package/binutils: fix crash caused by buggy xtensa overlay

Message ID 1501699220-3055-1-git-send-email-jcmvbkbc@gmail.com
State Accepted

Commit Message

Max Filippov Aug. 2, 2017, 6:40 p.m. UTC
In some xtensa configurations there may be system/user registers in
xtensa-modules with negative index. ISA initialization for such config
may clobber heap and result in program termination.
Don't update lookup table entries for register with negative indices.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
---
 ...a-fix-memory-corruption-by-broken-sysregs.patch | 42 ++++++++++++++++++++++
 ...a-fix-memory-corruption-by-broken-sysregs.patch | 42 ++++++++++++++++++++++
 ...a-fix-memory-corruption-by-broken-sysregs.patch | 42 ++++++++++++++++++++++
 3 files changed, 126 insertions(+)
 create mode 100644 package/binutils/2.27/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
 create mode 100644 package/binutils/2.28.1/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
 create mode 100644 package/binutils/2.29/0008-xtensa-fix-memory-corruption-by-broken-sysregs.patch

Comments

Thomas Petazzoni Aug. 2, 2017, 7:42 p.m. UTC | #1
Hello,

On Wed,  2 Aug 2017 11:40:20 -0700, Max Filippov wrote:
> In some xtensa configurations there may be system/user registers in
> xtensa-modules with negative index. ISA initialization for such config
> may clobber heap and result in program termination.
> Don't update lookup table entries for register with negative indices.
> 
> Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
> ---
>  ...a-fix-memory-corruption-by-broken-sysregs.patch | 42 ++++++++++++++++++++++
>  ...a-fix-memory-corruption-by-broken-sysregs.patch | 42 ++++++++++++++++++++++
>  ...a-fix-memory-corruption-by-broken-sysregs.patch | 42 ++++++++++++++++++++++
>  3 files changed, 126 insertions(+)
>  create mode 100644 package/binutils/2.27/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
>  create mode 100644 package/binutils/2.28.1/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
>  create mode 100644 package/binutils/2.29/0008-xtensa-fix-memory-corruption-by-broken-sysregs.patch

Applied to master, thanks.

Thomas

Peter Korsgaard Sept. 5, 2017, 9:04 p.m. UTC | #2
>>>>> "Max" == Max Filippov <jcmvbkbc@gmail.com> writes:

 > In some xtensa configurations there may be system/user registers in
 > xtensa-modules with negative index. ISA initialization for such config
 > may clobber heap and result in program termination.
 > Don't update lookup table entries for register with negative indices.

 > Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>

Committed to 2017.02.x after dropping the 2.28.1/2.29 patches, thanks.

Is this patch also needed for the older 2.25.1 / 2.26.1 variants we have
in 2027.02.x? If so, could you send a patch?

Patch

diff --git a/package/binutils/2.27/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch b/package/binutils/2.27/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
new file mode 100644
index 000000000000..30103ee05eca
--- /dev/null
+++ b/package/binutils/2.27/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
@@ -0,0 +1,42 @@ 
+From 3c8788dbb70b40e737d4b8e30cab81406e5c5091 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Aug 2017 00:36:05 -0700
+Subject: [PATCH] xtensa: fix memory corruption by broken sysregs
+
+In some xtensa configurations there may be system/user registers in
+xtensa-modules with negative index. ISA initialization for such config
+may clobber heap and result in program termination.
+Don't update lookup table entries for register with negative indices.
+They are not directly accessible via RSR/WSR/XSR or RUR/WUR, so this
+change should not affect processing of valid assembly/binary code.
+
+bfd/
+2017-08-02  Max Filippov  <jcmvbkbc@gmail.com>
+
+	* xtensa-isa.c (xtensa_isa_init): Don't update lookup table
+	entries for sysregs with negative indices.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+---
+Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a
+
+ bfd/xtensa-isa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xtensa-isa.c b/bfd/xtensa-isa.c
+index 8da75bea8109..8c6ee88fdeae 100644
+--- a/bfd/xtensa-isa.c
++++ b/bfd/xtensa-isa.c
+@@ -292,7 +292,8 @@ xtensa_isa_init (xtensa_isa_status *errno_p, char **error_msg_p)
+       xtensa_sysreg_internal *sreg = &isa->sysregs[n];
+       is_user = sreg->is_user;
+ 
+-      isa->sysreg_table[is_user][sreg->number] = n;
++      if (sreg->number >= 0)
++	isa->sysreg_table[is_user][sreg->number] = n;
+     }
+ 
+   /* Set up the interface lookup table.  */
+-- 
+2.1.4
+
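Review bot: the new guard in xtensa_isa_init tests only the lower bound (`sreg->number >= 0`); nothing in the visible context shows that `sreg->number` is also below the allocated size of `isa->sysreg_table[is_user]`, so a register number that is too large could still write past the table. Please confirm how the table is sized and, if its size is not derived from the largest register number, add the upper-bound test to the same condition. A one-line comment above the `if`, saying that negative numbers come from broken overlays and are not reachable via RSR/WSR/XSR or RUR/WUR, would keep the reason next to the code instead of only in the commit text.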
diff --git a/package/binutils/2.28.1/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch b/package/binutils/2.28.1/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
new file mode 100644
index 000000000000..30103ee05eca
--- /dev/null
+++ b/package/binutils/2.28.1/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch
@@ -0,0 +1,42 @@ 
+From 3c8788dbb70b40e737d4b8e30cab81406e5c5091 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Aug 2017 00:36:05 -0700
+Subject: [PATCH] xtensa: fix memory corruption by broken sysregs
+
+In some xtensa configurations there may be system/user registers in
+xtensa-modules with negative index. ISA initialization for such config
+may clobber heap and result in program termination.
+Don't update lookup table entries for register with negative indices.
+They are not directly accessible via RSR/WSR/XSR or RUR/WUR, so this
+change should not affect processing of valid assembly/binary code.
+
+bfd/
+2017-08-02  Max Filippov  <jcmvbkbc@gmail.com>
+
+	* xtensa-isa.c (xtensa_isa_init): Don't update lookup table
+	entries for sysregs with negative indices.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+---
+Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a
+
+ bfd/xtensa-isa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xtensa-isa.c b/bfd/xtensa-isa.c
+index 8da75bea8109..8c6ee88fdeae 100644
+--- a/bfd/xtensa-isa.c
++++ b/bfd/xtensa-isa.c
+@@ -292,7 +292,8 @@ xtensa_isa_init (xtensa_isa_status *errno_p, char **error_msg_p)
+       xtensa_sysreg_internal *sreg = &isa->sysregs[n];
+       is_user = sreg->is_user;
+ 
+-      isa->sysreg_table[is_user][sreg->number] = n;
++      if (sreg->number >= 0)
++	isa->sysreg_table[is_user][sreg->number] = n;
+     }
+ 
+   /* Set up the interface lookup table.  */
+-- 
+2.1.4
+
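Review bot: this file carries the same blob id (30103ee05eca) as the 2.27 copy, down to the inner hunk header `@@ -292,7 +292,8 @@` and the inner index line `8da75bea8109..8c6ee88fdeae`, which suggests it was copied rather than regenerated against the 2.28.1 tree. Please confirm it applies to 2.28.1's bfd/xtensa-isa.c without offset or fuzz; if the context has moved, refresh the patch for this version so the stored hunk header matches what is actually being patched.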
diff --git a/package/binutils/2.29/0008-xtensa-fix-memory-corruption-by-broken-sysregs.patch b/package/binutils/2.29/0008-xtensa-fix-memory-corruption-by-broken-sysregs.patch
new file mode 100644
index 000000000000..30103ee05eca
--- /dev/null
+++ b/package/binutils/2.29/0008-xtensa-fix-memory-corruption-by-broken-sysregs.patch
@@ -0,0 +1,42 @@ 
+From 3c8788dbb70b40e737d4b8e30cab81406e5c5091 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Aug 2017 00:36:05 -0700
+Subject: [PATCH] xtensa: fix memory corruption by broken sysregs
+
+In some xtensa configurations there may be system/user registers in
+xtensa-modules with negative index. ISA initialization for such config
+may clobber heap and result in program termination.
+Don't update lookup table entries for register with negative indices.
+They are not directly accessible via RSR/WSR/XSR or RUR/WUR, so this
+change should not affect processing of valid assembly/binary code.
+
+bfd/
+2017-08-02  Max Filippov  <jcmvbkbc@gmail.com>
+
+	* xtensa-isa.c (xtensa_isa_init): Don't update lookup table
+	entries for sysregs with negative indices.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+---
+Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a
+
+ bfd/xtensa-isa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xtensa-isa.c b/bfd/xtensa-isa.c
+index 8da75bea8109..8c6ee88fdeae 100644
+--- a/bfd/xtensa-isa.c
++++ b/bfd/xtensa-isa.c
+@@ -292,7 +292,8 @@ xtensa_isa_init (xtensa_isa_status *errno_p, char **error_msg_p)
+       xtensa_sysreg_internal *sreg = &isa->sysregs[n];
+       is_user = sreg->is_user;
+ 
+-      isa->sysreg_table[is_user][sreg->number] = n;
++      if (sreg->number >= 0)
++	isa->sysreg_table[is_user][sreg->number] = n;
+     }
+ 
+   /* Set up the interface lookup table.  */
+-- 
+2.1.4
+
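Review bot: the provenance line `Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a` gives a bare hash with no repository or upstream release named. For the 2.29 directory in particular, stating where that commit lives and which release first contains it would tell whoever does the next version bump when this file can be dropped. Separately, registers with a negative number are now skipped silently; since the commit text attributes them to a broken configuration, it would help to say whether a diagnostic was considered and why it was left out.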