diff options
author | Armin Kuster <akuster808@gmail.com> | 2014-12-26 08:51:53 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-01-06 14:13:37 +0000 |
commit | 69df8dc63f927adfd8cdb4ed022a071bb9b89acd (patch) | |
tree | 5a6ef1de8a22fb71a1de851b38d70a7e74d503ed | |
parent | 2658acef69a0665e4d77f1b08cafb032749d9ee6 (diff) | |
download | poky-69df8dc63f927adfd8cdb4ed022a071bb9b89acd.tar.gz |
binutils: several security fixes
CVE-2014-8484
CVE-2014-8485
CVE-2014-8501
CVE-2014-8502
CVE-2014-8503
CVE-2014-8504
CVE-2014-8737
and one supporting patch.
[Yocto # 7084]
(From OE-Core rev: 859fb4d9ec6974be9ce755e4ffefd9b199f3604c)
(From OE-Core rev: d2b2d8c9ce3ef16ab053bd19a5705b01402b76ba)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
9 files changed, 1148 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.24.inc b/meta/recipes-devtools/binutils/binutils-2.24.inc index 8f3216f2bf..63c928712e 100644 --- a/meta/recipes-devtools/binutils/binutils-2.24.inc +++ b/meta/recipes-devtools/binutils/binutils-2.24.inc | |||
@@ -32,6 +32,14 @@ SRC_URI = "\ | |||
32 | file://replace_macros_with_static_inline.patch \ | 32 | file://replace_macros_with_static_inline.patch \ |
33 | file://0001-Fix-MMIX-build-breakage-from-bfd_set_section_vma-cha.patch \ | 33 | file://0001-Fix-MMIX-build-breakage-from-bfd_set_section_vma-cha.patch \ |
34 | file://binutils-uninitialised-warning.patch \ | 34 | file://binutils-uninitialised-warning.patch \ |
35 | file://binutils_CVE-2014-8484.patch \ | ||
36 | file://binutils_CVE-2014-8485.patch \ | ||
37 | file://binutils_CVE-2014-8501.patch \ | ||
38 | file://binutils_CVE-2014-8502_1.patch \ | ||
39 | file://binutils_CVE-2014-8502.patch \ | ||
40 | file://binutils_CVE-2014-8503.patch \ | ||
41 | file://binutils_CVE-2014-8504.patch \ | ||
42 | file://binutils_CVE-2014-8737.patch \ | ||
35 | " | 43 | " |
36 | 44 | ||
37 | SRC_URI[md5sum] = "e0f71a7b2ddab0f8612336ac81d9636b" | 45 | SRC_URI[md5sum] = "e0f71a7b2ddab0f8612336ac81d9636b" |
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch new file mode 100644 index 0000000000..e789499477 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8484.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8484 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From bd25671c6f202c4a5108883caa2adb24ff6f361f Mon Sep 17 00:00:00 2001 | ||
10 | From: Alan Modra <amodra@gmail.com> | ||
11 | Date: Fri, 29 Aug 2014 10:36:29 +0930 | ||
12 | Subject: [PATCH] Report an error for S-records with less than the miniumum | ||
13 | size | ||
14 | |||
15 | * srec.c (srec_scan): Revert last change. Report an error for | ||
16 | S-records with less than the miniumum byte count. | ||
17 | --- | ||
18 | bfd/ChangeLog | 5 +++++ | ||
19 | bfd/srec.c | 18 +++++++++++++++--- | ||
20 | 2 files changed, 20 insertions(+), 3 deletions(-) | ||
21 | |||
22 | Index: binutils-2.24/bfd/srec.c | ||
23 | =================================================================== | ||
24 | --- binutils-2.24.orig/bfd/srec.c | ||
25 | +++ binutils-2.24/bfd/srec.c | ||
26 | @@ -455,7 +455,7 @@ srec_scan (bfd *abfd) | ||
27 | { | ||
28 | file_ptr pos; | ||
29 | char hdr[3]; | ||
30 | - unsigned int bytes; | ||
31 | + unsigned int bytes, min_bytes; | ||
32 | bfd_vma address; | ||
33 | bfd_byte *data; | ||
34 | unsigned char check_sum; | ||
35 | @@ -478,6 +478,19 @@ srec_scan (bfd *abfd) | ||
36 | } | ||
37 | |||
38 | check_sum = bytes = HEX (hdr + 1); | ||
39 | + min_bytes = 3; | ||
40 | + if (hdr[0] == '2' || hdr[0] == '8') | ||
41 | + min_bytes = 4; | ||
42 | + else if (hdr[0] == '3' || hdr[0] == '7') | ||
43 | + min_bytes = 5; | ||
44 | + if (bytes < min_bytes) | ||
45 | + { | ||
46 | + (*_bfd_error_handler) (_("%B:%d: byte count %d too small\n"), | ||
47 | + abfd, lineno, bytes); | ||
48 | + bfd_set_error (bfd_error_bad_value); | ||
49 | + goto error_return; | ||
50 | + } | ||
51 | + | ||
52 | if (bytes * 2 > bufsize) | ||
53 | { | ||
54 | if (buf != NULL) | ||
55 | Index: binutils-2.24/bfd/ChangeLog | ||
56 | =================================================================== | ||
57 | --- binutils-2.24.orig/bfd/ChangeLog | ||
58 | +++ binutils-2.24/bfd/ChangeLog | ||
59 | @@ -1,3 +1,8 @@ | ||
60 | +2014-08-29 Alan Modra <amodra@gmail.com> | ||
61 | + | ||
62 | + * srec.c (srec_scan): Revert last change. Report an error for | ||
63 | + S-records with less than the miniumum byte count. | ||
64 | + | ||
65 | 2013-12-02 Tristan Gingold <gingold@adacore.com> | ||
66 | |||
67 | * configure.in: Bump version to 2.24 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch new file mode 100644 index 0000000000..ec3308b4f4 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8485.patch | |||
@@ -0,0 +1,102 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8485 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From 493a33860c71cac998f1a56d6d87d6faa801fbaa Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Mon, 27 Oct 2014 12:43:16 +0000 | ||
12 | Subject: [PATCH] This patch closes a potential security hole in applications | ||
13 | that use the bfd library to parse binaries containing maliciously corrupt | ||
14 | section group headers. | ||
15 | |||
16 | PR binutils/17510 | ||
17 | * elf.c (setup_group): Improve handling of corrupt group | ||
18 | sections. | ||
19 | --- | ||
20 | bfd/ChangeLog | 6 ++++++ | ||
21 | bfd/elf.c | 34 ++++++++++++++++++++++++++++++---- | ||
22 | 2 files changed, 36 insertions(+), 4 deletions(-) | ||
23 | |||
24 | Index: binutils-2.24/bfd/elf.c | ||
25 | =================================================================== | ||
26 | --- binutils-2.24.orig/bfd/elf.c | ||
27 | +++ binutils-2.24/bfd/elf.c | ||
28 | @@ -608,9 +608,10 @@ setup_group (bfd *abfd, Elf_Internal_Shd | ||
29 | if (shdr->contents == NULL) | ||
30 | { | ||
31 | _bfd_error_handler | ||
32 | - (_("%B: Corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); | ||
33 | + (_("%B: corrupt size field in group section header: 0x%lx"), abfd, shdr->sh_size); | ||
