diff options
author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2017-05-24 02:55:17 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-25 23:59:32 +0100 |
commit | 204d9a0e011075ca8500ee406e7a7e0942fa9ee8 (patch) | |
tree | b1cc2a9401689fde24a6a96926ce7be7a1bc1eac | |
parent | 8759812810afeef5c296836fe4192fe2bbfe01d9 (diff) | |
download | poky-204d9a0e011075ca8500ee406e7a7e0942fa9ee8.tar.gz |
binutils: fix CVE-2017-6969 in readelf
CVE: CVE-2017-6969
[BZ 21156] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21156
PR binutils/21156: Fix illegal memory accesses in readelf when
ing a corrupt binary.
PR binutils/21156: Fix another memory access error in readelf when
parsing a corrupt binary.
(From OE-Core rev: de04c9811f7ce5179ba261bd8eae921d7873d6cd)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 181 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 54925054d7..75eca32b24 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc | |||
@@ -39,6 +39,8 @@ SRC_URI = "\ | |||
39 | file://CVE-2017-6966.patch \ | 39 | file://CVE-2017-6966.patch \ |
40 | file://0017-bfd-Improve-lookup-of-file-line-information-for-erro.patch \ | 40 | file://0017-bfd-Improve-lookup-of-file-line-information-for-erro.patch \ |
41 | file://0018-PR-21409-segfault-in-_bfd_dwarf2_find_nearest_line.patch \ | 41 | file://0018-PR-21409-segfault-in-_bfd_dwarf2_find_nearest_line.patch \ |
42 | file://CVE-2017-6969.patch \ | ||
43 | file://CVE-2017-6969_2.patch \ | ||
42 | " | 44 | " |
43 | S = "${WORKDIR}/git" | 45 | S = "${WORKDIR}/git" |
44 | 46 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch new file mode 100644 index 0000000000..ed5403430c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 1d9a2696903fc59d6a936f4ab4e4407ef329d066 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Fri, 17 Feb 2017 15:59:45 +0000 | ||
4 | Subject: Fix illegal memory accesses in readelf when parsing | ||
5 | a corrupt binary. | ||
6 | |||
7 | PR binutils/21156 | ||
8 | * readelf.c (find_section_in_set): Test for invalid section | ||
9 | indicies. | ||
10 | |||
11 | CVE: CVE-2017-6969 | ||
12 | Upstream-Status: Backport [master] | ||
13 | |||
14 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
15 | --- | ||
16 | binutils/ChangeLog | 6 ++++++ | ||
17 | binutils/readelf.c | 10 ++++++++-- | ||
18 | 2 files changed, 14 insertions(+), 2 deletions(-) | ||
19 | |||
20 | diff --git a/binutils/ChangeLog b/binutils/ChangeLog | ||
21 | index bd63c8a0d8..1d840b42f9 100644 | ||
22 | --- a/binutils/ChangeLog | ||
23 | +++ b/binutils/ChangeLog | ||
24 | @@ -1,3 +1,9 @@ | ||
25 | +2017-02-17 Nick Clifton <nickc@redhat.com> | ||
26 | + | ||
27 | + PR binutils/21156 | ||
28 | + * readelf.c (find_section_in_set): Test for invalid section | ||
29 | + indicies. | ||
30 | + | ||
31 | 2017-02-13 Nick Clifton <nickc@redhat.com> | ||
32 | |||
33 | PR binutils/21139 | ||
34 | diff --git a/binutils/readelf.c b/binutils/readelf.c | ||
35 | index 7c158c6342..4960491c5c 100644 | ||
36 | --- a/binutils/readelf.c | ||
37 | +++ b/binutils/readelf.c | ||
38 | @@ -675,8 +675,14 @@ find_section_in_set (const char * name, unsigned int * set) | ||
39 | if (set != NULL) | ||
40 | { | ||
41 | while ((i = *set++) > 0) | ||
42 | - if (streq (SECTION_NAME (section_headers + i), name)) | ||
43 | - return section_headers + i; | ||
44 | + { | ||
45 | + /* See PR 21156 for a reproducer. */ | ||
46 | + if (i >= elf_header.e_shnum) | ||
47 | + continue; /* FIXME: Should we issue an error message ? */ | ||
48 | + | ||
49 | + if (streq (SECTION_NAME (section_headers + i), name)) | ||
50 | + return section_headers + i; | ||
51 | + } | ||
52 | } | ||
53 | |||
54 | return find_section (name); | ||
55 | -- | ||
56 | 2.11.0 | ||
57 | |||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch new file mode 100644 index 0000000000..59a5dec675 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6969_2.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | From ef81126314f67472a46db9581530fbf5ccb6b3f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Nick Clifton <nickc@redhat.com> | ||
3 | Date: Mon, 20 Feb 2017 14:40:39 +0000 | ||
4 | Subject: Fix another memory access error in readelf when | ||
5 | parsing a corrupt binary. | ||
6 | |||
7 | PR binutils/21156 | ||
8 | * dwarf.c (cu_tu_indexes_read): Move into... | ||
9 | (load_cu_tu_indexes): ... here. Change the variable into | ||
10 | tri-state. Change the function into boolean, returning | ||
11 | false if the indicies could not be loaded. | ||
