diff options
author | Zhixiong Chi <zhixiong.chi@windriver.com> | 2018-10-16 00:55:04 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-10-16 20:35:43 +0100 |
commit | 1c106ae64a1776e9e85724293d6b7c7c03f7249d (patch) | |
tree | e327c78c6ab9b46c981dc0f709420b932c5ad32b /meta/recipes-devtools | |
parent | 4e1c5499fefda0c0814153a4a6cdaa5261a3b517 (diff) | |
download | poky-1c106ae64a1776e9e85724293d6b7c7c03f7249d.tar.gz |
binutils: fix three CVE issues
Backport the CVE patches from the upstream:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
h=30838132997e6a3cfe3ec11c58b32b22f6f6b102
h=cf93e9c2cf8f8b2566f8fc86e961592b51b5980d
[BZ 23686] https://sourceware.org/bugzilla/show_bug.cgi?id=23686
[BZ 23685] https://sourceware.org/bugzilla/show_bug.cgi?id=23685
The one is for CVE-2018-17358 and CVE-2018-17359, and the another
is for CVE-2018-17360.
(From OE-Core rev: 2683d8287d6878868d3aa15ce6e6a80ce28d8737)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
3 files changed, 211 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index 76add0fe4b..27a643d765 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc | |||
@@ -41,6 +41,8 @@ SRC_URI = "\ | |||
41 | file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \ | 41 | file://0019-Improved-robustness.-Return-FALSE-in-case-of-NULL-po.patch \ |
42 | file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \ | 42 | file://0020-Make-sure-global-symbol-is-not-an-indirect-or-warnin.patch \ |
43 | file://0021-PLT-information-was-still-being-generated-when-symbo.patch \ | 43 | file://0021-PLT-information-was-still-being-generated-when-symbo.patch \ |
44 | file://CVE-2018-17358.patch \ | ||
45 | file://CVE-2018-17360.patch \ | ||
44 | " | 46 | " |
45 | S = "${WORKDIR}/git" | 47 | S = "${WORKDIR}/git" |
46 | 48 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch new file mode 100644 index 0000000000..813509160f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17358.patch | |||
@@ -0,0 +1,144 @@ | |||
1 | From 30838132997e6a3cfe3ec11c58b32b22f6f6b102 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Thu, 20 Sep 2018 15:29:17 +0930 | ||
4 | Subject: [PATCH] Bug 23686, two segment faults in nm | ||
5 | |||
6 | Fixes the bugs exposed by the testcases in the PR, plus two more bugs | ||
7 | I noticed when looking at _bfd_stab_section_find_nearest_line. | ||
8 | |||
9 | PR 23686 | ||
10 | * dwarf2.c (read_section): Error when attempting to malloc | ||
11 | "(bfd_size_type) -1". | ||
12 | * syms.c (_bfd_stab_section_find_nearest_line): Bounds check | ||
13 | function_name. Bounds check reloc address. Formatting. Ensure | ||
14 | .stabstr zero terminated. | ||
15 | CVE: CVE-2018-17358 and CVE-2018-17359 | ||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
18 | --- | ||
19 | bfd/ChangeLog | 9 +++++++++ | ||
20 | bfd/dwarf2.c | 9 ++++++++- | ||
21 | bfd/syms.c | 22 ++++++++++++++++------ | ||
22 | 3 files changed, 33 insertions(+), 7 deletions(-) | ||
23 | |||
24 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
25 | index 04c0c2a..fef5479 100644 | ||
26 | --- a/bfd/ChangeLog | ||
27 | +++ b/bfd/ChangeLog | ||
28 | @@ -1,3 +1,12 @@ | ||
29 | +2018-09-20 Alan Modra <amodra@gmail.com> | ||
30 | + | ||
31 | + PR 23686 | ||
32 | + * dwarf2.c (read_section): Error when attempting to malloc | ||
33 | + "(bfd_size_type) -1". | ||
34 | + * syms.c (_bfd_stab_section_find_nearest_line): Bounds check | ||
35 | + function_name. Bounds check reloc address. Formatting. Ensure | ||
36 | + .stabstr zero terminated. | ||
37 | + | ||
38 | 2018-08-12 H.J. Lu <hongjiu.lu@intel.com> | ||
39 | |||
40 | PR ld/23428 | ||
41 | diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c | ||
42 | index 3b28855..77a7368 100644 | ||
43 | --- a/bfd/dwarf2.c | ||
44 | +++ b/bfd/dwarf2.c | ||
45 | @@ -527,6 +527,7 @@ read_section (bfd * abfd, | ||
46 | asection *msec; | ||
47 | const char *section_name = sec->uncompressed_name; | ||
48 | bfd_byte *contents = *section_buffer; | ||
49 | + bfd_size_type amt; | ||
50 | |||
51 | /* The section may have already been read. */ | ||
52 | if (contents == NULL) | ||
53 | @@ -549,7 +550,13 @@ read_section (bfd * abfd, | ||
54 | *section_size = msec->rawsize ? msec->rawsize : msec->size; | ||
55 | /* Paranoia - alloc one extra so that we can make sure a string | ||
56 | section is NUL terminated. */ | ||