34 | bfd_set_error (bfd_error_bad_value); | ||
35 | - return FALSE; | ||
36 | + -- num_group; | ||
37 | + continue; | ||
38 | } | ||
39 | |||
40 | memset (shdr->contents, 0, amt); | ||
41 | @@ -618,7 +619,16 @@ setup_group (bfd *abfd, Elf_Internal_Shd | ||
42 | if (bfd_seek (abfd, shdr->sh_offset, SEEK_SET) != 0 | ||
43 | || (bfd_bread (shdr->contents, shdr->sh_size, abfd) | ||
44 | != shdr->sh_size)) | ||
45 | - return FALSE; | ||
46 | + { | ||
47 | + _bfd_error_handler | ||
48 | + (_("%B: invalid size field in group section header: 0x%lx"), abfd, shdr->sh_size); | ||
49 | + bfd_set_error (bfd_error_bad_value); | ||
50 | + -- num_group; | ||
51 | + /* PR 17510: If the group contents are even partially | ||
52 | + corrupt, do not allow any of the contents to be used. */ | ||
53 | + memset (shdr->contents, 0, amt); | ||
54 | + continue; | ||
55 | + } | ||
56 | |||
57 | /* Translate raw contents, a flag word followed by an | ||
58 | array of elf section indices all in target byte order, | ||
59 | @@ -651,6 +661,21 @@ setup_group (bfd *abfd, Elf_Internal_Shd | ||
60 | } | ||
61 | } | ||
62 | } | ||
63 | + | ||
64 | + /* PR 17510: Corrupt binaries might contain invalid groups. */ | ||
65 | + if (num_group != (unsigned) elf_tdata (abfd)->num_group) | ||
66 | + { | ||
67 | + elf_tdata (abfd)->num_group = num_group; | ||
68 | + | ||
69 | + /* If all groups are invalid then fail. */ | ||
70 | + if (num_group == 0) | ||
71 | + { | ||
72 | + elf_tdata (abfd)->group_sect_ptr = NULL; | ||
73 | + elf_tdata (abfd)->num_group = num_group = -1; | ||
74 | + (*_bfd_error_handler) (_("%B: no valid group sections found"), abfd); | ||
75 | + bfd_set_error (bfd_error_bad_value); | ||
76 | + } | ||
77 | + } | ||
78 | } | ||
79 | } | ||
80 | |||
81 | @@ -716,6 +741,7 @@ setup_group (bfd *abfd, Elf_Internal_Shd | ||
82 | { | ||
83 | (*_bfd_error_handler) (_("%B: no group info for section %A"), | ||
84 | abfd, newsect); | ||
85 | + return FALSE; | ||
86 | } | ||
87 | return TRUE; | ||
88 | } | ||
89 | Index: binutils-2.24/bfd/ChangeLog | ||
90 | =================================================================== | ||
91 | --- binutils-2.24.orig/bfd/ChangeLog | ||
92 | +++ binutils-2.24/bfd/ChangeLog | ||
93 | @@ -1,3 +1,9 @@ | ||
94 | +2014-10-27 Nick Clifton <nickc@redhat.com> | ||
95 | + | ||
96 | + PR binutils/17510 | ||
97 | + * elf.c (setup_group): Improve handling of corrupt group | ||
98 | + sections. | ||
99 | + | ||
100 | 2014-08-29 Alan Modra <amodra@gmail.com> | ||
101 | |||
102 | * srec.c (srec_scan): Revert last change. Report an error for | ||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch new file mode 100644 index 0000000000..a48fe9b23b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8501.patch | |||
@@ -0,0 +1,60 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8501 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From 7e1e19887abd24aeb15066b141cdff5541e0ec8e Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Mon, 27 Oct 2014 14:45:06 +0000 | ||
12 | Subject: [PATCH] Fix a seg-fault in strings and other binutuils when parsing a | ||
13 | corrupt PE executable with an invalid value in the NumberOfRvaAndSizes field | ||
14 | of the AOUT header. | ||
15 | |||
16 | PR binutils/17512 | ||
17 | * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries | ||
18 | with an invalid value for NumberOfRvaAndSizes. | ||
19 | --- | ||
20 | bfd/ChangeLog | 4 ++++ | ||
21 | bfd/peXXigen.c | 12 ++++++++++++ | ||
22 | 2 files changed, 16 insertions(+) | ||
23 | |||
24 | Index: binutils-2.24/bfd/peXXigen.c | ||
25 | =================================================================== | ||
26 | --- binutils-2.24.orig/bfd/peXXigen.c | ||
27 | +++ binutils-2.24/bfd/peXXigen.c | ||
28 | @@ -460,6 +460,18 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, | ||
29 | { | ||
30 | int idx; | ||
31 | |||
32 | + /* PR 17512: Corrupt PE binaries can cause seg-faults. */ | ||
33 | + if (a->NumberOfRvaAndSizes > 16) | ||
34 | + { | ||
35 | + (*_bfd_error_handler) | ||
36 | + (_("%B: aout header specifies an invalid number of data-directory entries: %d"), | ||
37 | + abfd, a->NumberOfRvaAndSizes); | ||
38 | + /* Paranoia: If the number is corrupt, then assume that the | ||
39 | + actual entries themselves might be corrupt as well. */ | ||
40 | + a->NumberOfRvaAndSizes = 0; | ||
41 | + } | ||
42 | + | ||
43 | + | ||
44 | for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) | ||
45 | { | ||
46 | /* If data directory is empty, rva also should be 0. */ | ||
47 | Index: binutils-2.24/bfd/ChangeLog | ||
48 | =================================================================== | ||
49 | --- binutils-2.24.orig/bfd/ChangeLog | ||
50 | +++ binutils-2.24/bfd/ChangeLog | ||
51 | @@ -1,5 +1,9 @@ | ||
52 | 2014-10-27 Nick Clifton <nickc@redhat.com> | ||
53 | |||
54 | + PR binutils/17512 | ||
55 | + * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries | ||
56 | + with an invalid value for NumberOfRvaAndSizes. | ||
57 | + | ||
58 | PR binutils/17510 | ||
59 | * elf.c (setup_group): Improve handling of corrupt group | ||
60 | sections. | ||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch new file mode 100644 index 0000000000..05af65bad1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502.patch | |||
@@ -0,0 +1,89 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8502 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From 5a4b0ccc20ba30caef53b01bee2c0aaa5b855339 Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Tue, 28 Oct 2014 15:42:56 +0000 | ||
12 | Subject: [PATCH] More fixes for corrupt binaries crashing the binutils. | ||
13 | |||
14 | PR binutils/17512 | ||
15 | * elf.c (bfd_section_from_shdr): Allocate and free the recursion | ||
16 | detection table on a per-bfd basis. | ||
17 | * peXXigen.c (pe_print_edata): Handle binaries with a truncated | ||
18 | export table. | ||
19 | --- | ||
20 | bfd/ChangeLog | 8 ++++++++ | ||
21 | bfd/elf.c | 16 +++++++++++++--- | ||