12 | (find_cu_tu_set): Return NULL if the indicies could not be | ||
13 | loaded. | ||
14 | |||
15 | CVE: CVE-2017-6969 | ||
16 | Upstream-Status: Backport [master] | ||
17 | |||
18 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
19 | --- | ||
20 | binutils/ChangeLog | 10 ++++++++++ | ||
21 | binutils/dwarf.c | 34 ++++++++++++++++++++-------------- | ||
22 | 2 files changed, 30 insertions(+), 14 deletions(-) | ||
23 | |||
24 | diff --git a/binutils/ChangeLog b/binutils/ChangeLog | ||
25 | index 1d840b42f9..53352c1801 100644 | ||
26 | --- a/binutils/ChangeLog | ||
27 | +++ b/binutils/ChangeLog | ||
28 | @@ -1,3 +1,13 @@ | ||
29 | +2017-02-20 Nick Clifton <nickc@redhat.com> | ||
30 | + | ||
31 | + PR binutils/21156 | ||
32 | + * dwarf.c (cu_tu_indexes_read): Move into... | ||
33 | + (load_cu_tu_indexes): ... here. Change the variable into | ||
34 | + tri-state. Change the function into boolean, returning | ||
35 | + false if the indicies could not be loaded. | ||
36 | + (find_cu_tu_set): Return NULL if the indicies could not be | ||
37 | + loaded. | ||
38 | + | ||
39 | 2017-02-17 Nick Clifton <nickc@redhat.com> | ||
40 | |||
41 | PR binutils/21156 | ||
42 | diff --git a/binutils/dwarf.c b/binutils/dwarf.c | ||
43 | index 0184a7ab2e..6d879c9b61 100644 | ||
44 | --- a/binutils/dwarf.c | ||
45 | +++ b/binutils/dwarf.c | ||
46 | @@ -76,7 +76,6 @@ int dwarf_check = 0; | ||
47 | as a zero-terminated list of section indexes comprising one set of debug | ||
48 | sections from a .dwo file. */ | ||
49 | |||
50 | -static int cu_tu_indexes_read = 0; | ||
51 | static unsigned int *shndx_pool = NULL; | ||
52 | static unsigned int shndx_pool_size = 0; | ||
53 | static unsigned int shndx_pool_used = 0; | ||
54 | @@ -99,7 +98,7 @@ static int tu_count = 0; | ||
55 | static struct cu_tu_set *cu_sets = NULL; | ||
56 | static struct cu_tu_set *tu_sets = NULL; | ||
57 | |||
58 | -static void load_cu_tu_indexes (void *file); | ||
59 | +static bfd_boolean load_cu_tu_indexes (void *); | ||
60 | |||
61 | /* Values for do_debug_lines. */ | ||
62 | #define FLAG_DEBUG_LINES_RAW 1 | ||
63 | @@ -2715,7 +2714,7 @@ load_debug_info (void * file) | ||
64 | return num_debug_info_entries; | ||
65 | |||
66 | /* If this is a DWARF package file, load the CU and TU indexes. */ | ||
67 | - load_cu_tu_indexes (file); | ||
68 | + (void) load_cu_tu_indexes (file); | ||
69 | |||
70 | if (load_debug_section (info, file) | ||
71 | && process_debug_info (&debug_displays [info].section, file, abbrev, 1, 0)) | ||
72 | @@ -7378,21 +7377,27 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) | ||
73 | section sets that we can use to associate a .debug_info.dwo section | ||
74 | with its associated .debug_abbrev.dwo section in a .dwp file. */ | ||
75 | |||
76 | -static void | ||
77 | +static bfd_boolean | ||
78 | load_cu_tu_indexes (void *file) | ||
79 | { | ||
80 | + static int cu_tu_indexes_read = -1; /* Tri-state variable. */ | ||
81 | + | ||
82 | /* If we have already loaded (or tried to load) the CU and TU indexes | ||
83 | then do not bother to repeat the task. */ | ||
84 | - if (cu_tu_indexes_read) | ||
85 | - return; | ||
86 | - | ||
87 | - if (load_debug_section (dwp_cu_index, file)) | ||
88 | - process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0); | ||
89 | - | ||
90 | - if (load_debug_section (dwp_tu_index, file)) | ||
91 | - process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0); | ||
92 | + if (cu_tu_indexes_read == -1) | ||
93 | + { | ||
94 | + cu_tu_indexes_read = TRUE; | ||
95 | + | ||
96 | + if (load_debug_section (dwp_cu_index, file)) | ||
97 | + if (! process_cu_tu_index (&debug_displays [dwp_cu_index].section, 0)) | ||
98 | + cu_tu_indexes_read = FALSE; | ||
99 | + | ||
100 | + if (load_debug_section (dwp_tu_index, file)) | ||
101 | + if (! process_cu_tu_index (&debug_displays [dwp_tu_index].section, 0)) | ||
102 | + cu_tu_indexes_read = FALSE; | ||
103 | + } | ||
104 | |||
105 | - cu_tu_indexes_read = 1; | ||
106 | + return (bfd_boolean) cu_tu_indexes_read; | ||
107 | } | ||
108 | |||
109 | /* Find the set of sections that includes section SHNDX. */ | ||
110 | @@ -7402,7 +7407,8 @@ find_cu_tu_set (void *file, unsigned int shndx) | ||
111 | { | ||
112 | unsigned int i; | ||
113 | |||
114 | - load_cu_tu_indexes (file); | ||
115 | + if (! load_cu_tu_indexes (file)) | ||
116 | + return NULL; | ||
117 | |||
118 | /* Find SHNDX in the shndx pool. */ | ||
119 | for (i = 0; i < shndx_pool_used; i++) | ||
120 | -- | ||
121 | 2.11.0 | ||
122 | |||