bugxml:

Now we can use <pre></pre> to preserve lines where
appropriate.

modified:   bugrecord.py
modified:   readbugs.py

New vulnerabilities added.
modified:   data.txt

bugxml/bugrecord.py

@@ -28,23 +28,53 @@
 
 import sys
 
-def xmlize(s):
-  out = []
-  for c in s:
+# Do to a single text line.
+def xmlize(linea):
+  outi =  []
+  l = linea
+  if l.find("<pre>") != -1:
+     s2 = l + '\n'
+     return s2
+  if l.find("</pre>") != -1:
+     s2 = l + '\n'
+     return s2
+  for c in l:
     if c == '<':
-       out += ["&lt;"]
+       outi += ["&lt;"]
     elif c == '>':
-       out += ["&gt;"]
+       outi += ["&gt;"]
     elif c == "&":
-       out += ["&amp;"]
+       outi += ["&amp;"]
     elif c == "'":
-       out += ["&apos;"]
+       outi += ["&apos;"]
     elif c == '"':
-       out += ["&quot;"]
+       outi += ["&quot;"]
     else:
-       out += [c]
-  s2 = ''.join(out)
-  return s2;
+       outi += [c]
+  outi += ["\n"]
+  s2 = ''.join(outi)
+  return s2
+
+def paraline(name,linea):
+  out = ''
+  if len(linea) <1:
+    out = "<p>" + name + ":"+ "</p>"
+    return out
+  out = "<p>" + name + ": "
+  out +=linea 
+  out += "</p>"
+  return out;
+
+def paralines(name,lines):
+  if len(lines) <1:
+    out = "<p>" + name + ":"+ "</p>"
+    return out
+  out = "<p>" + name + ": "
+  for lin in lines:
+     f = xmlize(lin)
+     out += f
+  out += "</p>"
+  return out;
 
 def para(name,str):
   if str ==  None:
@@ -147,98 +177,110 @@ class bugrecord:
     print "tarrelease:",self._tarrelease
 
   def generate_html(self):
-    t = ''.join(['<h3 id="',self._id,'">',self._id,'</h3>'])
+    s5= ''.join(self._id)
+    t = ''.join(['<h3 id="',s5,'">',self._id,'</h3>'])
     txt = [t]
 
-    t = para("id",xmlize(self._id))
+    t = paraline("id",xmlize(self._id))
     txt += [t]
-    t = para("cve",xmlize(self._cve))
+    t = paraline("cve",xmlize(self._cve))
     txt += [t]
-    t = para("datereported",xmlize(self._datereported))
+    t = paraline("datereported",xmlize(self._datereported))
     txt += [t]
-    t = para("reportedby",xmlize(self._reportedby))
+    t = paraline("reportedby",xmlize(self._reportedby))
     txt += [t]
  
-    v = ''.join(self._vulnerability)    
-    t = para("vulnerability",v)
+    #MULTI
+    t = paralines("vulnerability",self._vulnerability)
     txt += [t]
 
 
-    t = para("product",xmlize(self._product))
+    t = paraline("product",xmlize(self._product))
     txt += [t]
     
-    t = para("product",xmlize(self._product))
-
-
-    p = ''.join(self._description)    
-    t = para("description",p)
+    #MULTI
+    t = paralines("description",self._description)
     txt += [t]
 
-    t = para("datefixed",xmlize(self._datefixed))
+    t = paraline("datefixed",xmlize(self._datefixed))
     txt += [t]
 
-    p = ''.join(self._references)    
-    t = para("references",p)
+    #MULTI
+    t = paralines("references",self._references)
     txt += [t]
 
-    #* references 
-    t = para("gitfixid",xmlize(self._gitfixid))
+    t = paraline("gitfixid",xmlize(self._gitfixid))
     txt += [t]
-    t = para("tarrelease",xmlize(self._tarrelease))
+    t = paraline("tarrelease",xmlize(self._tarrelease))
     txt += [t]
 