22 | bfd/peXXigen.c | 9 +++++++++ | ||
23 | 3 files changed, 30 insertions(+), 3 deletions(-) | ||
24 | |||
25 | Index: binutils-2.24/bfd/peXXigen.c | ||
26 | =================================================================== | ||
27 | --- binutils-2.24.orig/bfd/peXXigen.c | ||
28 | +++ binutils-2.24/bfd/peXXigen.c | ||
29 | @@ -1438,6 +1438,15 @@ pe_print_edata (bfd * abfd, void * vfile | ||
30 | } | ||
31 | } | ||
32 | |||
33 | + /* PR 17512: Handle corrupt PE binaries. */ | ||
34 | + if (datasize < 36) | ||
35 | + { | ||
36 | + fprintf (file, | ||
37 | + _("\nThere is an export table in %s, but it is too small (%d)\n"), | ||
38 | + section->name, (int) datasize); | ||
39 | + return TRUE; | ||
40 | + } | ||
41 | + | ||
42 | fprintf (file, _("\nThere is an export table in %s at 0x%lx\n"), | ||
43 | section->name, (unsigned long) addr); | ||
44 | |||
45 | Index: binutils-2.24/bfd/elf.c | ||
46 | =================================================================== | ||
47 | --- binutils-2.24.orig/bfd/elf.c | ||
48 | +++ binutils-2.24/bfd/elf.c | ||
49 | @@ -1576,6 +1576,7 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
50 | const char *name; | ||
51 | bfd_boolean ret = TRUE; | ||
52 | static bfd_boolean * sections_being_created = NULL; | ||
53 | + static bfd * sections_being_created_abfd = NULL; | ||
54 | static unsigned int nesting = 0; | ||
55 | |||
56 | if (shindex >= elf_numsections (abfd)) | ||
57 | @@ -1588,13 +1589,20 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
58 | loop. Detect this here, by refusing to load a section that we are | ||
59 | already in the process of loading. We only trigger this test if | ||
60 | we have nested at least three sections deep as normal ELF binaries | ||
61 | - can expect to recurse at least once. */ | ||
62 | + can expect to recurse at least once. | ||
63 | + | ||
64 | + FIXME: It would be better if this array was attached to the bfd, | ||
65 | + rather than being held in a static pointer. */ | ||
66 | + | ||
67 | + if (sections_being_created_abfd != abfd) | ||
68 | + sections_being_created = NULL; | ||
69 | |||
70 | if (sections_being_created == NULL) | ||
71 | { | ||
72 | /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ | ||
73 | sections_being_created = (bfd_boolean *) | ||
74 | bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); | ||
75 | + sections_being_created_abfd = abfd; | ||
76 | } | ||
77 | if (sections_being_created [shindex]) | ||
78 | { | ||
79 | @@ -2098,7 +2106,10 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
80 | if (sections_being_created) | ||
81 | sections_being_created [shindex] = FALSE; | ||
82 | if (-- nesting == 0) | ||
83 | + { | ||
84 | sections_being_created = NULL; | ||
85 | + sections_being_created_abfd = abfd; | ||
86 | + } | ||
87 | return ret; | ||
88 | } | ||
89 | |||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch new file mode 100644 index 0000000000..9e0c9c8b3c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8502_1.patch | |||
@@ -0,0 +1,523 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8502 supporting patch. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From bf67003b4567600ed3022a439207ac8f26454f91 Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Mon, 27 Oct 2014 18:05:37 +0000 | ||
12 | Subject: [PATCH] This fixes more seg-faults in tools like "strings" and | ||
13 | "objdump" when presented with corrupt binaries. | ||
14 | |||
15 | PR binutils/17512 | ||
16 | * elf.c (bfd_section_from_shdr): Detect and warn about ELF | ||
17 | binaries with a group of sections linked by the string table | ||
18 | indicies. | ||
19 | * peXXigen.c (pe_print_edata): Detect out of range rvas and | ||
20 | entry counts for the Export Address table, Name Pointer table | ||
21 | and Ordinal table. | ||
22 | --- | ||
23 | bfd/ChangeLog | 5 ++ | ||
24 | bfd/elf.c | 194 ++++++++++++++++++++++++++++++++++++++------------------- | ||
25 | bfd/peXXigen.c | 18 +++++- | ||
26 | 3 files changed, 150 insertions(+), 67 deletions(-) | ||
27 | |||
28 | Index: binutils-2.24/bfd/elf.c | ||
29 | =================================================================== | ||
30 | --- binutils-2.24.orig/bfd/elf.c | ||
31 | +++ binutils-2.24/bfd/elf.c | ||
32 | @@ -1574,38 +1574,67 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
33 | Elf_Internal_Ehdr *ehdr; | ||
34 | const struct elf_backend_data *bed; | ||
35 | const char *name; | ||
36 | + bfd_boolean ret = TRUE; | ||
37 | + static bfd_boolean * sections_being_created = NULL; | ||
38 | + static unsigned int nesting = 0; | ||
39 | |||
40 | if (shindex >= elf_numsections (abfd)) | ||
41 | return FALSE; | ||
42 | |||
43 | + if (++ nesting > 3) | ||
44 | + { | ||
45 | + /* PR17512: A corrupt ELF binary might contain a recursive group of | ||
46 | + sections, each the string indicies pointing to the next in the | ||
47 | + loop. Detect this here, by refusing to load a section that we are | ||
48 | + already in the process of loading. We only trigger this test if | ||
49 | + we have nested at least three sections deep as normal ELF binaries | ||
50 | + can expect to recurse at least once. */ | ||
51 | + | ||
52 | + if (sections_being_created == NULL) | ||
53 | + { | ||
54 | + /* FIXME: It would be more efficient to attach this array to the bfd somehow. */ | ||
55 | + sections_being_created = (bfd_boolean *) | ||
56 | + bfd_zalloc (abfd, elf_numsections (abfd) * sizeof (bfd_boolean)); | ||
57 | + } | ||
58 | + if (sections_being_created [shindex]) | ||
59 | + { | ||
60 | + (*_bfd_error_handler) | ||
61 | + (_("%B: warning: loop in section dependencies detected"), abfd); | ||
62 | + return FALSE; | ||
63 | + } | ||
64 | + sections_being_created [shindex] = TRUE; | ||
65 | + } | ||
66 | + | ||
67 | hdr = elf_elfsections (abfd)[shindex]; | ||
68 | ehdr = elf_elfheader (abfd); | ||
69 | name = bfd_elf_string_from_elf_section (abfd, ehdr->e_shstrndx, | ||
70 | hdr->sh_name); | ||
71 | if (name == NULL) | ||
72 | - return FALSE; | ||
73 | + goto fail; | ||
