binutils: Fix CVE-2017-6965 and CVE-2017-6966

Backport upstream commit to address vulnerabilities: CVE: CVE-2017-6965 [BZ 21137] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21137 Fix readelf writing to illegal addresses whilst processing corrupt input files containing symbol-difference relocations. PR binutils/21137 * readelf.c (target_specific_reloc_handling): Add end parameter. Check for buffer overflow before writing relocated values. (apply_relocations): Pass end to target_specific_reloc_handling. CVE: CVE-2017-6966 [BZ 21139] -- https://sourceware.org/bugzilla/show_bug.cgi?id=21139 Fix read-after-free error in readelf when processing multiple, relocated sections in an MSP430 binary. PR binutils/21139 * readelf.c (target_specific_reloc_handling): Add num_syms parameter. Check for symbol table overflow before accessing symbol value. If reloc pointer is NULL, discard all saved state. (apply_relocations): Pass num_syms to target_specific_reloc_handling. Call target_specific_reloc_handling with a NULL reloc pointer after processing all of the relocs. (From OE-Core rev: 8c52a530ba2beb438aa47956bcec3777a1eafe5f) Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yuanjie Huang <yuanjie.huang@windriver.com> 2017-04-11 00:00:24 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-04-11 18:10:18 +0100
commit: ca22ef73d03ec5140493f29d1fe0cb6c0400c307 (patch)
tree: 09daa69eb2bb69fd5738ccbec10d01769eb1cf8a /meta/recipes-devtools/binutils
parent: 40bf913a720f3c0db57d4ab003cbacda40f50c69 (diff)
download: poky-ca22ef73d03ec5140493f29d1fe0cb6c0400c307.tar.gz
3 files changed, 367 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc
index 76b81b04ca..7585da1ca9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.28.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -35,6 +35,8 @@ SRC_URI = "\
     file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
     file://0015-sync-with-OE-libtool-changes.patch \
     file://0016-Detect-64-bit-MIPS-targets.patch \
+     file://CVE-2017-6965.patch \
+     file://CVE-2017-6966.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
new file mode 100644
index 0000000000..1334c9444d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,124 @@
+From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 13:08:32 +0000
+Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
+ processing corrupt input files containing symbol-difference relocations.
+        PR binutils/21137
+        * readelf.c (target_specific_reloc_handling): Add end parameter.
+        Check for buffer overflow before writing relocated values.
+        (apply_relocations): Pass end to target_specific_reloc_handling.
+(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6965
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  7 +++++++
+ binutils/readelf.c | 30 +++++++++++++++++++++++++-----
+ 2 files changed, 32 insertions(+), 5 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index f21867f98c..e789a3b99b 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,3 +1,10 @@
+2017-02-13  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21137
+       * readelf.c (target_specific_reloc_handling): Add end parameter.
+       Check for buffer overflow before writing relocated values.
+       (apply_relocations): Pass end to target_specific_reloc_handling.
+
+ 2017-03-02  Tristan Gingold  <gingold@adacore.com>
+ 
+        * configure: Regenerate.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index b5f577f5a1..8cdaae3b8c 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                                unsigned char *     start,
+                               unsigned char *     end,
+                                Elf_Internal_Sym *  symtab)
+ {
+   unsigned int reloc_type = get_reloc_type (reloc->r_info);
+@@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+          handle_sym_diff:
+            if (saved_sym != NULL)
+              {
+               int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+                value = reloc->r_addend
+                  + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+                     - saved_sym->st_value);
+ 
+-               byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
+               if (start + reloc->r_offset + reloc_size >= end)
+                 /* PR 21137 */
+                 error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+                        start + reloc->r_offset + reloc_size, end);
+               else