     t = '<p> <a href="#top">[top]</a> </p>'
     txt += [t]
     return txt
 
+  def paraxml(self,start,main,term):
+    # For single line xml remove the newline from the main text line.
+    out = start
+    l=main.strip()
+    if len(l) > 0:
+      out += l 
+    out += term + "\n" 
+    return out
+  def paraxmlN(self,start,main,term):
+    # For multi line xml leave newlines present.
+    out = start
+    for x in main:
+      l=x.strip()
+      t = xmlize(l);
+      if len(t.strip()) > 0:
+        out += t
+    out += term + "\n"
+    return out
+
+
   def generate_xml(self):
     txt=[]
     t = '<dwbug>'
     txt += [t]
-    t = ''.join(['<dwid>',xmlize(self._id),'</dwid>'])
+     
+    t = self.paraxml('<dwid>',xmlize(self._id),'</dwid>')
     txt += [t]
-    t = ''.join(['<cve>',xmlize(self._cve),'</cve>'])
+    t = self.paraxml('<cve>',xmlize(self._cve),'</cve>')
     txt += [t]
-    t = ''.join(['<datereported>',xmlize(self._datereported),'</datereported>'])
-    txt += [t];
-    t = ''.join(['<reportedby>',xmlize(self._reportedby),'</reportedby>'])
-    txt += [t];
-    #* vulnerability */
 
-
-
-    t = ''.join(['<product>',xmlize(self._product),'</product>'])
+    t = self.paraxml('<datereported>',xmlize(self._datereported),'</datereported>')
     txt += [t];
 
-    if len(self._vulnerability) > 0:
-      p = ''.join(self._vulnerability)    
-    else:
-      p = ""
-    t = ''.join(["<vulnerability>",xmlize(p),"</vulnerability>"])
+    t = self.paraxml('<reportedby>',xmlize(self._reportedby),'</reportedby>')
+    txt += [t];
+
+    t = self.paraxml('<product>',xmlize(self._product),'</product>')
+    txt += [t];
+
+    
+    #MULTI
+    p = self._vulnerability
+    t = self.paraxmlN("<vulnerability>",p,"</vulnerability>")
     txt += [t]
 
 
-    if len(self._description) > 0:
-      p = ''.join(self._description)    
-    else:
-      p=""
-    t = ''.join(["<description>",xmlize(p),"</description>"])
+    #MULTI
+    p = self._description
+    t = self.paraxmlN("<description>",p,"</description>")
     txt += [t]
 
 
-    t = ''.join(['<datefixed>',xmlize(self._datefixed),'</datefixed>'])
+    t = self.paraxml('<datefixed>',xmlize(self._datefixed),'</datefixed>')
     txt += [t];
 
-    if len(self._references) > 0:
-      p = ''.join(self._references)    
-    else:
-      p = ""
-    t = ''.join(["<references>",xmlize(p),"</references>"])
+    #MULTI
+    p = self._references    
+    t = self.paraxmlN("<references>",p,"</references>")
     txt += [t]
 
-    t = ''.join(['<gitfixid>',xmlize(self._gitfixid),'</gitfixid>'])
+    t = self.paraxml('<gitfixid>',xmlize(self._gitfixid),'</gitfixid>')
     txt += [t];
-    t = ''.join(['<tarrelease>',xmlize(self._tarrelease),'</tarrelease>'])
+    t = self.paraxml('<tarrelease>',xmlize(self._tarrelease),'</tarrelease>')
     txt += [t];
 
     t = '</dwbug>'

