binutils: fix three CVE issues

Backport the CVE patches from the upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git; h=30838132997e6a3cfe3ec11c58b32b22f6f6b102 h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d [BZ 23686] https://sourceware.org/bugzilla/show_bug.cgi?id=23686 [BZ 23685] https://sourceware.org/bugzilla/show_bug.cgi?id=23685 The one is for CVE-2018-17358 and CVE-2018-17359, and the another is for CVE-2018-17360. (From OE-Core rev: 2683d8287d6878868d3aa15ce6e6a80ce28d8737) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Zhixiong Chi <zhixiong.chi@windriver.com> 2018-10-16 00:55:04 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-10-16 20:35:43 +0100
commit: 1c106ae64a1776e9e85724293d6b7c7c03f7249d (patch)
tree: e327c78c6ab9b46c981dc0f709420b932c5ad32b /meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
parent: 4e1c5499fefda0c0814153a4a6cdaa5261a3b517 (diff)
download: poky-1c106ae64a1776e9e85724293d6b7c7c03f7249d.tar.gz
1 files changed, 144 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
new file mode 100644
index 0000000000..813509160f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
@@ -0,0 +1,144 @@
+From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 20 Sep 2018 15:29:17 +0930
+Subject: [PATCH] Bug 23686, two segment faults in nm
+Fixes the bugs exposed by the testcases in the PR, plus two more bugs
+I noticed when looking at _bfd_stab_section_find_nearest_line.
+        PR 23686
+        * dwarf2.c (read_section): Error when attempting to malloc
+        "(bfd_size_type) -1".
+        * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+        function_name.  Bounds check reloc address.  Formatting.  Ensure
+        .stabstr zero terminated.
+CVE: CVE-2018-17358 and CVE-2018-17359
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ bfd/ChangeLog |  9 +++++++++
+ bfd/dwarf2.c  |  9 ++++++++-
+ bfd/syms.c    | 22 ++++++++++++++++------
+ 3 files changed, 33 insertions(+), 7 deletions(-)
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 04c0c2a..fef5479 100644
+--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
+@@ -1,3 +1,12 @@
+2018-09-20  Alan Modra  <amodra@gmail.com>
+
+       PR 23686
+       * dwarf2.c (read_section): Error when attempting to malloc
+       "(bfd_size_type) -1".
+       * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
+       function_name.  Bounds check reloc address.  Formatting.  Ensure
+       .stabstr zero terminated.
+
+ 2018-08-12  H.J. Lu  <hongjiu.lu@intel.com>
+ 
+        PR ld/23428
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 3b28855..77a7368 100644
+--- a/bfd/dwarf2.c
+++ b/bfd/dwarf2.c
+@@ -527,6 +527,7 @@ read_section (bfd *       abfd,
+   asection *msec;
+   const char *section_name = sec->uncompressed_name;
+   bfd_byte *contents = *section_buffer;
+  bfd_size_type amt;
+ 
+   /* The section may have already been read.  */
+   if (contents == NULL)
+@@ -549,7 +550,13 @@ read_section (bfd *              abfd,
+       *section_size = msec->rawsize ? msec->rawsize : msec->size;
+       /* Paranoia - alloc one extra so that we can make sure a string
+         section is NUL terminated.  */
+-      contents = (bfd_byte *) bfd_malloc (*section_size + 1);
+      amt = *section_size + 1;
+      if (amt == 0)
+       {
+         bfd_set_error (bfd_error_no_memory);
+         return FALSE;
+       }
+      contents = (bfd_byte *) bfd_malloc (amt);
+       if (contents == NULL)
+        return FALSE;
+       if (syms
+diff --git a/bfd/syms.c b/bfd/syms.c
+index 187071f..e09640a 100644
+--- a/bfd/syms.c
+++ b/bfd/syms.c
+@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                                         0, strsize))
+        return FALSE;
+ 
+      /* Stab strings ought to be nul terminated.  Ensure the last one
+        is, to prevent running off the end of the buffer.  */
+      info->strs[strsize - 1] = 0;
+
+       /* If this is a relocatable object file, we have to relocate
+         the entries in .stab.  This should always be simple 32 bit
+         relocations against symbols defined in this object file, so
+@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                  || r->howto->bitsize != 32
+                  || r->howto->pc_relative
+                  || r->howto->bitpos != 0
+-                 || r->howto->dst_mask != 0xffffffff)
+                 || r->howto->dst_mask != 0xffffffff
+                 || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
+                {