+                 byte_put (start + reloc->r_offset, value, reloc_size);
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+          case 2: /* R_MN10300_16 */
+            if (saved_sym != NULL)
+              {
+               int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+                value = reloc->r_addend
+                  + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+                     - saved_sym->st_value);
+ 
+-               byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
+               if (start + reloc->r_offset + reloc_size >= end)
+                 error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+                        start + reloc->r_offset + reloc_size, end);
+               else
+                 byte_put (start + reloc->r_offset, value, reloc_size);
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+            break;
+ 
+          case 0x41: /* R_RL78_ABS32.  */
+-           byte_put (start + reloc->r_offset, value, 4);
+           if (start + reloc->r_offset + 4 >= end)
+             error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
+                    start + reloc->r_offset + 2, end);
+           else
+             byte_put (start + reloc->r_offset, value, 4);
+            value = 0;
+            return TRUE;
+ 
+          case 0x43: /* R_RL78_ABS16.  */
+-           byte_put (start + reloc->r_offset, value, 2);
+           if (start + reloc->r_offset + 2 >= end)
+             error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
+                    start + reloc->r_offset + 2, end);
+           else
+             byte_put (start + reloc->r_offset, value, 2);
+            value = 0;
+            return TRUE;
+ 
+@@ -12325,7 +12345,7 @@ apply_relocations (void *                     file,
+ 
+          reloc_type = get_reloc_type (rp->r_info);
+ 
+-         if (target_specific_reloc_handling (rp, start, symtab))
+         if (target_specific_reloc_handling (rp, start, end, symtab))
+            continue;
+          else if (is_none_reloc (reloc_type))
+            continue;
+-- 
+2.11.0
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
new file mode 100644
index 0000000000..dd58df5fbf
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
@@ -0,0 +1,241 @@
+From 383ec757d27652448d1511169e1133f486abf54f Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 13 Feb 2017 14:03:22 +0000
+Subject: [PATCH] Fix read-after-free error in readelf when processing
+ multiple, relocated sections in an MSP430 binary.
+        PR binutils/21139
+        * readelf.c (target_specific_reloc_handling): Add num_syms
+        parameter.  Check for symbol table overflow before accessing
+        symbol value.  If reloc pointer is NULL, discard all saved state.
+        (apply_relocations): Pass num_syms to target_specific_reloc_handling.
+        Call target_specific_reloc_handling with a NULL reloc pointer
+        after processing all of the relocs.
+(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
+Upstream-Status: Backport [master]
+CVE: CVE-2017-6966
+Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
+---
+ binutils/ChangeLog |  10 +++++
+ binutils/readelf.c | 109 +++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 94 insertions(+), 25 deletions(-)
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index e789a3b99b..bd63c8a0d8 100644
+--- a/binutils/ChangeLog
+++ b/binutils/ChangeLog
+@@ -1,5 +1,15 @@
+ 2017-02-13  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21139
+       * readelf.c (target_specific_reloc_handling): Add num_syms
+       parameter.  Check for symbol table overflow before accessing
+       symbol value.  If reloc pointer is NULL, discard all saved state.
+       (apply_relocations): Pass num_syms to target_specific_reloc_handling.
+       Call target_specific_reloc_handling with a NULL reloc pointer
+       after processing all of the relocs.
+
+2017-02-13  Nick Clifton  <nickc@redhat.com>
+
+        PR binutils/21137
+        * readelf.c (target_specific_reloc_handling): Add end parameter.
+        Check for buffer overflow before writing relocated values.
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 8cdaae3b8c..7c158c6342 100644
+--- a/binutils/readelf.c
+++ b/binutils/readelf.c
+@@ -11580,15 +11580,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
+ 
+ /* Check to see if the given reloc needs to be handled in a target specific
+    manner.  If so then process the reloc and return TRUE otherwise return
+-   FALSE.  */
+   FALSE.
