd ret
++
++bad:
++      # bndldx (%eax),(bad)
++      .byte 0x0f
++      .byte 0x1a
++      .byte 0x30
++
++      # bndmov (bad),%bnd0
++      .byte 0x66
++      .byte 0x0f
++      .byte 0x1a
++      .byte 0xc4
+Index: git/gas/testsuite/gas/i386/x86-64-mpx.d
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.d       2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/x86-64-mpx.d    2017-09-21 15:45:57.616640460 +0530
+@@ -182,4 +182,8 @@
+ 
+ [a-f0-9]+ <foo>:
+ [     ]*[a-f0-9]+:    f2 c3                   bnd retq 
++
++[a-f0-9]+ <bad>:
++[     ]*[a-f0-9]+:    0f 1a 30                bndldx \(%rax\),\(bad\)
++[     ]*[a-f0-9]+:    66 0f 1a c4             bndmov \(bad\),%bnd0
+ #pass
+Index: git/gas/testsuite/gas/i386/x86-64-mpx.s
+===================================================================
+--- git.orig/gas/testsuite/gas/i386/x86-64-mpx.s       2017-09-21 15:45:57.640640603 +0530
++++ git/gas/testsuite/gas/i386/x86-64-mpx.s    2017-09-21 15:45:57.616640460 +0530
+@@ -209,3 +209,15 @@
+       bnd ret
+ 
+ foo:  bnd ret
++
++bad:
++      # bndldx (%eax),(bad)
++      .byte 0x0f
++      .byte 0x1a
++      .byte 0x30
++
++      # bndmov (bad),%bnd0
++      .byte 0x66
++      .byte 0x0f
++      .byte 0x1a
++      .byte 0xc4
+Index: git/gas/ChangeLog
+===================================================================
+--- git.orig/gas/ChangeLog     2017-09-21 15:38:53.143176323 +0530
++++ git/gas/ChangeLog  2017-09-21 15:48:07.134368927 +0530
+@@ -1,3 +1,12 @@
++2017-06-15  H.J. Lu  <hongjiu.lu@intel.com>
++
++      PR binutils/21594
++      * testsuite/gas/i386/mpx.s: Add 2 tests with invalid bnd
++      register.
++      * testsuite/gas/i386/x86-64-mpx.s: Likewise.
++      * testsuite/gas/i386/mpx.d: Updated.
++      * testsuite/gas/i386/x86-64-mpx.d: Likewise.
++
+ 2016-12-01  Nick Clifton  <nickc@redhat.com>
+ 
+       PR gas/20898