+                  _bfd_error_handler
+                    (_("unsupported .stab relocation"));
+@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                {
+                  nul_fun = stab;
+                  nul_str = str;
+-                 if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+                 if (file_name >= (char *) info->strs + strsize
+                     || file_name < (char *) str)
+                    file_name = NULL;
+                  if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
+                      && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
+@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+                      directory_name = file_name;
+                      file_name = ((char *) str
+                                   + bfd_get_32 (abfd, stab + STRDXOFF));
+-                     if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+                     if (file_name >= (char *) info->strs + strsize
+                         || file_name < (char *) str)
+                        file_name = NULL;
+                    }
+                }
+@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+              file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+              /* PR 17512: file: 0c680a1f.  */
+              /* PR 17512: file: 5da8aec4.  */
+-             if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+             if (file_name >= (char *) info->strs + strsize
+                 || file_name < (char *) str)
+                file_name = NULL;
+              break;
+ 
+@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+              function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+              if (function_name == (char *) str)
+                continue;
+-             if (function_name >= (char *) info->strs + strsize)
+             if (function_name >= (char *) info->strs + strsize
+                 || function_name < (char *) str)
+                function_name = NULL;
+ 
+              nul_fun = NULL;
+@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
+          if (val <= offset)
+            {
+              file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
+-             if (file_name >= (char *) info->strs + strsize || file_name < (char *) str)
+             if (file_name >= (char *) info->strs + strsize
+                 || file_name < (char *) str)
+                file_name = NULL;
+              *pline = 0;
+            }
+-- 
+2.9.3
author	Zhixiong Chi <zhixiong.chi@windriver.com>	2018-10-16 00:55:04 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-10-16 20:35:43 +0100
commit	1c106ae64a1776e9e85724293d6b7c7c03f7249d (patch)
tree	e327c78c6ab9b46c981dc0f709420b932c5ad32b /meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
parent	4e1c5499fefda0c0814153a4a6cdaa5261a3b517 (diff)
download	poky-1c106ae64a1776e9e85724293d6b7c7c03f7249d.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch new file mode 100644 index 0000000000..813509160f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch
@@ -0,0 +1,144 @@
	1	From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001
	2	From: Alan Modra <amodra@gmail.com>
	3	Date: Thu, 20 Sep 2018 15:29:17 +0930
	4	Subject: [PATCH] Bug 23686, two segment faults in nm
	5
	6	Fixes the bugs exposed by the testcases in the PR, plus two more bugs
	7	I noticed when looking at _bfd_stab_section_find_nearest_line.
	8
	9	PR 23686
	10	* dwarf2.c (read_section): Error when attempting to malloc
	11	"(bfd_size_type) -1".
	12	* syms.c (_bfd_stab_section_find_nearest_line): Bounds check
	13	function_name. Bounds check reloc address. Formatting. Ensure
	14	.stabstr zero terminated.
	15	CVE: CVE-2018-17358 and CVE-2018-17359
	16	Upstream-Status: Backport
	17	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
	18	---
	19	bfd/ChangeLog \| 9 +++++++++
	20	bfd/dwarf2.c \| 9 ++++++++-
	21	bfd/syms.c \| 22 ++++++++++++++++------
	22	3 files changed, 33 insertions(+), 7 deletions(-)
	23
	24	diff --git a/bfd/ChangeLog b/bfd/ChangeLog
	25	index 04c0c2a..fef5479 100644
	26	--- a/bfd/ChangeLog
	27	+++ b/bfd/ChangeLog
	28	@@ -1,3 +1,12 @@
	29	+2018-09-20 Alan Modra <amodra@gmail.com>
	30	+
	31	+ PR 23686
	32	+ * dwarf2.c (read_section): Error when attempting to malloc
	33	+ "(bfd_size_type) -1".
	34	+ * syms.c (_bfd_stab_section_find_nearest_line): Bounds check
	35	+ function_name. Bounds check reloc address. Formatting. Ensure
	36	+ .stabstr zero terminated.
