diff options
author | Armin Kuster <akuster808@gmail.com> | 2017-11-26 12:08:36 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-12-11 22:02:58 +0000 |
commit | 6da272440da118f656f432a800491e0ef3b46466 (patch) | |
tree | 0721b3b5b892d97d6342d95dc9594242ae584858 | |
parent | 34a2b675f4c95c8112cb60cc2c88ca247e03d083 (diff) | |
download | poky-6da272440da118f656f432a800491e0ef3b46466.tar.gz |
binutils: Security fix CVE-2017-8393
Affects: <= 2.28
(From OE-Core rev: e96c9ab000c8693788b7a233bd7061d43cbe24d7)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/binutils/binutils-2.28.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch | 205 |
2 files changed, 206 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 6ae091c289..53299fa013 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc | |||
@@ -45,6 +45,7 @@ SRC_URI = "\ | |||
45 | file://CVE-2017-7210.patch \ | 45 | file://CVE-2017-7210.patch \ |
46 | file://CVE-2017-7223.patch \ | 46 | file://CVE-2017-7223.patch \ |
47 | file://CVE-2017-7614.patch \ | 47 | file://CVE-2017-7614.patch \ |
48 | file://CVE-2017-8393.patch \ | ||
48 | " | 49 | " |
49 | S = "${WORKDIR}/git" | 50 | S = "${WORKDIR}/git" |
50 | 51 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch new file mode 100644 index 0000000000..8500a03b13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-8393.patch | |||
@@ -0,0 +1,205 @@ | |||
1 | From bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Sun, 23 Apr 2017 11:03:34 +0930 | ||
4 | Subject: [PATCH] PR 21412, get_reloc_section assumes .rel/.rela name for | ||
5 | SHT_REL/RELA. | ||
6 | |||
7 | This patch fixes an assumption made by code that runs for objcopy and | ||
8 | strip, that SHT_REL/SHR_RELA sections are always named starting with a | ||
9 | .rel/.rela prefix. I'm also modifying the interface for | ||
10 | elf_backend_get_reloc_section, so any backend function just needs to | ||
11 | handle name mapping. | ||
12 | |||
13 | PR 21412 | ||
14 | * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change | ||
15 | parameters and comment. | ||
16 | (_bfd_elf_get_reloc_section): Delete. | ||
17 | (_bfd_elf_plt_get_reloc_section): Declare. | ||
18 | * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): | ||
19 | New functions. Don't blindly skip over assumed .rel/.rela prefix. | ||
20 | Extracted from.. | ||
21 | (_bfd_elf_get_reloc_section): ..here. Delete. | ||
22 | (assign_section_numbers): Call elf_get_reloc_section. | ||
23 | * elf64-ppc.c (elf_backend_get_reloc_section): Define. | ||
24 | * elfxx-target.h (elf_backend_get_reloc_section): Update. | ||
25 | |||
26 | Upstream-Status: Backport | ||
27 | CVE: CVE-2017-8393 | ||
28 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
29 | |||
30 | --- | ||
31 | bfd/ChangeLog | 15 ++++++++++++++ | ||
32 | bfd/elf-bfd.h | 8 ++++--- | ||
33 | bfd/elf.c | 61 +++++++++++++++++++++++++++++++----------------------- | ||
34 | bfd/elf64-ppc.c | 1 + | ||
35 | bfd/elfxx-target.h | 2 +- | ||
36 | 5 files changed, 57 insertions(+), 30 deletions(-) | ||
37 | |||
38 | Index: git/bfd/elf-bfd.h | ||
39 | =================================================================== | ||
40 | --- git.orig/bfd/elf-bfd.h | ||
41 | +++ git/bfd/elf-bfd.h | ||
42 | @@ -1322,8 +1322,10 @@ struct elf_backend_data | ||
43 | bfd_size_type (*maybe_function_sym) (const asymbol *sym, asection *sec, | ||
44 | bfd_vma *code_off); | ||
45 | |||
46 | - /* Return the section which RELOC_SEC applies to. */ | ||