bugxml/data.txt

@@ -1,4 +1,107 @@
 
+id: DW201605-015
+cve:
+datereported: 20160517
+reportedby: Yue Liu
+vulnerability: OOB read bug in print_frame_inst_bytes()
+product: libdwarf
+description: Test object shows
+ an invalid read in  print_frame_inst_bytes().
+ <pre>
+ 1294         for (; len > 0;) {
+ 1295             unsigned char ibyte = *instp;           <- $pc
+ 1296             int top = ibyte & 0xc0;
+
+ #0  print_frame_inst_bytes (dbg=dbg@entry=0x654c80, 
+    cie_init_inst=<optimized out>, len=503715, data_alignment_factor=-4, 
+    code_alignment_factor=1, addr_size=addr_size@entry=4, offset_size=4, 
+    version=3, config_data=config_data@entry=0x63bda0 
+    <g_config_file_data>) at print_frames.c:1295
+ #1  0x000000000041b64c in print_one_cie (dbg=dbg@entry=0x654c80, 
+    cie=<optimized out>, cie_index=cie_index@entry=1, 
+    address_size=<optimized out>, config_data=
+    config_data@entry=0x63bda0 <g_config_file_data>) at print_frames.c:1161
+ #2  0x000000000041ce92 in print_frames (dbg=0x654c80, 
+    print_debug_frame=print_debug_frame@entry=1, print_eh_frame=0, 
+    config_data=config_data@entry=0x63bda0 <g_config_file_data>) 
+    at print_frames.c:2209
+
+ gef> x/10x $r13
+ 0x5e7981:       Cannot access memory at address 0x5e7981
+ gef> p/x $r13
+ $14 = 0x5e7981
+ </pre>
+ 
+
+datefixed:
+references:
+testcase: regressiontests/liu/OOB0517_03.elf
+gitfixid:
+tarrelease:
+endrec:
+
+
+
+
+id: DW201605-014
+cve:
+datereported: 20160517
+reportedby: Yue Liu
+vulnerability: OOB read bug in dwarf_get_xu_hash_entry()
+product: libdwarf
+description: Test object shows
+ an invalid read in dwarf_get _xu_hash_entry, lin 211.
+ <pre>
+ #0  dwarf_get_xu_hash_entry (xuhdr=xuhdr@entry=0x657360, 
+    index=index@entry=2897626028, hash_value=
+    hash_value@entry=0x7fffffffd5b0, 
+    index_to_sections=index_to_sections@entry=0x7fffffffd5a8, 
+    err=err@entry=0x7fffffffdb08) at dwarf_xu_index.c:211
+ #1  0x00002aaaaacfd05e in _dwarf_search_fission_for_key (
+    dbg=0x654a50, error=0x7fffffffdb08, percu_index_out=<synthetic pointer>,
+    key_in=0x7fffffffd670, xuhdr=0x657360) at dwarf_xu_index.c:363
+ #2  dwarf_get_debugfission_for_key (dbg=dbg@entry=0x654a50, 
+    key=key@entry=0x7fffffffd670, key_type=key_type@entry=0x2aaaaad15e2a 
+    "tu", percu_out=percu_out@entry=0x65a830, 
+    error=error@entry=0x7fffffffdb08) at dwarf_xu_index.c:577
+ </pre>
+datefixed:
+references:
+testcase: regressiontests/liu/OOB0517_02.elf
+gitfixid:
+tarrelease:
+endrec:
+
+
+
+
+id: DW201605-013
+cve:
+datereported: 20160517
+reportedby: Yue Liu
+vulnerability: OOB read bug in print_exprloc_content
+product: libdwarf
+description: Test object shows
+ an invalid write in print_exprloc_content.
+ <pre>
+ #0  print_exprloc_content (dbg=dbg@entry=0x654ea0, 
+    die=die@entry=0x65b110, attrib=attrib@entry=0x65b590, 
+    esbp=esbp@entry=0x7fffffffcef0, showhextoo=1) at print_die.c:4182
+ #1  0x0000000000412fb1 in get_attr_value (dbg=dbg@entry=0x654ea0, 
+    tag=<optimized out>, die=die@entry=0x65b110, 
+    dieprint_cu_goffset=dieprint_cu_goffset@entry=11, 
+    attrib=attrib@entry=0x65b590, srcfiles=srcfiles@entry=0x0, 
+    cnt=cnt@entry=0, esbp=esbp@entry=0x7fffffffcef0, show_form=0, 
+    local_verbose=0) at print_die.c:4972
+ </pre>
+datefixed: 
+references:
+testcase: regressiontests/liu/OOB0517_01.elf
+gitfixid: 
+tarrelease:
+endrec:
+
+
 id: DW201605-012
 cve:
 datereported: 20160513
@@ -155,8 +258,10 @@ vulnerability: A specially crafted DWARF section
 product:  libdwarf
 description:
  In file dwarf_elf_access.c:1071
+ <pre>
  WRITE_UNALIGNED(dbg,target_section + offset,
      &outval,sizeof(outval),reloc_size);
+ </pre>
  A crafted ELF file may lead to a large offset value, which
  bigger than the size of target_section heap chunk, then this
  WRITE_UNALIGNED() function will write the value of &outval
@@ -190,7 +295,7 @@ description:
 
  dwarf_dealloc() did not check the Dwarf_Ptr space argument
  before using it. This will lead to a out-of-bound read bug.
-
+ <pre>
  backtrace:
  #0  dwarf_dealloc (dbg=dbg@entry=0x655f30, space=0xa0,
  alloc_type=alloc_type@entry=1) at dwarf_alloc.c:477
@@ -202,7 +307,7 @@ description:
 
