authorAnuj Mittal <anuj.mittal@intel.com>2019-04-29 14:26:35 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-04-30 12:05:23 +0100
commit71a546aaf3a7da8487a90f20ac211dd31d852d85 (patch)
tree52ebc446fec77f9c41a94d8c9dcbfb0ab068776a
parent05d058e64597402fcb81d9789041a8ad4ca28c39 (diff)
binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077
(From OE-Core rev: 0e366eda53f6f440708531ed8cb2ac4941ca428f) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/binutils/binutils-2.32.inc4
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch68
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch119
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch49
-rw-r--r--meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch37
5 files changed, 277 insertions, 0 deletions
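diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 5d0c16b13e..49e6827c1f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -44,6 +44,10 @@ SRC_URI = "\
  file://0013-Detect-64-bit-MIPS-targets.patch \
  file://0014-sync-with-OE-libtool-changes.patch \
  file://0015-binutils-enable-x86_64-pep-for-producing-EFI-binarie.patch \
+ file://CVE-2019-9074.patch \
+ file://CVE-2019-9075.patch \
+ file://CVE-2019-9076.patch \
+ file://CVE-2019-9077.patch \
 "
 S = "${WORKDIR}/git"
 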
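diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
new file mode 100644
index 0000000000..a11a51200e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
@@ -0,0 +1,68 @@
+From e2ebb3906432dcca2727186ad79415f920730fb2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 19 Feb 2019 22:48:44 +1030
+Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
+
+ PR 24235
+ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+ attempting to prevent read past end of section.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/179f2db0d9c397d7dd8a59907b84208b79f7f48c]
+CVE: CVE-2019-9074
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/pei-x86_64.c | 9 ++++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index dd2c741..cbf30de 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2019-02-19 Alan Modra <amodra@gmail.com>
++
++ PR 24235
++ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
++ attempting to prevent read past end of section.
++
+ 2019-02-04 Nick Clifton <nickc@redhat.com>
+
+ * development.sh (experimental) Set to false.
+diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
+index ff1093c..7e75104 100644
+--- a/bfd/pei-x86_64.c
++++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ /* virt_size might be zero for objects. */
+ if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+ {
+- stop = (datasize / onaline) * onaline;
++ stop = datasize;
+ virt_size_is_zero = TRUE;
+ }
+ else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ pdata_section->name, (unsigned long) datasize,
+ (unsigned long) stop);
+- /* Be sure not to read passed datasize. */
+- stop = datasize / onaline;
++ /* Be sure not to read past datasize. */
++ stop = datasize;
+ }
+
+ /* Display functions table. */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ altent += imagebase;
+
+ if (altent >= pdata_vma
+- && (altent + PDATA_ROW_SIZE <= pdata_vma
+- + pei_section_data (abfd, pdata_section)->virt_size))
++ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ {
+ pex64_get_runtime_function
+ (abfd, &arf, &pdata[altent - pdata_vma]);
+--
+2.7.4
+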
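Review bot: With both assignments changed to `stop = datasize`, `stop` is no longer rounded down to a whole number of rows, so the loop that walks the function table (outside the visible hunks) has to reject a trailing partial row itself, for example with `if (i + PDATA_ROW_SIZE > stop) break;` before each read. That guard is not shown in this patch and should be confirmed in the backported tree. In the third hunk, `altent - pdata_vma + PDATA_ROW_SIZE <= stop` is only a valid bound while `stop` never exceeds the number of bytes actually held in `pdata`; a one-line comment at the test stating that invariant would help, such as `/* stop <= datasize, so the whole row lies inside pdata[].  */`. pex64_bfd_print_pdata_section starts and ends outside all three hunks.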
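diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
new file mode 100644
index 0000000000..bcb1310f16
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
@@ -0,0 +1,119 @@
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 08:21:24 +1030
+Subject: [PATCH] PR24236, Heap buffer overflow in
+ _bfd_archive_64_bit_slurp_armap
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/8abac8031ed369a2734b1cdb7df28a39a54b4b49]
+CVE: CVE-2019-9075
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 10 ++++++++++
+ bfd/archive.c | 17 +++++++----------
+ bfd/archive64.c | 10 +++++-----
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 72c87c7..e39bb12 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,13 @@
++2019-02-20 Alan Modra <amodra@gmail.com>
++
++ PR 24236
++ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
++ sentinel NUL to string buffer nearer to loop where it is used.
++ Don't go past sentinel when scanning strings, and don't write
++ NUL again.
++ * archive.c (do_slurp_coff_armap): Simplify string handling to
++ archive64.c style.
++
+ 2019-02-19 Alan Modra <amodra@gmail.com>
+
+ PR 24235
+diff --git a/bfd/archive.c b/bfd/archive.c
+index d2d9b72..68a92a3 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
+ int *raw_armap, *rawptr;
+ struct artdata *ardata = bfd_ardata (abfd);
+ char *stringbase;
++ char *stringend;
+ bfd_size_type stringsize;
+ bfd_size_type parsed_size;
+ carsym *carsyms;
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
+ }
+
+ /* OK, build the carsyms. */
+- for (i = 0; i < nsymz && stringsize > 0; i++)
++ stringend = stringbase + stringsize;
++ *stringend = 0;
++ for (i = 0; i < nsymz; i++)
+ {
+- bfd_size_type len;
+-
+ rawptr = raw_armap + i;
+ carsyms->file_offset = swap ((bfd_byte *) rawptr);
+ carsyms->name = stringbase;
+- /* PR 17512: file: 4a1d50c1. */
+- len = strnlen (stringbase, stringsize);
+- if (len < stringsize)
+- len ++;
+- stringbase += len;
+- stringsize -= len;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ carsyms++;
+ }
+- *stringbase = 0;
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+diff --git a/bfd/archive64.c b/bfd/archive64.c
+index 312bf82..42f6ed9 100644
+--- a/bfd/archive64.c
++++ b/bfd/archive64.c
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ return FALSE;
+ carsyms = ardata->symdefs;
+ stringbase = ((char *) ardata->symdefs) + carsym_size;
+- stringbase[stringsize] = 0;
+- stringend = stringbase + stringsize;
+
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+ if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ goto release_raw_armap;
+ }
+
++ stringend = stringbase + stringsize;
++ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
+ {
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+ carsyms->name = stringbase;
+- if (stringbase < stringend)
+- stringbase += strlen (stringbase) + 1;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ ++carsyms;
+ }
+- *stringbase = '\0';
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
+--
+2.7.4
+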
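Review bot: The new `*stringend = 0;` in both do_slurp_coff_armap and _bfd_archive_64_bit_slurp_armap stores one byte past the `stringsize` bytes of string data, so it is in bounds only if each buffer was allocated with at least `stringsize + 1` bytes. Neither allocation is visible in these hunks, so that should be checked in the backported tree. The loops now rely entirely on that sentinel, since the `strnlen` bound and the `stringsize > 0` guard in archive.c are removed, so I would document the requirement at the store, e.g. `/* Sentinel NUL: the buffer must have one byte beyond stringsize.  */`. Both function bodies start and end outside the hunks.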
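diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
new file mode 100644
index 0000000000..ec8cde2503
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
@@ -0,0 +1,49 @@
+From 9f841c583880eb6d0194455c1583a766f853e628 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 12:06:31 +1030
+Subject: [PATCH] PR24233, Out of memory
+
+ PR 24233
+ * objdump.c (dump_bfd_private_header): Print warning if
+ bfd_print_private_bfd_data returns false.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7d272a55caebfc26ab2e15d1e9439bac978b9bb7]
+CVE: CVE-2019-9076
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index f837c37..d5dd7cb 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2019-02-20 Alan Modra <amodra@gmail.com>
++
++ PR 24233
++ * objdump.c (dump_bfd_private_header): Print warning if
++ bfd_print_private_bfd_data returns false.
++
+ 2019-02-02 Nick Clifton <nickc@redhat.com>
+
+ * configure: Regenerate.
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 8725390..7d0c6a4 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+- bfd_print_private_bfd_data (abfd, stdout);
++ if (!bfd_print_private_bfd_data (abfd, stdout))
++ non_fatal (_("warning: private headers incomplete: %s"),
++ bfd_errmsg (bfd_get_error ()));
+ }
+
+ static void
+--
+2.7.4
+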
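Review bot: dump_bfd_private_header now reports a failed `bfd_print_private_bfd_data` through `non_fatal`, but the hunk does not touch objdump's exit status, so a script running it over untrusted files cannot tell a truncated header dump from a complete one. Consider recording the failure as well, e.g. bracing the body and adding `exit_status = 1;` after the warning, if that matches how the rest of objdump.c treats non-fatal errors. The visible change also only surfaces the failure: nothing in this hunk bounds the allocation that PR 24233 reports as "Out of memory", so resource limits remain advisable when these tools process untrusted inputs.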
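diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
new file mode 100644
index 0000000000..11ecb71b2e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
@@ -0,0 +1,37 @@
+From f7bbc8890de45df6eda0ddef5dd04f835f54eecf Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Feb 2019 17:03:47 +0000
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
+ option section using readelf.
+
+ PR 24243
+ * readelf.c (process_mips_specific): Check for an options section
+ that is too small to even contain a single option.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7fc0c668f2aceb8582d74db1ad2528e2bba8a921]
+CVE: CVE-2019-9077
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ binutils/readelf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 9df3742..18ab806 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -16179,6 +16179,12 @@ process_mips_specific (Filedata * filedata)
+ error (_("No MIPS_OPTIONS header found\n"));
+ return FALSE;
+ }
++ /* PR 24243 */
++ if (sect->sh_size < sizeof (* eopt))
++ {
++ error (_("The MIPS options section is too small.\n"));
++ return FALSE;
++ }
+
+ eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+ sect->sh_size, _("options"));
+--
+2.7.4
+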
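Review bot: The added `sect->sh_size < sizeof (* eopt)` test only guarantees room for the first option header. Each later entry read from the buffer still needs its own size and offset validated against `sect->sh_size`, and the loop that does that is outside this hunk, so it should be confirmed in the backported tree. The comment `/* PR 24243 */` also gives no reason for the check; I would expand it to `/* PR 24243: reject a section too small to hold even one Elf_External_Options.  */`. process_mips_specific begins and ends outside the hunk.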