47 | - asection *(*get_reloc_section) (asection *reloc_sec); | ||
48 | + /* Given NAME, the name of a relocation section stripped of its | ||
49 | + .rel/.rela prefix, return the section in ABFD to which the | ||
50 | + relocations apply. */ | ||
51 | + asection *(*get_reloc_section) (bfd *abfd, const char *name); | ||
52 | |||
53 | /* Called to set the sh_flags, sh_link and sh_info fields of OSECTION which | ||
54 | has a type >= SHT_LOOS. Returns TRUE if the fields were initialised, | ||
55 | @@ -2392,7 +2394,7 @@ extern bfd_boolean _bfd_elf_is_function_ | ||
56 | extern bfd_size_type _bfd_elf_maybe_function_sym (const asymbol *, asection *, | ||
57 | bfd_vma *); | ||
58 | |||
59 | -extern asection *_bfd_elf_get_reloc_section (asection *); | ||
60 | +extern asection *_bfd_elf_plt_get_reloc_section (bfd *, const char *); | ||
61 | |||
62 | extern int bfd_elf_get_default_section_type (flagword); | ||
63 | |||
64 | Index: git/bfd/elf.c | ||
65 | =================================================================== | ||
66 | --- git.orig/bfd/elf.c | ||
67 | +++ git/bfd/elf.c | ||
68 | @@ -3532,17 +3532,39 @@ bfd_elf_set_group_contents (bfd *abfd, a | ||
69 | H_PUT_32 (abfd, sec->flags & SEC_LINK_ONCE ? GRP_COMDAT : 0, loc); | ||
70 | } | ||
71 | |||
72 | -/* Return the section which RELOC_SEC applies to. */ | ||
73 | +/* Given NAME, the name of a relocation section stripped of its | ||
74 | + .rel/.rela prefix, return the section in ABFD to which the | ||
75 | + relocations apply. */ | ||
76 | |||
77 | asection * | ||
78 | -_bfd_elf_get_reloc_section (asection *reloc_sec) | ||
79 | +_bfd_elf_plt_get_reloc_section (bfd *abfd, const char *name) | ||
80 | +{ | ||
81 | + /* If a target needs .got.plt section, relocations in rela.plt/rel.plt | ||
82 | + section likely apply to .got.plt or .got section. */ | ||
83 | + if (get_elf_backend_data (abfd)->want_got_plt | ||
84 | + && strcmp (name, ".plt") == 0) | ||
85 | + { | ||
86 | + asection *sec; | ||
87 | + | ||
88 | + name = ".got.plt"; | ||
89 | + sec = bfd_get_section_by_name (abfd, name); | ||
90 | + if (sec != NULL) | ||
91 | + return sec; | ||
92 | + name = ".got"; | ||
93 | + } | ||
94 | + | ||
95 | + return bfd_get_section_by_name (abfd, name); | ||
96 | +} | ||
97 | + | ||
98 | +/* Return the section to which RELOC_SEC applies. */ | ||
99 | + | ||
100 | +static asection * | ||
101 | +elf_get_reloc_section (asection *reloc_sec) | ||
102 | { | ||
103 | const char *name; | ||
104 | unsigned int type; | ||
105 | bfd *abfd; | ||
106 | - | ||
107 | - if (reloc_sec == NULL) | ||
108 | - return NULL; | ||
109 | + const struct elf_backend_data *bed; | ||
110 | |||
111 | type = elf_section_data (reloc_sec)->this_hdr.sh_type; | ||
112 | if (type != SHT_REL && type != SHT_RELA) | ||
113 | @@ -3550,28 +3572,15 @@ _bfd_elf_get_reloc_section (asection *re | ||
114 | |||
115 | /* We look up the section the relocs apply to by name. */ | ||
116 | name = reloc_sec->name; | ||
117 | - if (type == SHT_REL) | ||
118 | - name += 4; | ||
119 | - else | ||
120 | - name += 5; | ||
121 | + if (strncmp (name, ".rel", 4) != 0) | ||
122 | + return NULL; | ||
123 | + name += 4; | ||
124 | + if (type == SHT_RELA && *name++ != 'a') | ||
125 | + return NULL; | ||
126 | |||
127 | - /* If a target needs .got.plt section, relocations in rela.plt/rel.plt | ||
128 | - section apply to .got.plt section. */ | ||
129 | abfd = reloc_sec->owner; | ||
130 | - if (get_elf_backend_data (abfd)->want_got_plt | ||