74 | |||
75 | bed = get_elf_backend_data (abfd); | ||
76 | switch (hdr->sh_type) | ||
77 | { | ||
78 | case SHT_NULL: | ||
79 | /* Inactive section. Throw it away. */ | ||
80 | - return TRUE; | ||
81 | + goto success; | ||
82 | |||
83 | - case SHT_PROGBITS: /* Normal section with contents. */ | ||
84 | - case SHT_NOBITS: /* .bss section. */ | ||
85 | - case SHT_HASH: /* .hash section. */ | ||
86 | - case SHT_NOTE: /* .note section. */ | ||
87 | + case SHT_PROGBITS: /* Normal section with contents. */ | ||
88 | + case SHT_NOBITS: /* .bss section. */ | ||
89 | + case SHT_HASH: /* .hash section. */ | ||
90 | + case SHT_NOTE: /* .note section. */ | ||
91 | case SHT_INIT_ARRAY: /* .init_array section. */ | ||
92 | case SHT_FINI_ARRAY: /* .fini_array section. */ | ||
93 | case SHT_PREINIT_ARRAY: /* .preinit_array section. */ | ||
94 | case SHT_GNU_LIBLIST: /* .gnu.liblist section. */ | ||
95 | case SHT_GNU_HASH: /* .gnu.hash section. */ | ||
96 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
97 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
98 | + goto success; | ||
99 | |||
100 | case SHT_DYNAMIC: /* Dynamic linking information. */ | ||
101 | if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) | ||
102 | - return FALSE; | ||
103 | + goto fail; | ||
104 | + | ||
105 | if (hdr->sh_link > elf_numsections (abfd)) | ||
106 | { | ||
107 | /* PR 10478: Accept Solaris binaries with a sh_link | ||
108 | @@ -1619,11 +1648,11 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
109 | break; | ||
110 | /* Otherwise fall through. */ | ||
111 | default: | ||
112 | - return FALSE; | ||
113 | + goto fail; | ||
114 | } | ||
115 | } | ||
116 | else if (elf_elfsections (abfd)[hdr->sh_link] == NULL) | ||
117 | - return FALSE; | ||
118 | + goto fail; | ||
119 | else if (elf_elfsections (abfd)[hdr->sh_link]->sh_type != SHT_STRTAB) | ||
120 | { | ||
121 | Elf_Internal_Shdr *dynsymhdr; | ||
122 | @@ -1652,24 +1681,26 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
123 | } | ||
124 | } | ||
125 | } | ||
126 | - break; | ||
127 | + goto success; | ||
128 | |||
129 | - case SHT_SYMTAB: /* A symbol table */ | ||
130 | + case SHT_SYMTAB: /* A symbol table. */ | ||
131 | if (elf_onesymtab (abfd) == shindex) | ||
132 | - return TRUE; | ||
133 | + goto success; | ||
134 | |||
135 | if (hdr->sh_entsize != bed->s->sizeof_sym) | ||
136 | - return FALSE; | ||
137 | + goto fail; | ||
138 | + | ||
139 | if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) | ||
140 | { | ||
141 | if (hdr->sh_size != 0) | ||
142 | - return FALSE; | ||
143 | + goto fail; | ||
144 | /* Some assemblers erroneously set sh_info to one with a | ||
145 | zero sh_size. ld sees this as a global symbol count | ||
146 | of (unsigned) -1. Fix it here. */ | ||
147 | hdr->sh_info = 0; | ||
148 | - return TRUE; | ||
149 | + goto success; | ||
150 | } | ||
151 | + | ||
152 | BFD_ASSERT (elf_onesymtab (abfd) == 0); | ||
153 | elf_onesymtab (abfd) = shindex; | ||
154 | elf_tdata (abfd)->symtab_hdr = *hdr; | ||
155 | @@ -1686,7 +1717,7 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
156 | && (abfd->flags & DYNAMIC) != 0 | ||
157 | && ! _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
158 | shindex)) | ||
159 | - return FALSE; | ||
160 | + goto fail; | ||
161 | |||
162 | /* Go looking for SHT_SYMTAB_SHNDX too, since if there is one we | ||
163 | can't read symbols without that section loaded as well. It | ||
164 | @@ -1712,26 +1743,29 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
165 | break; | ||
166 | } | ||
167 | if (i != shindex) | ||
168 | - return bfd_section_from_shdr (abfd, i); | ||
169 | + ret = bfd_section_from_shdr (abfd, i); | ||
170 | } | ||
171 | - return TRUE; | ||
172 | + goto success; | ||
173 | |||
174 | - case SHT_DYNSYM: /* A dynamic symbol table */ | ||
175 | + case SHT_DYNSYM: /* A dynamic symbol table. */ | ||
176 | if (elf_dynsymtab (abfd) == shindex) | ||
177 | - return TRUE; | ||
178 | + goto success; | ||
179 | |||
180 | if (hdr->sh_entsize != bed->s->sizeof_sym) | ||
181 | - return FALSE; | ||
182 | + goto fail; | ||
183 | + | ||
184 | if (hdr->sh_info * hdr->sh_entsize > hdr->sh_size) | ||
185 | { | ||
186 | if (hdr->sh_size != 0) | ||
187 | - return FALSE; | ||
188 | + goto fail; | ||
189 | + | ||
190 | /* Some linkers erroneously set sh_info to one with a | ||
191 | zero sh_size. ld sees this as a global symbol count | ||
192 | of (unsigned) -1. Fix it here. */ | ||
193 | hdr->sh_info = 0; | ||
194 | - return TRUE; | ||
195 | + goto success; | ||
196 | } | ||
197 | + | ||
198 | BFD_ASSERT (elf_dynsymtab (abfd) == 0); | ||
199 | elf_dynsymtab (abfd) = shindex; | ||
200 | elf_tdata (abfd)->dynsymtab_hdr = *hdr; | ||
201 | @@ -1740,34 +1774,38 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
202 | |||
203 | /* Besides being a symbol table, we also treat this as a regular | ||
204 | section, so that objcopy can handle it. */ | ||
205 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
206 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
207 | + goto success; | ||
208 | |||
209 | - case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections */ | ||
210 | + case SHT_SYMTAB_SHNDX: /* Symbol section indices when >64k sections. */ | ||
211 | if (elf_symtab_shndx (abfd) == shindex) | ||
212 | - return TRUE; | ||
213 | + goto success; | ||
214 | |||
215 | BFD_ASSERT (elf_symtab_shndx (abfd) == 0); | ||
216 | elf_symtab_shndx (abfd) = shindex; | ||
217 | elf_tdata (abfd)->symtab_shndx_hdr = *hdr; | ||
218 | elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->symtab_shndx_hdr; | ||
219 | - return TRUE; | ||
220 | + goto success; | ||
221 | |||
222 | - case SHT_STRTAB: /* A string table */ | ||
223 | + case SHT_STRTAB: /* A string table. */ | ||
224 | if (hdr->bfd_section != NULL) | ||
225 | - return TRUE; | ||
226 | + goto success; | ||
227 | + | ||
228 | if (ehdr->e_shstrndx == shindex) | ||
229 | { | ||
230 | elf_tdata (abfd)->shstrtab_hdr = *hdr; | ||