  gef> p &r->rd_dbg
  $14 = (void **) 0x90
-
+ </pre>
 datefixed: 20160504
 references:
 testcase:

bugxml/readbugs.py

@@ -85,18 +85,19 @@ def readbugs(iname):
     if ignore_this_line(rec,inrecord) == "y":
       continue
     rec = rec.rstrip()
-    low = rec.find(":")
-    if low == -1 :
-      if inrecord == "n":
-        if len(rec) == 0:
-          continue
+    if inrecord == "n":
+      if len(rec) == 0:
+        continue
+      if  rec.find(":") == -1:
         print "bogus non-blank line at line ",linecount
         sys.exit(1)
-      if intext == '':
-        print "bogus non-blank line. At line ",linecount
-        sys.exit(1)
-      text += [rec]
-      continue
+    if inrecord == "y" and len(rec) > 0:
+      # A multi line entry may have ":" in it.
+      if intext != "" and rec[0] == ' ':
+        s3 = ''.join(rec)
+        text += [s3]
+        continue
+    low = rec.find(":")
     fldname = rec[0:low+1]
     fldval = rec[low+1:]
     if fldname == "id:": 
@@ -109,63 +110,74 @@ def readbugs(iname):
         print "Duplicate Key:",f,"Giving up." 
         sys.exit(1)
       usedid[f] = 1
-      bugrec = bugrecord.bugrecord(f)
+      s4= ''.join(fldval)
+      bugrec = bugrecord.bugrecord(s4)
     elif fldname == "cve:":
       closeouttext(bugrec,intext,text,linecount),
       intext = ""
       text = []
-      bugrec.setcve(fldval)
+      s4= ''.join(fldval)
+      bugrec.setcve(s4)
     elif fldname == "datereported:":
       closeouttext(bugrec,intext,text,linecount),
       intext = ""
       text = []
-      bugrec.setdatereported(fldval)
+      s4= ''.join(fldval)
+      bugrec.setdatereported(s4)
     elif fldname == "reportedby:":
       closeouttext(bugrec,intext,text,linecount),
       intext = ""
       text = []
-      bugrec.setreportedby(fldval)
+      s4= ''.join(fldval)
+      bugrec.setreportedby(s4)
     elif fldname == "vulnerability:":
       closeouttext(bugrec,intext,text,linecount),
       intext = 'v'
       text = []
       if len(fldval) > 0:
-        text = [fldval]
+        s4= ''.join(fldval)
+        text = [s4]
 
     elif fldname == "product:":
       closeouttext(bugrec,intext,text,linecount),
       intext = ""
       text = []
-      bugrec.setproduct(fldval)
+      s4= ''.join(fldval)
+      bugrec.setproduct(s4)
     elif fldname == "description:":
       closeouttext(bugrec,intext,text,linecount),
       text = []
       intext = 'd'
       if len(fldval) > 0:
-        text = [fldval]
+        s4= ''.join(fldval)
+        text = [s4]
 
     elif fldname == "datefixed:":
       closeouttext(bugrec,intext,text,linecount),
       text = []
       intext = ""
-      bugrec.setdatefixed(fldval)
+      s4= ''.join(fldval)
+      bugrec.setdatefixed(s4)
     elif fldname == "references:":
       closeouttext(bugrec,intext,text,linecount),
       text = []
       intext = 'r'
       if len(fldval) > 0:
-        text = [fldval]
+        s4= ''.join(fldval)
+        text = [s4]
 
     elif fldname == "gitfixid:":
       closeouttext(bugrec,intext,text,linecount),
       text = []
       intext = ""
-      bugrec.setgitfixid(fldval)
+      s4= ''.join(fldval)
+      bugrec.setgitfixid(s4)
     elif fldname == "tarrelease:":
       closeouttext(bugrec,intext,text,linecount),
       text = []
       intext = ""
-      bugrec.settarrelease(fldval)
+      s4= ''.join(fldval)
+      bugrec.settarrelease(s4)
     elif fldname == "endrec:":
       closeouttext(bugrec,intext,text,linecount),
       text = []
@@ -176,6 +188,7 @@ def readbugs(iname):
       inrecord = "n"
       text = []
       intext = ""
+      inrecord = "n"
   file.close()
   return buglist