	37	+
	38	2018-08-12 H.J. Lu <hongjiu.lu@intel.com>
	39
	40	PR ld/23428
	41	diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
	42	index 3b28855..77a7368 100644
	43	--- a/bfd/dwarf2.c
	44	+++ b/bfd/dwarf2.c
	45	@@ -527,6 +527,7 @@ read_section (bfd * abfd,
	46	asection *msec;
	47	const char *section_name = sec->uncompressed_name;
	48	bfd_byte contents = section_buffer;
	49	+ bfd_size_type amt;
	50
	51	/* The section may have already been read. */
	52	if (contents == NULL)
	53	@@ -549,7 +550,13 @@ read_section (bfd * abfd,
	54	*section_size = msec->rawsize ? msec->rawsize : msec->size;
	55	/* Paranoia - alloc one extra so that we can make sure a string
	56	section is NUL terminated. */
	57	- contents = (bfd_byte ) bfd_malloc (section_size + 1);
	58	+ amt = *section_size + 1;
	59	+ if (amt == 0)
	60	+ {
	61	+ bfd_set_error (bfd_error_no_memory);
	62	+ return FALSE;
	63	+ }
	64	+ contents = (bfd_byte *) bfd_malloc (amt);
	65	if (contents == NULL)
	66	return FALSE;
	67	if (syms
	68	diff --git a/bfd/syms.c b/bfd/syms.c
	69	index 187071f..e09640a 100644
	70	--- a/bfd/syms.c
	71	+++ b/bfd/syms.c
	72	@@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	73	0, strsize))
	74	return FALSE;
	75
	76	+ /* Stab strings ought to be nul terminated. Ensure the last one
	77	+ is, to prevent running off the end of the buffer. */
	78	+ info->strs[strsize - 1] = 0;
	79	+
	80	/* If this is a relocatable object file, we have to relocate
	81	the entries in .stab. This should always be simple 32 bit
	82	relocations against symbols defined in this object file, so
	83	@@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	84	\|\| r->howto->bitsize != 32
	85	\|\| r->howto->pc_relative
	86	\|\| r->howto->bitpos != 0
	87	- \|\| r->howto->dst_mask != 0xffffffff)
	88	+ \|\| r->howto->dst_mask != 0xffffffff
	89	+ \|\| r->address * bfd_octets_per_byte (abfd) + 4 > stabsize)
	90	{
	91	_bfd_error_handler
	92	(_("unsupported .stab relocation"));
	93	@@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	94	{
	95	nul_fun = stab;
	96	nul_str = str;
	97	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
	98	+ if (file_name >= (char *) info->strs + strsize
	99	+ \|\| file_name < (char *) str)
	100	file_name = NULL;
	101	if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize
	102	&& *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO)
	103	@@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	104	directory_name = file_name;
	105	file_name = ((char *) str
	106	+ bfd_get_32 (abfd, stab + STRDXOFF));
	107	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
	108	+ if (file_name >= (char *) info->strs + strsize
	109	+ \|\| file_name < (char *) str)
	110	file_name = NULL;
	111	}
	112	}
	113	@@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	114	file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
	115	/* PR 17512: file: 0c680a1f. */
	116	/* PR 17512: file: 5da8aec4. */
	117	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
	118	+ if (file_name >= (char *) info->strs + strsize
	119	+ \|\| file_name < (char *) str)
	120	file_name = NULL;
	121	break;
	122
	123	@@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	124	function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
	125	if (function_name == (char *) str)
	126	continue;
	127	- if (function_name >= (char *) info->strs + strsize)
	128	+ if (function_name >= (char *) info->strs + strsize
	129	+ \|\| function_name < (char *) str)
	130	function_name = NULL;
	131
	132	nul_fun = NULL;
	133	@@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd,
	134	if (val <= offset)
	135	{
	136	file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF);
	137	- if (file_name >= (char ) info->strs + strsize \|\| file_name < (char ) str)
	138	+ if (file_name >= (char *) info->strs + strsize
	139	+ \|\| file_name < (char *) str)
	140	file_name = NULL;
	141	*pline = 0;
	142	}
	143	--
	144	2.9.3