+
+   If called with reloc == NULL, then this is a signal that reloc processing
+   for the current section has finished, and any saved state should be
+   discarded.  */
+ 
+ static bfd_boolean
+ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                                unsigned char *     start,
+                                unsigned char *     end,
+-                               Elf_Internal_Sym *  symtab)
+                               Elf_Internal_Sym *  symtab,
+                               unsigned long       num_syms)
+ {
+-  unsigned int reloc_type = get_reloc_type (reloc->r_info);
+  unsigned int reloc_type = 0;
+  unsigned long sym_index = 0;
+
+  if (reloc)
+    {
+      reloc_type = get_reloc_type (reloc->r_info);
+      sym_index = get_reloc_symindex (reloc->r_info);
+    }
+ 
+   switch (elf_header.e_machine)
+     {
+@@ -11597,6 +11609,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+       {
+        static Elf_Internal_Sym * saved_sym = NULL;
+ 
+       if (reloc == NULL)
+         {
+           saved_sym = NULL;
+           return TRUE;
+         }
+
+        switch (reloc_type)
+          {
+          case 10: /* R_MSP430_SYM_DIFF */
+@@ -11604,7 +11622,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+              break;
+            /* Fall through.  */
+          case 21: /* R_MSP430X_SYM_DIFF */
+-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
+           /* PR 21139.  */
+           if (sym_index >= num_syms)
+             error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             saved_sym = symtab + sym_index;
+            return TRUE;
+ 
+          case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
+@@ -11629,16 +11652,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+-               value = reloc->r_addend
+-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+-                    - saved_sym->st_value);
+-
+-               if (start + reloc->r_offset + reloc_size >= end)
+-                 /* PR 21137 */
+-                 error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+-                        start + reloc->r_offset + reloc_size, end);
+               if (sym_index >= num_syms)
+                 error (_("MSP430 reloc contains invalid symbol index %lu\n"),
+                        sym_index);
+                else
+-                 byte_put (start + reloc->r_offset, value, reloc_size);
+                 {
+                   value = reloc->r_addend + (symtab[sym_index].st_value
+                                              - saved_sym->st_value);
+
+                   if (start + reloc->r_offset + reloc_size >= end)
+                     /* PR 21137 */
+                     error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
+                            start + reloc->r_offset + reloc_size, end);
+                   else
+                     byte_put (start + reloc->r_offset, value, reloc_size);
+                 }
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11658,13 +11686,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+       {
+        static Elf_Internal_Sym * saved_sym = NULL;
+ 
+       if (reloc == NULL)
+         {
+           saved_sym = NULL;
+           return TRUE;
+         }
+
+        switch (reloc_type)
+          {
+          case 34: /* R_MN10300_ALIGN */
+            return TRUE;
+          case 33: /* R_MN10300_SYM_DIFF */
+-           saved_sym = symtab + get_reloc_symindex (reloc->r_info);
+           if (sym_index >= num_syms)
+             error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             saved_sym = symtab + sym_index;
+            return TRUE;
+
+          case 1: /* R_MN10300_32 */
+          case 2: /* R_MN10300_16 */
+            if (saved_sym != NULL)
+@@ -11672,15 +11711,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+                int reloc_size = reloc_type == 1 ? 4 : 2;
+                bfd_vma value;
+ 
+-               value = reloc->r_addend
+-                 + (symtab[get_reloc_symindex (reloc->r_info)].st_value
+-                    - saved_sym->st_value);
+-
+-               if (start + reloc->r_offset + reloc_size >= end)
+-                 error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+-                        start + reloc->r_offset + reloc_size, end);
+               if (sym_index >= num_syms)
+                 error (_("MN10300 reloc contains invalid symbol index %lu\n"),
+                        sym_index);
+                else
+-                 byte_put (start + reloc->r_offset, value, reloc_size);
+                 {
+                   value = reloc->r_addend + (symtab[sym_index].st_value
+                                              - saved_sym->st_value);
+