231 | elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->shstrtab_hdr; | ||
232 | - return TRUE; | ||
233 | + goto success; | ||
234 | } | ||
235 | + | ||
236 | if (elf_elfsections (abfd)[elf_onesymtab (abfd)]->sh_link == shindex) | ||
237 | { | ||
238 | symtab_strtab: | ||
239 | elf_tdata (abfd)->strtab_hdr = *hdr; | ||
240 | elf_elfsections (abfd)[shindex] = &elf_tdata (abfd)->strtab_hdr; | ||
241 | - return TRUE; | ||
242 | + goto success; | ||
243 | } | ||
244 | + | ||
245 | if (elf_elfsections (abfd)[elf_dynsymtab (abfd)]->sh_link == shindex) | ||
246 | { | ||
247 | dynsymtab_strtab: | ||
248 | @@ -1776,8 +1814,9 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
249 | elf_elfsections (abfd)[shindex] = hdr; | ||
250 | /* We also treat this as a regular section, so that objcopy | ||
251 | can handle it. */ | ||
252 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
253 | - shindex); | ||
254 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
255 | + shindex); | ||
256 | + goto success; | ||
257 | } | ||
258 | |||
259 | /* If the string table isn't one of the above, then treat it as a | ||
260 | @@ -1795,9 +1834,9 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
261 | { | ||
262 | /* Prevent endless recursion on broken objects. */ | ||
263 | if (i == shindex) | ||
264 | - return FALSE; | ||
265 | + goto fail; | ||
266 | if (! bfd_section_from_shdr (abfd, i)) | ||
267 | - return FALSE; | ||
268 | + goto fail; | ||
269 | if (elf_onesymtab (abfd) == i) | ||
270 | goto symtab_strtab; | ||
271 | if (elf_dynsymtab (abfd) == i) | ||
272 | @@ -1805,7 +1844,8 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
273 | } | ||
274 | } | ||
275 | } | ||
276 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
277 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
278 | + goto success; | ||
279 | |||
280 | case SHT_REL: | ||
281 | case SHT_RELA: | ||
282 | @@ -1820,7 +1860,7 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
283 | if (hdr->sh_entsize | ||
284 | != (bfd_size_type) (hdr->sh_type == SHT_REL | ||
285 | ? bed->s->sizeof_rel : bed->s->sizeof_rela)) | ||
286 | - return FALSE; | ||
287 | + goto fail; | ||
288 | |||
289 | /* Check for a bogus link to avoid crashing. */ | ||
290 | if (hdr->sh_link >= num_sec) | ||
291 | @@ -1828,8 +1868,9 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
292 | ((*_bfd_error_handler) | ||
293 | (_("%B: invalid link %lu for reloc section %s (index %u)"), | ||
294 | abfd, hdr->sh_link, name, shindex)); | ||
295 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
296 | - shindex); | ||
297 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
298 | + shindex); | ||
299 | + goto success; | ||
300 | } | ||
301 | |||
302 | /* For some incomprehensible reason Oracle distributes | ||
303 | @@ -1870,7 +1911,7 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
304 | if ((elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_SYMTAB | ||
305 | || elf_elfsections (abfd)[hdr->sh_link]->sh_type == SHT_DYNSYM) | ||
306 | && ! bfd_section_from_shdr (abfd, hdr->sh_link)) | ||
307 | - return FALSE; | ||
308 | + goto fail; | ||
309 | |||
310 | /* If this reloc section does not use the main symbol table we | ||
311 | don't treat it as a reloc section. BFD can't adequately | ||
312 | @@ -1885,14 +1926,18 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
313 | || hdr->sh_info >= num_sec | ||
314 | || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_REL | ||
315 | || elf_elfsections (abfd)[hdr->sh_info]->sh_type == SHT_RELA) | ||
316 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
317 | - shindex); | ||
318 | + { | ||
319 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
320 | + shindex); | ||
321 | + goto success; | ||
322 | + } | ||
323 | |||
324 | if (! bfd_section_from_shdr (abfd, hdr->sh_info)) | ||
325 | - return FALSE; | ||
326 | + goto fail; | ||
327 | + | ||
328 | target_sect = bfd_section_from_elf_index (abfd, hdr->sh_info); | ||
329 | if (target_sect == NULL) | ||
330 | - return FALSE; | ||
331 | + goto fail; | ||
332 | |||
333 | esdt = elf_section_data (target_sect); | ||
334 | if (hdr->sh_type == SHT_RELA) | ||
335 | @@ -1904,7 +1949,7 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
336 | amt = sizeof (*hdr2); | ||
337 | hdr2 = (Elf_Internal_Shdr *) bfd_alloc (abfd, amt); | ||
338 | if (hdr2 == NULL) | ||
339 | - return FALSE; | ||
340 | + goto fail; | ||
341 | *hdr2 = *hdr; | ||
342 | *p_hdr = hdr2; | ||
343 | elf_elfsections (abfd)[shindex] = hdr2; | ||
344 | @@ -1920,34 +1965,40 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
345 | target_sect->use_rela_p = 1; | ||
346 | } | ||
347 | abfd->flags |= HAS_RELOC; | ||
348 | - return TRUE; | ||
349 | + goto success; | ||
350 | } | ||
351 | |||
352 | case SHT_GNU_verdef: | ||
353 | elf_dynverdef (abfd) = shindex; | ||
354 | elf_tdata (abfd)->dynverdef_hdr = *hdr; | ||
355 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
356 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
357 | + goto success; | ||
358 | |||
359 | case SHT_GNU_versym: | ||
360 | if (hdr->sh_entsize != sizeof (Elf_External_Versym)) | ||
361 | - return FALSE; | ||
362 | + goto fail; | ||
363 | + | ||
364 | elf_dynversym (abfd) = shindex; | ||
365 | elf_tdata (abfd)->dynversym_hdr = *hdr; | ||
366 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
367 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
368 | + goto success; | ||
369 | |||
370 | case SHT_GNU_verneed: | ||
371 | elf_dynverref (abfd) = shindex; | ||
372 | elf_tdata (abfd)->dynverref_hdr = *hdr; | ||
373 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
374 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
375 | + goto success; | ||
376 | |||
377 | case SHT_SHLIB: | ||
378 | - return TRUE; | ||
379 | + goto success; | ||
380 | |||
381 | case SHT_GROUP: | ||
382 | if (! IS_VALID_GROUP_SECTION_HEADER (hdr, GRP_ENTRY_SIZE)) | ||
383 | - return FALSE; | ||
384 | + goto fail; | ||
385 | + | ||
