author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2017-04-11 00:00:24 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-11 18:10:18 +0100 |
commit | ca22ef73d03ec5140493f29d1fe0cb6c0400c307 (patch) | |
tree | 09daa69eb2bb69fd5738ccbec10d01769eb1cf8a /meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | |
parent | 40bf913a720f3c0db57d4ab003cbacda40f50c69 (diff) | |
download | poky-ca22ef73d03ec5140493f29d1fe0cb6c0400c307.tar.gz |
binutils: Fix CVE-2017-6965 and CVE-2017-6966
Backport upstream commit to address vulnerabilities:
CVE: CVE-2017-6965
[BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137
Fix readelf writing to illegal addresses whilst processing corrupt input
files containing symbol-difference relocations.
PR binutils/21137
* readelf.c (target_specific_reloc_handling): Add end parameter.
Check for buffer overflow before writing relocated values.
(apply_relocations): Pass end to target_specific_reloc_handling.
CVE: CVE-2017-6966
[BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139
Fix read-after-free error in readelf when processing multiple, relocated
sections in an MSP430 binary.
PR binutils/21139
* readelf.c (target_specific_reloc_handling): Add num_syms
parameter. Check for symbol table overflow before accessing
symbol value. If reloc pointer is NULL, discard all saved state.
(apply_relocations): Pass num_syms to target_specific_reloc_handling.
Call target_specific_reloc_handling with a NULL reloc pointer
after processing all of the relocs.
(From OE-Core rev: 8c52a530ba2beb438aa47956bcec3777a1eafe5f)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch')
-rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | 124 |
1 files changed, 124 insertions, 0 deletions
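--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,124 @@
+From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 13:08:32 +0000
+Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
+processing corrupt input files containing symbol-difference relocations.
+
+PR binutils/21137
+* readelf.c (target_specific_reloc_handling): Add end parameter.
+Check for buffer overflow before writing relocated values.
+(apply_relocations): Pass end to target_specific_reloc_handling.
+
+(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6965
+
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+binutils/ChangeLog | 7 +++++++
+binutils/readelf.c | 30 +++++++++++++++++++++++++-----
+2 files changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index f21867f98c..e789a3b99b 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,10 @@
++2017-02-13 Nick Clifton <nickc@redhat.com>
++
++ PR binutils/21137
++ * readelf.c (target_specific_reloc_handling): Add end parameter.
++ Check for buffer overflow before writing relocated values.
++ (apply_relocations): Pass end to target_specific_reloc_handling.
++
+2017-03-02 Tristan Gingold <gingold@adacore.com>
+
+* configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b5f577f5a1..8cdaae3b8c 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+static bfd_boolean
+target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+unsigned char * start,
++ unsigned char * end,
+Elf_Internal_Sym * symtab)
+{
+unsigned int reloc_type = get_reloc_type (reloc->r_info);
+@@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+handle_sym_diff:
+if (saved_sym != NULL)
+{
++ int reloc_size = reloc_type == 1 ? 4 : 2;
+bfd_vma value;
+
+value = reloc->r_addend
++ (symtab[get_reloc_symindex (reloc->r_info)].st_value
+- saved_sym->st_value);
+
+- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
++ if (start + reloc->r_offset + reloc_size >= end)
++ /* PR 21137 */
++ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
+
+saved_sym = NULL;
+return TRUE;
+@@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+case 2: /* R_MN10300_16 */
+if (saved_sym != NULL)
+{
++ int reloc_size = reloc_type == 1 ? 4 : 2;
+bfd_vma value;
+
+value = reloc->r_addend
++ (symtab[get_reloc_symindex (reloc->r_info)].st_value
+- saved_sym->st_value);
+
+- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
++ if (start + reloc->r_offset + reloc_size >= end)
++ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + reloc_size, end);
++ else
++ byte_put (start + reloc->r_offset, value, reloc_size);
+
+saved_sym = NULL;
+return TRUE;
+@@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+break;
+
+case 0x41: /* R_RL78_ABS32. */
+- byte_put (start + reloc->r_offset, value, 4);
++ if (start + reloc->r_offset + 4 >= end)
++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + 2, end);
++ else
++ byte_put (start + reloc->r_offset, value, 4);
+value = 0;
+return TRUE;
+
+case 0x43: /* R_RL78_ABS16. */
+- byte_put (start + reloc->r_offset, value, 2);
++ if (start + reloc->r_offset + 2 >= end)
++ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
++ start + reloc->r_offset + 2, end);
++ else
++ byte_put (start + reloc->r_offset, value, 2);
+value = 0;
+return TRUE;
+
+@@ -12325,7 +12345,7 @@ apply_relocations (void * file,
+
+reloc_type = get_reloc_type (rp->r_info);
+
+- if (target_specific_reloc_handling (rp, start, symtab))
++ if (target_specific_reloc_handling (rp, start, end, symtab))
+continue;
+else if (is_none_reloc (reloc_type))
+continue;
+--
+2.11.0
+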
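Review bot: The four bounds checks added to readelf.c (`start + reloc->r_offset + reloc_size >= end` in the MSP430 and MN10300 sym-diff cases, and the `+ 4` / `+ 2` forms for R_RL78_ABS32 and R_RL78_ABS16) build the end address by pointer addition before comparing it, and `r_offset` is read from the input file. An offset large enough to carry that sum out of the section's object is undefined behaviour and the result may compare below `end`, so the guard is safer written on offsets: `bfd_vma avail = end - start;` then `if (reloc->r_offset > avail || avail - reloc->r_offset < (bfd_vma) reloc_size)`. If `end` is one past the last byte of the section, the existing `>=` also rejects a write that finishes exactly at the section end. In the R_RL78_ABS32 branch the diagnostic prints `start + reloc->r_offset + 2` while the test uses `+ 4`, so the reported address will not match the rejected one. The `symtab[get_reloc_symindex (reloc->r_info)]` reads in the context lines remain unchecked in this patch (the commit message attributes a `num_syms` check to the CVE-2017-6966 change, which is not part of this file), and the body of target_specific_reloc_handling continues outside the hunks shown.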