+                   if (start + reloc->r_offset + reloc_size >= end)
+                     error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
+                            start + reloc->r_offset + reloc_size, end);
+                   else
+                     byte_put (start + reloc->r_offset, value, reloc_size);
+                 }
+ 
+                saved_sym = NULL;
+                return TRUE;
+@@ -11700,12 +11744,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
+        static bfd_vma saved_sym2 = 0;
+        static bfd_vma value;
+ 
+       if (reloc == NULL)
+         {
+           saved_sym1 = saved_sym2 = 0;
+           return TRUE;
+         }
+
+        switch (reloc_type)
+          {
+          case 0x80: /* R_RL78_SYM.  */
+            saved_sym1 = saved_sym2;
+-           saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
+-           saved_sym2 += reloc->r_addend;
+           if (sym_index >= num_syms)
+             error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
+                    sym_index);
+           else
+             {
+               saved_sym2 = symtab[sym_index].st_value;
+               saved_sym2 += reloc->r_addend;
+             }
+            return TRUE;
+ 
+          case 0x83: /* R_RL78_OPsub.  */
+@@ -12345,7 +12401,7 @@ apply_relocations (void *                     file,
+ 
+          reloc_type = get_reloc_type (rp->r_info);
+ 
+-         if (target_specific_reloc_handling (rp, start, end, symtab))
+         if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
+            continue;
+          else if (is_none_reloc (reloc_type))
+            continue;
+@@ -12441,6 +12497,9 @@ apply_relocations (void *                     file,
+        }
+ 
+       free (symtab);
+      /* Let the target specific reloc processing code know that
+        we have finished with these relocs.  */
+      target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
+ 
+       if (relocs_return)
+        {
+-- 
+2.11.0
author	Yuanjie Huang <yuanjie.huang@windriver.com>	2017-04-11 00:00:24 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-04-11 18:10:18 +0100
commit	ca22ef73d03ec5140493f29d1fe0cb6c0400c307 (patch)
tree	09daa69eb2bb69fd5738ccbec10d01769eb1cf8a /meta/recipes-devtools/binutils
parent	40bf913a720f3c0db57d4ab003cbacda40f50c69 (diff)
download	poky-ca22ef73d03ec5140493f29d1fe0cb6c0400c307.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.28.inc b/meta/recipes-devtools/binutils/binutils-2.28.inc index 76b81b04ca..7585da1ca9 100644 --- a/meta/recipes-devtools/binutils/binutils-2.28.inc +++ b/meta/recipes-devtools/binutils/binutils-2.28.inc
@@ -35,6 +35,8 @@ SRC_URI = "\
35	file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \	35	file://0014-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
36	file://0015-sync-with-OE-libtool-changes.patch \	36	file://0015-sync-with-OE-libtool-changes.patch \
37	file://0016-Detect-64-bit-MIPS-targets.patch \	37	file://0016-Detect-64-bit-MIPS-targets.patch \
		38	file://CVE-2017-6965.patch \
		39	file://CVE-2017-6966.patch \
38	"	40	"
39	S = "${WORKDIR}/git"	41	S = "${WORKDIR}/git"
40		42


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch new file mode 100644 index 0000000000..1334c9444d --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6965.patch
@@ -0,0 +1,124 @@
		1	From bdc5166c274b842f83f8328e7cfaaf80fd29934e Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Mon, 13 Feb 2017 13:08:32 +0000
		4	Subject: [PATCH 1/2] Fix readelf writing to illegal addresses whilst
		5	processing corrupt input files containing symbol-difference relocations.
		6
		7	PR binutils/21137
		8	* readelf.c (target_specific_reloc_handling): Add end parameter.
		9	Check for buffer overflow before writing relocated values.
		10	(apply_relocations): Pass end to target_specific_reloc_handling.
		11
		12	(cherry pick from commit 03f7786e2f440b9892b1c34a58fb26222ce1b493)
		13	Upstream-Status: Backport [master]
		14	CVE: CVE-2017-6965
		15
		16	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		17	---
		18	binutils/ChangeLog \| 7 +++++++
		19	binutils/readelf.c \| 30 +++++++++++++++++++++++++-----
		20	2 files changed, 32 insertions(+), 5 deletions(-)
		21
		22	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		23	index f21867f98c..e789a3b99b 100644
		24	--- a/binutils/ChangeLog
		25	+++ b/binutils/ChangeLog
		26	@@ -1,3 +1,10 @@
		27	+2017-02-13 Nick Clifton <nickc@redhat.com>
		28	+
		29	+ PR binutils/21137
		30	+ * readelf.c (target_specific_reloc_handling): Add end parameter.
		31	+ Check for buffer overflow before writing relocated values.
		32	+ (apply_relocations): Pass end to target_specific_reloc_handling.
		33	+
		34	2017-03-02 Tristan Gingold <gingold@adacore.com>
		35
		36	* configure: Regenerate.
