summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYuanjie Huang <yuanjie.huang@windriver.com>2017-05-24 09:55:17 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-06-05 22:30:21 (GMT)
commit829e2027b6c7f4f2d6fa03e158bfe371b7848919 (patch)
tree38aad6ecf17dcfcaca7bd92a7283710682eb0104
parentc2c48f26455fda4baa98a8685e990aed9368813b (diff)
downloadpoky-829e2027b6c7f4f2d6fa03e158bfe371b7848919.tar.gz
binutils: fix CVE-2017-6969 in readelf
CVE: CVE-2017-6969 [BZ 21156] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21156 PR binutils/21156: Fix illegal memory accesses in readelf when ing a corrupt binary. PR binutils/21156: Fix another memory access error in readelf when parsing a corrupt binary. (From OE-Core rev: de04c9811f7ce5179ba261bd8eae921d7873d6cd) (From OE-Core rev: ae0e01474623969dc193687d59fb5a65ab4d42bc) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.28.inc2
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch57
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch122
3 files changed, 181 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 5492505..75eca32 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -39,6 +39,8 @@ SRC_URI = "\
39 file://CVE-2017-6966.patch \ 39 file://CVE-2017-6966.patch \
40 file://0017-bfd-Improve-lookup-of-file-line-information-for-erro.patch \ 40 file://0017-bfd-Improve-lookup-of-file-line-information-for-erro.patch \
41 file://0018-PR-21409-segfault-in-_bfd_dwarf2_find_nearest_line.patch \ 41 file://0018-PR-21409-segfault-in-_bfd_dwarf2_find_nearest_line.patch \
42 file://CVE-2017-6969.patch \
43 file://CVE-2017-6969_2.patch \
42" 44"
43S = "${WORKDIR}/git" 45S = "${WORKDIR}/git"
44 46
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
new file mode 100644
index 0000000..ed54034
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch
@@ -0,0 +1,57 @@
1From 1d9a2696903fc59d6a936f4ab4e4407ef329d066 Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Fri, 17 Feb 2017 15:59:45 +0000
4Subject: Fix illegal memory accesses in readelf when parsing
5 a corrupt binary.
6
7 PR binutils/21156
8 * readelf.c (find_section_in_set): Test for invalid section
9 indicies.
10
11CVE: CVE-2017-6969
12Upstream-Status: Backport [master]
13
14Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
15---
16 binutils/ChangeLog | 6 ++++++
17 binutils/readelf.c | 10 ++++++++--
18 2 files changed, 14 insertions(+), 2 deletions(-)
19
20diff --git a/binutils/ChangeLog b/binutils/ChangeLog
21index bd63c8a0d8..1d840b42f9 100644
22--- a/binutils/ChangeLog
23+++ b/binutils/ChangeLog
24@@ -1,3 +1,9 @@
25+2017-02-17 Nick Clifton <nickc@redhat.com>
26+
27+ PR binutils/21156
28+ * readelf.c (find_section_in_set): Test for invalid section
29+ indicies.
30+
31 2017-02-13 Nick Clifton <nickc@redhat.com>
32
33 PR binutils/21139
34diff --git a/binutils/readelf.c b/binutils/readelf.c
35index 7c158c6342..4960491c5c 100644
36--- a/binutils/readelf.c
37+++ b/binutils/readelf.c
38@@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set)
39 if (set != NULL)
40 {
41 while ((i = *set++) > 0)
42- if (streq (SECTION_NAME (section_headers + i), name))
43- return section_headers + i;
44+ {
45+ /* See PR 21156 for a reproducer. */
46+ if (i >= elf_header.e_shnum)
47+ continue; /* FIXME: Should we issue an error message ? */
48+
49+ if (streq (SECTION_NAME (section_headers + i), name))
50+ return section_headers + i;
51+ }
52 }
53
54 return find_section (name);
55--
562.11.0
57
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
new file mode 100644
index 0000000..59a5dec
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch
@@ -0,0 +1,122 @@
1From ef81126314f67472a46db9581530fbf5ccb6b3f2 Mon Sep 17 00:00:00 2001
2From: Nick Clifton <nickc@redhat.com>
3Date: Mon, 20 Feb 2017 14:40:39 +0000
4Subject: Fix another memory access error in readelf when
5 parsing a corrupt binary.
6
7 PR binutils/21156
8 * dwarf.c (cu_tu_indexes_read): Move into...