386 | if (!_bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) | ||
387 | - return FALSE; | ||
388 | + goto fail; | ||
389 | + | ||
390 | if (hdr->contents != NULL) | ||
391 | { | ||
392 | Elf_Internal_Group *idx = (Elf_Internal_Group *) hdr->contents; | ||
393 | @@ -1973,7 +2024,7 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
394 | } | ||
395 | } | ||
396 | } | ||
397 | - break; | ||
398 | + goto success; | ||
399 | |||
400 | default: | ||
401 | /* Possibly an attributes section. */ | ||
402 | @@ -1981,14 +2032,14 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
403 | || hdr->sh_type == bed->obj_attrs_section_type) | ||
404 | { | ||
405 | if (! _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex)) | ||
406 | - return FALSE; | ||
407 | + goto fail; | ||
408 | _bfd_elf_parse_attributes (abfd, hdr); | ||
409 | - return TRUE; | ||
410 | + goto success; | ||
411 | } | ||
412 | |||
413 | /* Check for any processor-specific section types. */ | ||
414 | if (bed->elf_backend_section_from_shdr (abfd, hdr, name, shindex)) | ||
415 | - return TRUE; | ||
416 | + goto success; | ||
417 | |||
418 | if (hdr->sh_type >= SHT_LOUSER && hdr->sh_type <= SHT_HIUSER) | ||
419 | { | ||
420 | @@ -2000,9 +2051,12 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
421 | "specific section `%s' [0x%8x]"), | ||
422 | abfd, name, hdr->sh_type); | ||
423 | else | ||
424 | - /* Allow sections reserved for applications. */ | ||
425 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
426 | - shindex); | ||
427 | + { | ||
428 | + /* Allow sections reserved for applications. */ | ||
429 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, | ||
430 | + shindex); | ||
431 | + goto success; | ||
432 | + } | ||
433 | } | ||
434 | else if (hdr->sh_type >= SHT_LOPROC | ||
435 | && hdr->sh_type <= SHT_HIPROC) | ||
436 | @@ -2023,8 +2077,11 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
437 | "`%s' [0x%8x]"), | ||
438 | abfd, name, hdr->sh_type); | ||
439 | else | ||
440 | - /* Otherwise it should be processed. */ | ||
441 | - return _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
442 | + { | ||
443 | + /* Otherwise it should be processed. */ | ||
444 | + ret = _bfd_elf_make_section_from_shdr (abfd, hdr, name, shindex); | ||
445 | + goto success; | ||
446 | + } | ||
447 | } | ||
448 | else | ||
449 | /* FIXME: We should handle this section. */ | ||
450 | @@ -2032,10 +2089,17 @@ bfd_section_from_shdr (bfd *abfd, unsign | ||
451 | (_("%B: don't know how to handle section `%s' [0x%8x]"), | ||
452 | abfd, name, hdr->sh_type); | ||
453 | |||
454 | - return FALSE; | ||
455 | + goto fail; | ||
456 | } | ||
457 | |||
458 | - return TRUE; | ||
459 | + fail: | ||
460 | + ret = FALSE; | ||
461 | + success: | ||
462 | + if (sections_being_created) | ||
463 | + sections_being_created [shindex] = FALSE; | ||
464 | + if (-- nesting == 0) | ||
465 | + sections_being_created = NULL; | ||
466 | + return ret; | ||
467 | } | ||
468 | |||
469 | /* Return the local symbol specified by ABFD, R_SYMNDX. */ | ||
470 | Index: binutils-2.24/bfd/peXXigen.c | ||
471 | =================================================================== | ||
472 | --- binutils-2.24.orig/bfd/peXXigen.c | ||
473 | +++ binutils-2.24/bfd/peXXigen.c | ||
474 | @@ -1528,7 +1528,12 @@ pe_print_edata (bfd * abfd, void * vfile | ||
475 | _("\nExport Address Table -- Ordinal Base %ld\n"), | ||
476 | edt.base); | ||
477 | |||
478 | - for (i = 0; i < edt.num_functions; ++i) | ||
479 | + /* PR 17512: Handle corrupt PE binaries. */ | ||
480 | + if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize) | ||
481 | + fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), | ||
482 | + (long) edt.eat_addr, | ||
483 | + (long) edt.num_functions); | ||
484 | + else for (i = 0; i < edt.num_functions; ++i) | ||
485 | { | ||
486 | bfd_vma eat_member = bfd_get_32 (abfd, | ||
487 | data + edt.eat_addr + (i * 4) - adj); | ||
488 | @@ -1564,7 +1569,16 @@ pe_print_edata (bfd * abfd, void * vfile | ||
489 | fprintf (file, | ||
490 | _("\n[Ordinal/Name Pointer] Table\n")); | ||
491 | |||
492 | - for (i = 0; i < edt.num_names; ++i) | ||
493 | + /* PR 17512: Handle corrupt PE binaries. */ | ||
494 | + if (edt.npt_addr + (edt.num_names * 4) - adj >= datasize) | ||
495 | + fprintf (file, _("\tInvalid Name Pointer Table rva (0x%lx) or entry count (0x%lx)\n"), | ||
496 | + (long) edt.npt_addr, | ||
497 | + (long) edt.num_names); | ||
498 | + else if (edt.ot_addr + (edt.num_names * 2) - adj >= datasize) | ||
499 | + fprintf (file, _("\tInvalid Ordinal Table rva (0x%lx) or entry count (0x%lx)\n"), | ||
500 | + (long) edt.ot_addr, | ||
501 | + (long) edt.num_names); | ||
502 | + else for (i = 0; i < edt.num_names; ++i) | ||
503 | { | ||
504 | bfd_vma name_ptr = bfd_get_32 (abfd, | ||
505 | data + | ||
506 | Index: binutils-2.24/bfd/ChangeLog | ||
507 | =================================================================== | ||
508 | --- binutils-2.24.orig/bfd/ChangeLog | ||
509 | +++ binutils-2.24/bfd/ChangeLog | ||
510 | @@ -1,8 +1,13 @@ | ||
511 | 2014-10-27 Nick Clifton <nickc@redhat.com> | ||
512 | |||
513 | PR binutils/17512 | ||
514 | + * elf.c (bfd_section_from_shdr): Detect and warn about ELF | ||
515 | + binaries with a group of sections linked by the string table | ||
516 | + indicies. | ||
517 | * peXXigen.c (_bfd_XXi_swap_aouthdr_in): Handle corrupt binaries | ||
518 | with an invalid value for NumberOfRvaAndSizes. | ||
519 | + (pe_print_edata): Detect out of range rvas and entry counts for | ||
520 | + the Export Address table, Name Pointer table and Ordinal table. | ||
521 | |||
522 | PR binutils/17510 | ||
523 | * elf.c (setup_group): Improve handling of corrupt group | ||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch new file mode 100644 index 0000000000..2dd3354fc1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8503.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8503 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From 0102ea8cec5fc509bba6c91df61b7ce23a799d32 Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Thu, 30 Oct 2014 17:16:17 +0000 | ||