		37	diff --git a/binutils/readelf.c b/binutils/readelf.c
		38	index b5f577f5a1..8cdaae3b8c 100644
		39	--- a/binutils/readelf.c
		40	+++ b/binutils/readelf.c
		41	@@ -11585,6 +11585,7 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
		42	static bfd_boolean
		43	target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		44	unsigned char * start,
		45	+ unsigned char * end,
		46	Elf_Internal_Sym * symtab)
		47	{
		48	unsigned int reloc_type = get_reloc_type (reloc->r_info);
		49	@@ -11625,13 +11626,19 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		50	handle_sym_diff:
		51	if (saved_sym != NULL)
		52	{
		53	+ int reloc_size = reloc_type == 1 ? 4 : 2;
		54	bfd_vma value;
		55
		56	value = reloc->r_addend
		57	+ (symtab[get_reloc_symindex (reloc->r_info)].st_value
		58	- saved_sym->st_value);
		59
		60	- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
		61	+ if (start + reloc->r_offset + reloc_size >= end)
		62	+ /* PR 21137 */
		63	+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
		64	+ start + reloc->r_offset + reloc_size, end);
		65	+ else
		66	+ byte_put (start + reloc->r_offset, value, reloc_size);
		67
		68	saved_sym = NULL;
		69	return TRUE;
		70	@@ -11662,13 +11669,18 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		71	case 2: /* R_MN10300_16 */
		72	if (saved_sym != NULL)
		73	{
		74	+ int reloc_size = reloc_type == 1 ? 4 : 2;
		75	bfd_vma value;
		76
		77	value = reloc->r_addend
		78	+ (symtab[get_reloc_symindex (reloc->r_info)].st_value
		79	- saved_sym->st_value);
		80
		81	- byte_put (start + reloc->r_offset, value, reloc_type == 1 ? 4 : 2);
		82	+ if (start + reloc->r_offset + reloc_size >= end)
		83	+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
		84	+ start + reloc->r_offset + reloc_size, end);
		85	+ else
		86	+ byte_put (start + reloc->r_offset, value, reloc_size);
		87
		88	saved_sym = NULL;
		89	return TRUE;
		90	@@ -11703,12 +11715,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		91	break;
		92
		93	case 0x41: /* R_RL78_ABS32. */
		94	- byte_put (start + reloc->r_offset, value, 4);
		95	+ if (start + reloc->r_offset + 4 >= end)
		96	+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
		97	+ start + reloc->r_offset + 2, end);
		98	+ else
		99	+ byte_put (start + reloc->r_offset, value, 4);
		100	value = 0;
		101	return TRUE;
		102
		103	case 0x43: /* R_RL78_ABS16. */
		104	- byte_put (start + reloc->r_offset, value, 2);
		105	+ if (start + reloc->r_offset + 2 >= end)
		106	+ error (_("RL78 sym diff reloc writes past end of section (%p vs %p)\n"),
		107	+ start + reloc->r_offset + 2, end);
		108	+ else
		109	+ byte_put (start + reloc->r_offset, value, 2);
		110	value = 0;
		111	return TRUE;
		112
		113	@@ -12325,7 +12345,7 @@ apply_relocations (void * file,
		114
		115	reloc_type = get_reloc_type (rp->r_info);
		116
		117	- if (target_specific_reloc_handling (rp, start, symtab))
		118	+ if (target_specific_reloc_handling (rp, start, end, symtab))
		119	continue;
		120	else if (is_none_reloc (reloc_type))
		121	continue;
		122	--
		123	2.11.0
		124


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch new file mode 100644 index 0000000000..dd58df5fbf --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-6966.patch
@@ -0,0 +1,241 @@
		1	From 383ec757d27652448d1511169e1133f486abf54f Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Mon, 13 Feb 2017 14:03:22 +0000
		4	Subject: [PATCH] Fix read-after-free error in readelf when processing
		5	multiple, relocated sections in an MSP430 binary.
		6
		7	PR binutils/21139
		8	* readelf.c (target_specific_reloc_handling): Add num_syms
		9	parameter. Check for symbol table overflow before accessing
		10	symbol value. If reloc pointer is NULL, discard all saved state.
		11	(apply_relocations): Pass num_syms to target_specific_reloc_handling.
		12	Call target_specific_reloc_handling with a NULL reloc pointer
		13	after processing all of the relocs.
		14
		15	(cherry pick from commit f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9)
		16	Upstream-Status: Backport [master]
		17	CVE: CVE-2017-6966
		18
		19	Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
		20	---
		21	binutils/ChangeLog \| 10 +++++
		22	binutils/readelf.c \| 109 +++++++++++++++++++++++++++++++++++++++++------------
		23	2 files changed, 94 insertions(+), 25 deletions(-)
		24
		25	diff --git a/binutils/ChangeLog b/binutils/ChangeLog
		26	index e789a3b99b..bd63c8a0d8 100644
		27	--- a/binutils/ChangeLog
		28	+++ b/binutils/ChangeLog
		29	@@ -1,5 +1,15 @@
		30	2017-02-13 Nick Clifton <nickc@redhat.com>
		31
		32	+ PR binutils/21139
		33	+ * readelf.c (target_specific_reloc_handling): Add num_syms
		34	+ parameter. Check for symbol table overflow before accessing
		35	+ symbol value. If reloc pointer is NULL, discard all saved state.
