diff options
| author | Yuanjie Huang <yuanjie.huang@windriver.com> | 2017-04-11 00:00:24 -0700 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-04-11 18:10:18 +0100 |
| commit | ca22ef73d03ec5140493f29d1fe0cb6c0400c307 (patch) | |
| tree | 09daa69eb2bb69fd5738ccbec10d01769eb1cf8a /meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | |
| parent | 40bf913a720f3c0db57d4ab003cbacda40f50c69 (diff) | |
| download | poky-ca22ef73d03ec5140493f29d1fe0cb6c0400c307.tar.gz | |
binutils: Fix CVE-2017-6965 and CVE-2017-6966
Backport upstream commit to address vulnerabilities:
CVE: CVE-2017-6965
[BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137
Fix readelf writing to illegal addresses whilst processing corrupt input
files containing symbol-difference relocations.
PR binutils/21137
* readelf.c (target_specific_reloc_handling): Add end parameter.
Check for buffer overflow before writing relocated values.
(apply_relocations): Pass end to target_specific_reloc_handling.
CVE: CVE-2017-6966
[BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139
Fix read-after-free error in readelf when processing multiple, relocated
sections in an MSP430 binary.
PR binutils/21139
* readelf.c (target_specific_reloc_handling): Add num_syms
parameter. Check for symbol table overflow before accessing
symbol value. If reloc pointer is NULL, discard all saved state.
(apply_relocations): Pass num_syms to target_specific_reloc_handling.
Call target_specific_reloc_handling with a NULL reloc pointer
after processing all of the relocs.
(From OE-Core rev: 8c52a530ba2beb438aa47956bcec3777a1eafe5f)
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch')
| -rw-r--r-- | meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch new file mode 100644 index 0000000000..1334c9444d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch | |||
| @@ -0,0 +1,124 @@ | |||
| 1 | From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nick Clifton <nickc@redhat.com> | ||
| 3 | Date: Mon, 13 Feb 2017 13:08:32 +0000 | ||
| 4 | Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst | ||
| 5 | processing corrupt input files containing symbol-difference relocations. | ||
| 6 | |||
| 7 | PR binutils/21137 | ||
| 8 | * readelf.c (target_specific_reloc_handling): Add end parameter. | ||
| 9 | Check for buffer overflow before writing relocated values. | ||
| 10 | (apply_relocations): Pass end to target_specific_reloc_handling. | ||
| 11 | |||
| 12 | (cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493) | ||
| 13 | Upstream-Status: Backport [master] | ||
| 14 | CVE: CVE-2017-6965 | ||
| 15 | |||
| 16 | Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> | ||
| 17 | --- | ||
| 18 | binutils/ChangeLog | 7 +++++++ | ||
| 19 | binutils/readelf.c | 30 +++++++++++++++++++++++++----- | ||
| 20 | 2 files changed, 32 insertions(+), 5 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/binutils/ChangeLog b/binutils/ChangeLog | ||
| 23 | index f21867f98c..e789a3b99b 100644 | ||
| 24 | --- a/binutils/ChangeLog | ||
| 25 | +++ b/binutils/ChangeLog | ||
| 26 | @@ -1,3 +1,10 @@ | ||
| 27 | +2017-02-13 Nick Clifton <nickc@redhat.com> | ||
| 28 | + | ||
| 29 | + PR binutils/21137 | ||
| 30 | + * readelf.c (target_specific_reloc_handling): Add end parameter. | ||
| 31 | + Check for buffer overflow before writing relocated values. | ||
| 32 | + (apply_relocations): Pass end to target_specific_reloc_handling. | ||
| 33 | + | ||
| 34 | 2017-03-02 Tristan Gingold <gingold@adacore.com> | ||
| 35 | |||
| 36 | * configure: Regenerate. | ||