12 | Subject: [PATCH] Fixes a seg-fault in the ihex parser when it encounters a | ||
13 | malformed ihex file. | ||
14 | |||
15 | PR binutils/17512 | ||
16 | * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte. | ||
17 | --- | ||
18 | bfd/ChangeLog | 1 + | ||
19 | bfd/ihex.c | 2 +- | ||
20 | 2 files changed, 2 insertions(+), 1 deletion(-) | ||
21 | |||
22 | Index: binutils-2.24/bfd/ihex.c | ||
23 | =================================================================== | ||
24 | --- binutils-2.24.orig/bfd/ihex.c | ||
25 | +++ binutils-2.24/bfd/ihex.c | ||
26 | @@ -322,7 +322,7 @@ ihex_scan (bfd *abfd) | ||
27 | { | ||
28 | if (! ISHEX (buf[i])) | ||
29 | { | ||
30 | - ihex_bad_byte (abfd, lineno, hdr[i], error); | ||
31 | + ihex_bad_byte (abfd, lineno, buf[i], error); | ||
32 | goto error_return; | ||
33 | } | ||
34 | } | ||
35 | Index: binutils-2.24/bfd/ChangeLog | ||
36 | =================================================================== | ||
37 | --- binutils-2.24.orig/bfd/ChangeLog | ||
38 | +++ binutils-2.24/bfd/ChangeLog | ||
39 | @@ -1,3 +1,8 @@ | ||
40 | +2014-10-30 Nick Clifton <nickc@redhat.com> | ||
41 | + | ||
42 | + PR binutils/17512 | ||
43 | + * ihex.c (ihex_scan): Fix typo in invocation of ihex_bad_byte. | ||
44 | + | ||
45 | 2014-10-27 Nick Clifton <nickc@redhat.com> | ||
46 | |||
47 | PR binutils/17512 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch new file mode 100644 index 0000000000..b4d1d1ff61 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8504.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8504 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From 708d7d0d11f0f2d776171979aa3479e8e12a38a0 Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Tue, 28 Oct 2014 10:48:14 +0000 | ||
12 | Subject: [PATCH] This patch fixes a flaw in the SREC parser which could cause | ||
13 | a stack overflow and potential secuiryt breach. | ||
14 | |||
15 | PR binutils/17510 | ||
16 | * srec.c (srec_bad_byte): Increase size of buf to allow for | ||
17 | negative values. | ||
18 | (srec_scan): Use an unsigned char buffer to hold header bytes. | ||
19 | --- | ||
20 | bfd/ChangeLog | 8 ++++++++ | ||
21 | bfd/elf.c | 2 +- | ||
22 | bfd/peXXigen.c | 1 - | ||
23 | bfd/srec.c | 4 ++-- | ||
24 | 4 files changed, 11 insertions(+), 4 deletions(-) | ||
25 | |||
26 | Index: binutils-2.24/bfd/ChangeLog | ||
27 | =================================================================== | ||
28 | --- binutils-2.24.orig/bfd/ChangeLog | ||
29 | +++ binutils-2.24/bfd/ChangeLog | ||
30 | @@ -1,3 +1,11 @@ | ||
31 | +2014-10-28 Andreas Schwab <schwab@suse.de> | ||
32 | + Nick Clifton <nickc@redhat.com> | ||
33 | + | ||
34 | + PR binutils/17510 | ||
35 | + * srec.c (srec_bad_byte): Increase size of buf to allow for | ||
36 | + negative values. | ||
37 | + (srec_scan): Use an unsigned char buffer to hold header bytes. | ||
38 | + | ||
39 | 2014-10-30 Nick Clifton <nickc@redhat.com> | ||
40 | |||
41 | PR binutils/17512 | ||
42 | Index: binutils-2.24/bfd/peXXigen.c | ||
43 | =================================================================== | ||
44 | --- binutils-2.24.orig/bfd/peXXigen.c | ||
45 | +++ binutils-2.24/bfd/peXXigen.c | ||
46 | @@ -471,7 +471,6 @@ _bfd_XXi_swap_aouthdr_in (bfd * abfd, | ||
47 | a->NumberOfRvaAndSizes = 0; | ||
48 | } | ||
49 | |||
50 | - | ||
51 | for (idx = 0; idx < a->NumberOfRvaAndSizes; idx++) | ||
52 | { | ||
53 | /* If data directory is empty, rva also should be 0. */ | ||
54 | Index: binutils-2.24/bfd/srec.c | ||
55 | =================================================================== | ||
56 | --- binutils-2.24.orig/bfd/srec.c | ||
57 | +++ binutils-2.24/bfd/srec.c | ||
58 | @@ -248,7 +248,7 @@ srec_bad_byte (bfd *abfd, | ||
59 | } | ||
60 | else | ||
61 | { | ||
62 | - char buf[10]; | ||
63 | + char buf[40]; | ||
64 | |||
65 | if (! ISPRINT (c)) | ||
66 | sprintf (buf, "\\%03o", (unsigned int) c); | ||
67 | @@ -454,7 +454,7 @@ srec_scan (bfd *abfd) | ||
68 | case 'S': | ||
69 | { | ||
70 | file_ptr pos; | ||
71 | - char hdr[3]; | ||
72 | + unsigned char hdr[3]; | ||
73 | unsigned int bytes, min_bytes; | ||
74 | bfd_vma address; | ||
75 | bfd_byte *data; | ||
diff --git a/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch new file mode 100644 index 0000000000..4a84562201 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/binutils_CVE-2014-8737.patch | |||
@@ -0,0 +1,177 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | CVE-2014-8737 fix. | ||
4 | |||
5 | [YOCTO #7084] | ||
6 | |||
7 | Signed-off-by: Armin Kuster <akuster808@gmail.com> | ||
8 | |||
9 | From dd9b91de2149ee81d47f708e7b0bbf57da10ad42 Mon Sep 17 00:00:00 2001 | ||
10 | From: Nick Clifton <nickc@redhat.com> | ||
11 | Date: Thu, 6 Nov 2014 14:49:10 +0000 | ||
12 | Subject: [PATCH] Prevent archive memebers with illegal pathnames from being | ||
13 | extracted from an archive. | ||
14 | |||
15 | PR binutils/17552, binutils/17533 | ||
16 | * bucomm.c (is_valid_archive_path): New function. Returns false | ||
17 | for absolute pathnames and pathnames that include /../. | ||
18 | * bucomm.h (is_valid_archive_path): Add prototype. | ||
19 | * ar.c (extract_file): Use new function to check for valid | ||
20 | pathnames when extracting files from an archive. | ||
21 | * objcopy.c (copy_archive): Likewise. | ||
22 | * doc/binutils.texi: Update documentation to mention the | ||
23 | limitation on pathname of archive members. | ||
24 | --- | ||
25 | binutils/ChangeLog | 16 ++++++++++++++-- | ||
26 | binutils/ar.c | 9 +++++++++ | ||
27 | binutils/bucomm.c | 26 ++++++++++++++++++++++++++ | ||
28 | binutils/bucomm.h | 12 ++++++++---- | ||
29 | binutils/doc/binutils.texi | 3 ++- | ||
30 | binutils/objcopy.c | 6 ++++++ | ||
31 | 6 files changed, 65 insertions(+), 7 deletions(-) | ||
32 | |||
33 | Index: binutils-2.24/binutils/ar.c | ||