		36	+ (apply_relocations): Pass num_syms to target_specific_reloc_handling.
		37	+ Call target_specific_reloc_handling with a NULL reloc pointer
		38	+ after processing all of the relocs.
		39	+
		40	+2017-02-13 Nick Clifton <nickc@redhat.com>
		41	+
		42	PR binutils/21137
		43	* readelf.c (target_specific_reloc_handling): Add end parameter.
		44	Check for buffer overflow before writing relocated values.
		45	diff --git a/binutils/readelf.c b/binutils/readelf.c
		46	index 8cdaae3b8c..7c158c6342 100644
		47	--- a/binutils/readelf.c
		48	+++ b/binutils/readelf.c
		49	@@ -11580,15 +11580,27 @@ process_syminfo (FILE * file ATTRIBUTE_UNUSED)
		50
		51	/* Check to see if the given reloc needs to be handled in a target specific
		52	manner. If so then process the reloc and return TRUE otherwise return
		53	- FALSE. */
		54	+ FALSE.
		55	+
		56	+ If called with reloc == NULL, then this is a signal that reloc processing
		57	+ for the current section has finished, and any saved state should be
		58	+ discarded. */
		59
		60	static bfd_boolean
		61	target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		62	unsigned char * start,
		63	unsigned char * end,
		64	- Elf_Internal_Sym * symtab)
		65	+ Elf_Internal_Sym * symtab,
		66	+ unsigned long num_syms)
		67	{
		68	- unsigned int reloc_type = get_reloc_type (reloc->r_info);
		69	+ unsigned int reloc_type = 0;
		70	+ unsigned long sym_index = 0;
		71	+
		72	+ if (reloc)
		73	+ {
		74	+ reloc_type = get_reloc_type (reloc->r_info);
		75	+ sym_index = get_reloc_symindex (reloc->r_info);
		76	+ }
		77
		78	switch (elf_header.e_machine)
		79	{
		80	@@ -11597,6 +11609,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		81	{
		82	static Elf_Internal_Sym * saved_sym = NULL;
		83
		84	+ if (reloc == NULL)
		85	+ {
		86	+ saved_sym = NULL;
		87	+ return TRUE;
		88	+ }
		89	+
		90	switch (reloc_type)
		91	{
		92	case 10: /* R_MSP430_SYM_DIFF */
		93	@@ -11604,7 +11622,12 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		94	break;
		95	/* Fall through. */
		96	case 21: /* R_MSP430X_SYM_DIFF */
		97	- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
		98	+ /* PR 21139. */
		99	+ if (sym_index >= num_syms)
		100	+ error (_("MSP430 SYM_DIFF reloc contains invalid symbol index %lu\n"),
		101	+ sym_index);
		102	+ else
		103	+ saved_sym = symtab + sym_index;
		104	return TRUE;
		105
		106	case 1: /* R_MSP430_32 or R_MSP430_ABS32 */
		107	@@ -11629,16 +11652,21 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		108	int reloc_size = reloc_type == 1 ? 4 : 2;
		109	bfd_vma value;
		110
		111	- value = reloc->r_addend
		112	- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
		113	- - saved_sym->st_value);
		114	-
		115	- if (start + reloc->r_offset + reloc_size >= end)
		116	- /* PR 21137 */
		117	- error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
		118	- start + reloc->r_offset + reloc_size, end);
		119	+ if (sym_index >= num_syms)
		120	+ error (_("MSP430 reloc contains invalid symbol index %lu\n"),
		121	+ sym_index);
		122	else
		123	- byte_put (start + reloc->r_offset, value, reloc_size);
		124	+ {
		125	+ value = reloc->r_addend + (symtab[sym_index].st_value
		126	+ - saved_sym->st_value);
		127	+
		128	+ if (start + reloc->r_offset + reloc_size >= end)
		129	+ /* PR 21137 */
		130	+ error (_("MSP430 sym diff reloc writes past end of section (%p vs %p)\n"),
		131	+ start + reloc->r_offset + reloc_size, end);
		132	+ else