131 | - && strcmp (name, ".plt") == 0) | ||
132 | - { | ||
133 | - /* .got.plt is a linker created input section. It may be mapped | ||
134 | - to some other output section. Try two likely sections. */ | ||
135 | - name = ".got.plt"; | ||
136 | - reloc_sec = bfd_get_section_by_name (abfd, name); | ||
137 | - if (reloc_sec != NULL) | ||
138 | - return reloc_sec; | ||
139 | - name = ".got"; | ||
140 | - } | ||
141 | - | ||
142 | - reloc_sec = bfd_get_section_by_name (abfd, name); | ||
143 | - return reloc_sec; | ||
144 | + bed = get_elf_backend_data (abfd); | ||
145 | + return bed->get_reloc_section (abfd, name); | ||
146 | } | ||
147 | |||
148 | /* Assign all ELF section numbers. The dummy first section is handled here | ||
149 | @@ -3833,7 +3842,7 @@ assign_section_numbers (bfd *abfd, struc | ||
150 | if (s != NULL) | ||
151 | d->this_hdr.sh_link = elf_section_data (s)->this_idx; | ||
152 | |||
153 | - s = get_elf_backend_data (abfd)->get_reloc_section (sec); | ||
154 | + s = elf_get_reloc_section (sec); | ||
155 | if (s != NULL) | ||
156 | { | ||
157 | d->this_hdr.sh_info = elf_section_data (s)->this_idx; | ||
158 | Index: git/bfd/elf64-ppc.c | ||
159 | =================================================================== | ||
160 | --- git.orig/bfd/elf64-ppc.c | ||
161 | +++ git/bfd/elf64-ppc.c | ||
162 | @@ -121,6 +121,7 @@ static bfd_vma opd_entry_value | ||
163 | #define elf_backend_special_sections ppc64_elf_special_sections | ||
164 | #define elf_backend_merge_symbol_attribute ppc64_elf_merge_symbol_attribute | ||
165 | #define elf_backend_merge_symbol ppc64_elf_merge_symbol | ||
166 | +#define elf_backend_get_reloc_section bfd_get_section_by_name | ||
167 | |||
168 | /* The name of the dynamic interpreter. This is put in the .interp | ||
169 | section. */ | ||
170 | Index: git/bfd/elfxx-target.h | ||
171 | =================================================================== | ||
172 | --- git.orig/bfd/elfxx-target.h | ||
173 | +++ git/bfd/elfxx-target.h | ||
174 | @@ -706,7 +706,7 @@ | ||
175 | #endif | ||
176 | |||
177 | #ifndef elf_backend_get_reloc_section | ||
178 | -#define elf_backend_get_reloc_section _bfd_elf_get_reloc_section | ||
179 | +#define elf_backend_get_reloc_section _bfd_elf_plt_get_reloc_section | ||
180 | #endif | ||
181 | |||
182 | #ifndef elf_backend_copy_special_section_fields | ||
183 | Index: git/bfd/ChangeLog | ||
184 | =================================================================== | ||
185 | --- git.orig/bfd/ChangeLog | ||
186 | +++ git/bfd/ChangeLog | ||
187 | @@ -1,3 +1,18 @@ | ||
188 | +2017-04-23 Alan Modra <amodra@gmail.com> | ||
189 | + | ||
190 | + PR 21412 | ||
191 | + * elf-bfd.h (struct elf_backend_data <get_reloc_section>): Change | ||
192 | + parameters and comment. | ||
193 | + (_bfd_elf_get_reloc_section): Delete. | ||
194 | + (_bfd_elf_plt_get_reloc_section): Declare. | ||
195 | + * elf.c (_bfd_elf_plt_get_reloc_section, elf_get_reloc_section): | ||
196 | + New functions. Don't blindly skip over assumed .rel/.rela prefix. | ||
197 | + Extracted from.. | ||
198 | + (_bfd_elf_get_reloc_section): ..here. Delete. | ||
199 | + (assign_section_numbers): Call elf_get_reloc_section. | ||
200 | + * elf64-ppc.c (elf_backend_get_reloc_section): Define. | ||
201 | + * elfxx-target.h (elf_backend_get_reloc_section): Update. | ||
202 | + | ||
203 | 2017-04-04 Nick Clifton <nickc@redhat.com> | ||
204 | |||
205 | PR binutils/21342 | ||