9 (load_cu_tu_indexes): ... here. Change the variable into
10 tri-state. Change the function into boolean, returning
11 false if the indicies could not be loaded.
12 (find_cu_tu_set): Return NULL if the indicies could not be
13 loaded.
14
15CVE: CVE-2017-6969
16Upstream-Status: Backport [master]
17
18Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
19---
20 binutils/ChangeLog | 10 ++++++++++
21 binutils/dwarf.c | 34 ++++++++++++++++++++--------------
22 2 files changed, 30 insertions(+), 14 deletions(-)
23
24diff --git a/binutils/ChangeLog b/binutils/ChangeLog
25index 1d840b42f9..53352c1801 100644
26--- a/binutils/ChangeLog
27+++ b/binutils/ChangeLog
28@@ -1,3 +1,13 @@
29+2017-02-20 Nick Clifton <nickc@redhat.com>
30+
31+ PR binutils/21156
32+ * dwarf.c (cu_tu_indexes_read): Move into...
33+ (load_cu_tu_indexes): ... here. Change the variable into
34+ tri-state. Change the function into boolean, returning
35+ false if the indicies could not be loaded.
36+ (find_cu_tu_set): Return NULL if the indicies could not be
37+ loaded.
38+
39 2017-02-17 Nick Clifton <nickc@redhat.com>
40
41 PR binutils/21156
42diff --git a/binutils/dwarf.c b/binutils/dwarf.c
43index 0184a7ab2e..6d879c9b61 100644
44--- a/binutils/dwarf.c
45+++ b/binutils/dwarf.c
46@@ -76,7 +76,6 @@ int dwarf_check = 0;
47 as a zero-terminated list of section indexes comprising one set of debug
48 sections from a .dwo file. */
49
50-static int cu_tu_indexes_read = 0;
51 static unsigned int *shndx_pool = NULL;
52 static unsigned int shndx_pool_size = 0;
53 static unsigned int shndx_pool_used = 0;
54@@ -99,7 +98,7 @@ static int tu_count = 0;
55 static struct cu_tu_set *cu_sets = NULL;
56 static struct cu_tu_set *tu_sets = NULL;
57
58-static void load_cu_tu_indexes (void *file);
59+static bfd_boolean load_cu_tu_indexes (void *);
60
61 /* Values for do_debug_lines. */
62 #define FLAG_DEBUG_LINES_RAW 1
63@@ -2715,7 +2714,7 @@ load_debug_info (void * file)
64 return num_debug_info_entries;
65
66 /* If this is a DWARF package file, load the CU and TU indexes. */
67- load_cu_tu_indexes (file);
68+ (void) load_cu_tu_indexes (file);
69
70 if (load_debug_section (info, file)
71 && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0))
72@@ -7378,21 +7377,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display)
73 section sets that we can use to associate a .debug_info.dwo section
74 with its associated .debug_abbrev.dwo section in a .dwp file. */
75
76-static void
77+static bfd_boolean
78 load_cu_tu_indexes (void *file)
79 {
80+ static int cu_tu_indexes_read = -1; /* Tri-state variable. */
81+
82 /* If we have already loaded (or tried to load) the CU and TU indexes
83 then do not bother to repeat the task. */
84- if (cu_tu_indexes_read)
85- return;
86-
87- if (load_debug_section (dwp_cu_index, file))
88- process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0);
89-
90- if (load_debug_section (dwp_tu_index, file))
91- process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0);
92+ if (cu_tu_indexes_read == -1)
93+ {
94+ cu_tu_indexes_read = TRUE;
95+
96+ if (load_debug_section (dwp_cu_index, file))
97+ if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0))
98+ cu_tu_indexes_read = FALSE;
99+
100+ if (load_debug_section (dwp_tu_index, file))
101+ if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0))
102+ cu_tu_indexes_read = FALSE;
103+ }
104
105- cu_tu_indexes_read = 1;
106+ return (bfd_boolean) cu_tu_indexes_read;
107 }
108
109 /* Find the set of sections that includes section SHNDX. */
110@@ -7402,7 +7407,8 @@ find_cu_tu_set (void *file, unsigned int shndx)
111 {
112 unsigned int i;
113
114- load_cu_tu_indexes (file);
115+ if (! load_cu_tu_indexes (file))
116+ return NULL;
117
118 /* Find SHNDX in the shndx pool. */
119 for (i = 0; i < shndx_pool_used; i++)
120--
1212.11.0
122