		133	+ byte_put (start + reloc->r_offset, value, reloc_size);
		134	+ }
		135
		136	saved_sym = NULL;
		137	return TRUE;
		138	@@ -11658,13 +11686,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		139	{
		140	static Elf_Internal_Sym * saved_sym = NULL;
		141
		142	+ if (reloc == NULL)
		143	+ {
		144	+ saved_sym = NULL;
		145	+ return TRUE;
		146	+ }
		147	+
		148	switch (reloc_type)
		149	{
		150	case 34: /* R_MN10300_ALIGN */
		151	return TRUE;
		152	case 33: /* R_MN10300_SYM_DIFF */
		153	- saved_sym = symtab + get_reloc_symindex (reloc->r_info);
		154	+ if (sym_index >= num_syms)
		155	+ error (_("MN10300_SYM_DIFF reloc contains invalid symbol index %lu\n"),
		156	+ sym_index);
		157	+ else
		158	+ saved_sym = symtab + sym_index;
		159	return TRUE;
		160	+
		161	case 1: /* R_MN10300_32 */
		162	case 2: /* R_MN10300_16 */
		163	if (saved_sym != NULL)
		164	@@ -11672,15 +11711,20 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		165	int reloc_size = reloc_type == 1 ? 4 : 2;
		166	bfd_vma value;
		167
		168	- value = reloc->r_addend
		169	- + (symtab[get_reloc_symindex (reloc->r_info)].st_value
		170	- - saved_sym->st_value);
		171	-
		172	- if (start + reloc->r_offset + reloc_size >= end)
		173	- error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
		174	- start + reloc->r_offset + reloc_size, end);
		175	+ if (sym_index >= num_syms)
		176	+ error (_("MN10300 reloc contains invalid symbol index %lu\n"),
		177	+ sym_index);
		178	else
		179	- byte_put (start + reloc->r_offset, value, reloc_size);
		180	+ {
		181	+ value = reloc->r_addend + (symtab[sym_index].st_value
		182	+ - saved_sym->st_value);
		183	+
		184	+ if (start + reloc->r_offset + reloc_size >= end)
		185	+ error (_("MN10300 sym diff reloc writes past end of section (%p vs %p)\n"),
		186	+ start + reloc->r_offset + reloc_size, end);
		187	+ else
		188	+ byte_put (start + reloc->r_offset, value, reloc_size);
		189	+ }
		190
		191	saved_sym = NULL;
		192	return TRUE;
		193	@@ -11700,12 +11744,24 @@ target_specific_reloc_handling (Elf_Internal_Rela * reloc,
		194	static bfd_vma saved_sym2 = 0;
		195	static bfd_vma value;
		196
		197	+ if (reloc == NULL)
		198	+ {
		199	+ saved_sym1 = saved_sym2 = 0;
		200	+ return TRUE;
		201	+ }
		202	+
		203	switch (reloc_type)
		204	{
		205	case 0x80: /* R_RL78_SYM. */
		206	saved_sym1 = saved_sym2;
		207	- saved_sym2 = symtab[get_reloc_symindex (reloc->r_info)].st_value;
		208	- saved_sym2 += reloc->r_addend;
		209	+ if (sym_index >= num_syms)
		210	+ error (_("RL78_SYM reloc contains invalid symbol index %lu\n"),
		211	+ sym_index);
		212	+ else
		213	+ {
		214	+ saved_sym2 = symtab[sym_index].st_value;
		215	+ saved_sym2 += reloc->r_addend;
		216	+ }
		217	return TRUE;
		218
		219	case 0x83: /* R_RL78_OPsub. */
		220	@@ -12345,7 +12401,7 @@ apply_relocations (void * file,
		221
		222	reloc_type = get_reloc_type (rp->r_info);
		223
		224	- if (target_specific_reloc_handling (rp, start, end, symtab))
		225	+ if (target_specific_reloc_handling (rp, start, end, symtab, num_syms))
		226	continue;
		227	else if (is_none_reloc (reloc_type))
		228	continue;
		229	@@ -12441,6 +12497,9 @@ apply_relocations (void * file,
		230	}
		231
		232	free (symtab);
		233	+ /* Let the target specific reloc processing code know that
		234	+ we have finished with these relocs. */
		235	+ target_specific_reloc_handling (NULL, NULL, NULL, NULL, 0);
		236
		237	if (relocs_return)
		238	{
		239	--
		240	2.11.0
		241