34 | =================================================================== | ||
35 | --- binutils-2.24.orig/binutils/ar.c | ||
36 | +++ binutils-2.24/binutils/ar.c | ||
37 | @@ -1031,6 +1031,15 @@ extract_file (bfd *abfd) | ||
38 | bfd_size_type size; | ||
39 | struct stat buf; | ||
40 | |||
41 | + /* PR binutils/17533: Do not allow directory traversal | ||
42 | + outside of the current directory tree. */ | ||
43 | + if (! is_valid_archive_path (bfd_get_filename (abfd))) | ||
44 | + { | ||
45 | + non_fatal (_("illegal pathname found in archive member: %s"), | ||
46 | + bfd_get_filename (abfd)); | ||
47 | + return; | ||
48 | + } | ||
49 | + | ||
50 | if (bfd_stat_arch_elt (abfd, &buf) != 0) | ||
51 | /* xgettext:c-format */ | ||
52 | fatal (_("internal stat error on %s"), bfd_get_filename (abfd)); | ||
53 | Index: binutils-2.24/binutils/bucomm.c | ||
54 | =================================================================== | ||
55 | --- binutils-2.24.orig/binutils/bucomm.c | ||
56 | +++ binutils-2.24/binutils/bucomm.c | ||
57 | @@ -624,3 +624,29 @@ bfd_get_archive_filename (const bfd *abf | ||
58 | bfd_get_filename (abfd)); | ||
59 | return buf; | ||
60 | } | ||
61 | + | ||
62 | +/* Returns TRUE iff PATHNAME, a filename of an archive member, | ||
63 | + is valid for writing. For security reasons absolute paths | ||
64 | + and paths containing /../ are not allowed. See PR 17533. */ | ||
65 | + | ||
66 | +bfd_boolean | ||
67 | +is_valid_archive_path (char const * pathname) | ||
68 | +{ | ||
69 | + const char * n = pathname; | ||
70 | + | ||
71 | + if (IS_ABSOLUTE_PATH (n)) | ||
72 | + return FALSE; | ||
73 | + | ||
74 | + while (*n) | ||
75 | + { | ||
76 | + if (*n == '.' && *++n == '.' && ( ! *++n || IS_DIR_SEPARATOR (*n))) | ||
77 | + return FALSE; | ||
78 | + | ||
79 | + while (*n && ! IS_DIR_SEPARATOR (*n)) | ||
80 | + n++; | ||
81 | + while (IS_DIR_SEPARATOR (*n)) | ||
82 | + n++; | ||
83 | + } | ||
84 | + | ||
85 | + return TRUE; | ||
86 | +} | ||
87 | Index: binutils-2.24/binutils/bucomm.h | ||
88 | =================================================================== | ||
89 | --- binutils-2.24.orig/binutils/bucomm.h | ||
90 | +++ binutils-2.24/binutils/bucomm.h | ||
91 | @@ -23,6 +23,8 @@ | ||
92 | #ifndef _BUCOMM_H | ||
93 | #define _BUCOMM_H | ||
94 | |||
95 | +/* In bucomm.c. */ | ||
96 | + | ||
97 | /* Return the filename in a static buffer. */ | ||
98 | const char *bfd_get_archive_filename (const bfd *); | ||
99 | |||
100 | @@ -58,20 +60,22 @@ bfd_vma parse_vma (const char *, const c | ||
101 | |||
102 | off_t get_file_size (const char *); | ||
103 | |||
104 | +bfd_boolean is_valid_archive_path (char const *); | ||
105 | + | ||
106 | extern char *program_name; | ||
107 | |||
108 | -/* filemode.c */ | ||
109 | +/* In filemode.c. */ | ||
110 | void mode_string (unsigned long, char *); | ||
111 | |||
112 | -/* version.c */ | ||
113 | +/* In version.c. */ | ||
114 | extern void print_version (const char *); | ||
115 | |||
116 | -/* rename.c */ | ||
117 | +/* In rename.c. */ | ||
118 | extern void set_times (const char *, const struct stat *); | ||
119 | |||
120 | extern int smart_rename (const char *, const char *, int); | ||
121 | |||
122 | -/* libiberty. */ | ||
123 | +/* In libiberty. */ | ||
124 | void *xmalloc (size_t); | ||
125 | |||
126 | void *xrealloc (void *, size_t); | ||
127 | Index: binutils-2.24/binutils/doc/binutils.texi | ||
128 | =================================================================== | ||
129 | --- binutils-2.24.orig/binutils/doc/binutils.texi | ||
130 | +++ binutils-2.24/binutils/doc/binutils.texi | ||
131 | @@ -234,7 +234,8 @@ a normal archive. Instead the elements | ||
132 | individually to the second archive. | ||
133 | |||
134 | The paths to the elements of the archive are stored relative to the | ||
135 | -archive itself. | ||
136 | +archive itself. For security reasons absolute paths and paths with a | ||
137 | +@code{/../} component are not allowed. | ||
138 | |||
139 | @cindex compatibility, @command{ar} | ||
140 | @cindex @command{ar} compatibility | ||
141 | Index: binutils-2.24/binutils/objcopy.c | ||
142 | =================================================================== | ||
143 | --- binutils-2.24.orig/binutils/objcopy.c | ||
144 | +++ binutils-2.24/binutils/objcopy.c | ||
145 | @@ -2206,6 +2206,12 @@ copy_archive (bfd *ibfd, bfd *obfd, cons | ||
146 | bfd_boolean del = TRUE; | ||
147 | bfd_boolean ok_object; | ||
148 | |||
149 | + /* PR binutils/17533: Do not allow directory traversal | ||
150 | + outside of the current directory tree by archive members. */ | ||
151 | + if (! is_valid_archive_path (bfd_get_filename (this_element))) | ||
152 | + fatal (_("illegal pathname found in archive member: %s"), | ||
153 | + bfd_get_filename (this_element)); | ||
154 | + | ||
155 | /* Create an output file for this member. */ | ||
156 | output_name = concat (dir, "/", | ||
157 | bfd_get_filename (this_element), (char *) 0); | ||
158 | Index: binutils-2.24/binutils/ChangeLog | ||
159 | =================================================================== | ||
160 | --- binutils-2.24.orig/binutils/ChangeLog | ||
161 | +++ binutils-2.24/binutils/ChangeLog | ||
162 | @@ -1,3 +1,15 @@ | ||
163 | +2014-11-06 Nick Clifton <nickc@redhat.com> | ||
164 | + | ||
165 | + PR binutils/17552, binutils/17533 | ||
166 | + * bucomm.c (is_valid_archive_path): New function. Returns false | ||
167 | + for absolute pathnames and pathnames that include /../. | ||
168 | + * bucomm.h (is_valid_archive_path): Add prototype. | ||
169 | + * ar.c (extract_file): Use new function to check for valid | ||
170 | + pathnames when extracting files from an archive. | ||
171 | + * objcopy.c (copy_archive): Likewise. | ||
172 | + * doc/binutils.texi: Update documentation to mention the | ||
173 | + limitation on pathname of archive members. | ||
174 | + | ||
175 | 2013-11-22 Cory Fields <cory@coryfields.com> | ||
176 | |||
177 | * windres.c (define_resource): Use zero for timestamp, making | ||