| 37 | diff --git a/binutils/readelf.c b/binutils/readelf.c | ||
| 38 | index b5f577f5a1..8cdaae3b8c 100644 | ||
| 39 | --- a/binutils/readelf.c | ||
| 40 | +++ b/binutils/readelf.c | ||
| 41 | @@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED) | ||
| 42 | static bfd_boolean | ||
| 43 | target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
| 44 | unsigned char * start, | ||
| 45 | + unsigned char * end, | ||
| 46 | Elf_Internal_Sym * symtab) | ||
| 47 | { | ||
| 48 | unsigned int reloc_type = get_reloc_type (reloc->r_info); | ||
| 49 | @@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
| 50 | handle_sym_diff: | ||
| 51 | if (saved_sym != NULL) | ||
| 52 | { | ||
| 53 | + int reloc_size = reloc_type == 1 ? 4 : 2; | ||
| 54 | bfd_vma value; | ||
| 55 | |||
| 56 | value = reloc->r_addend | ||
| 57 | + (symtab[get_reloc_symindex (reloc->r_info)].st_value | ||
| 58 | - saved_sym->st_value); | ||
| 59 | |||
| 60 | - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); | ||
| 61 | + if (start + reloc->r_offset + reloc_size >= end) | ||
| 62 | + /* PR 21137 */ | ||
| 63 | + error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
| 64 | + start + reloc->r_offset + reloc_size, end); | ||
| 65 | + else | ||
| 66 | + byte_put (start + reloc->r_offset, value, reloc_size); | ||
| 67 | |||
| 68 | saved_sym = NULL; | ||
| 69 | return TRUE; | ||
| 70 | @@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
| 71 | case 2: /* R_MN10300_16 */ | ||
| 72 | if (saved_sym != NULL) | ||
| 73 | { | ||
| 74 | + int reloc_size = reloc_type == 1 ? 4 : 2; | ||
| 75 | bfd_vma value; | ||
| 76 | |||
| 77 | value = reloc->r_addend | ||
| 78 | + (symtab[get_reloc_symindex (reloc->r_info)].st_value | ||
| 79 | - saved_sym->st_value); | ||
| 80 | |||
| 81 | - byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2); | ||
| 82 | + if (start + reloc->r_offset + reloc_size >= end) | ||
| 83 | + error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
| 84 | + start + reloc->r_offset + reloc_size, end); | ||
| 85 | + else | ||
| 86 | + byte_put (start + reloc->r_offset, value, reloc_size); | ||
| 87 | |||
| 88 | saved_sym = NULL; | ||
| 89 | return TRUE; | ||
| 90 | @@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc, | ||
| 91 | break; | ||
| 92 | |||
| 93 | case 0x41: /* R_RL78_ABS32. */ | ||
| 94 | - byte_put (start + reloc->r_offset, value, 4); | ||
| 95 | + if (start + reloc->r_offset + 4 >= end) | ||
| 96 | + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
| 97 | + start + reloc->r_offset + 2, end); | ||
| 98 | + else | ||
| 99 | + byte_put (start + reloc->r_offset, value, 4); | ||
| 100 | value = 0; | ||
| 101 | return TRUE; | ||
| 102 | |||
| 103 | case 0x43: /* R_RL78_ABS16. */ | ||
| 104 | - byte_put (start + reloc->r_offset, value, 2); | ||
| 105 | + if (start + reloc->r_offset + 2 >= end) | ||
| 106 | + error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"), | ||
| 107 | + start + reloc->r_offset + 2, end); | ||
| 108 | + else | ||
| 109 | + byte_put (start + reloc->r_offset, value, 2); | ||
| 110 | value = 0; | ||
| 111 | return TRUE; | ||
| 112 | |||
| 113 | @@ -12325,7 +12345,7 @@ apply_relocations (void * file, | ||
| 114 | |||
| 115 | reloc_type = get_reloc_type (rp->r_info); | ||
| 116 | |||
| 117 | - if (target_specific_reloc_handling (rp, start, symtab)) | ||
| 118 | + if (target_specific_reloc_handling (rp, start, end, symtab)) | ||
| 119 | continue; | ||
| 120 | else if (is_none_reloc (reloc_type)) | ||
| 121 | continue; | ||
| 122 | -- | ||
| 123 | 2.11.0 | ||
| 124 | |||