57 | - contents = (bfd_byte *) bfd_malloc (*section_size + 1); | ||
58 | + amt = *section_size + 1; | ||
59 | + if (amt == 0) | ||
60 | + { | ||
61 | + bfd_set_error (bfd_error_no_memory); | ||
62 | + return FALSE; | ||
63 | + } | ||
64 | + contents = (bfd_byte *) bfd_malloc (amt); | ||
65 | if (contents == NULL) | ||
66 | return FALSE; | ||
67 | if (syms | ||
68 | diff --git a/bfd/syms.c b/bfd/syms.c | ||
69 | index 187071f..e09640a 100644 | ||
70 | --- a/bfd/syms.c | ||
71 | +++ b/bfd/syms.c | ||
72 | @@ -1035,6 +1035,10 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
73 | 0, strsize)) | ||
74 | return FALSE; | ||
75 | |||
76 | + /* Stab strings ought to be nul terminated. Ensure the last one | ||
77 | + is, to prevent running off the end of the buffer. */ | ||
78 | + info->strs[strsize - 1] = 0; | ||
79 | + | ||
80 | /* If this is a relocatable object file, we have to relocate | ||
81 | the entries in .stab. This should always be simple 32 bit | ||
82 | relocations against symbols defined in this object file, so | ||
83 | @@ -1073,7 +1077,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
84 | || r->howto->bitsize != 32 | ||
85 | || r->howto->pc_relative | ||
86 | || r->howto->bitpos != 0 | ||
87 | - || r->howto->dst_mask != 0xffffffff) | ||
88 | + || r->howto->dst_mask != 0xffffffff | ||
89 | + || r->address * bfd_octets_per_byte (abfd) + 4 > stabsize) | ||
90 | { | ||
91 | _bfd_error_handler | ||
92 | (_("unsupported .stab relocation")); | ||
93 | @@ -1195,7 +1200,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
94 | { | ||
95 | nul_fun = stab; | ||
96 | nul_str = str; | ||
97 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) | ||
98 | + if (file_name >= (char *) info->strs + strsize | ||
99 | + || file_name < (char *) str) | ||
100 | file_name = NULL; | ||
101 | if (stab + STABSIZE + TYPEOFF < info->stabs + stabsize | ||
102 | && *(stab + STABSIZE + TYPEOFF) == (bfd_byte) N_SO) | ||
103 | @@ -1206,7 +1212,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
104 | directory_name = file_name; | ||
105 | file_name = ((char *) str | ||
106 | + bfd_get_32 (abfd, stab + STRDXOFF)); | ||
107 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) | ||
108 | + if (file_name >= (char *) info->strs + strsize | ||
109 | + || file_name < (char *) str) | ||
110 | file_name = NULL; | ||
111 | } | ||
112 | } | ||
113 | @@ -1217,7 +1224,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
114 | file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); | ||
115 | /* PR 17512: file: 0c680a1f. */ | ||
116 | /* PR 17512: file: 5da8aec4. */ | ||
117 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) | ||
118 | + if (file_name >= (char *) info->strs + strsize | ||
119 | + || file_name < (char *) str) | ||
120 | file_name = NULL; | ||
121 | break; | ||
122 | |||
123 | @@ -1226,7 +1234,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
124 | function_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); | ||
125 | if (function_name == (char *) str) | ||
126 | continue; | ||
127 | - if (function_name >= (char *) info->strs + strsize) | ||
128 | + if (function_name >= (char *) info->strs + strsize | ||
129 | + || function_name < (char *) str) | ||
130 | function_name = NULL; | ||
131 | |||
132 | nul_fun = NULL; | ||
133 | @@ -1335,7 +1344,8 @@ _bfd_stab_section_find_nearest_line (bfd *abfd, | ||
134 | if (val <= offset) | ||
135 | { | ||
136 | file_name = (char *) str + bfd_get_32 (abfd, stab + STRDXOFF); | ||
137 | - if (file_name >= (char *) info->strs + strsize || file_name < (char *) str) | ||
138 | + if (file_name >= (char *) info->strs + strsize | ||
139 | + || file_name < (char *) str) | ||
140 | file_name = NULL; | ||
141 | *pline = 0; | ||
142 | } | ||
143 | -- | ||
144 | 2.9.3 | ||
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch new file mode 100644 index 0000000000..cef10a7546 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-17360.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From cf93e9c2cf8f8b2566f8fc86e961592b51b5980d Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Modra <amodra@gmail.com> | ||
3 | Date: Thu, 20 Sep 2018 18:23:17 +0930 | ||
4 | Subject: [PATCH] PR23685, buffer overflow | ||
5 | |||
6 | PR 23685 | ||
7 | * peXXigen.c (pe_print_edata): Correct export address table | ||
8 | overflow checks. Check dataoff against section size too. | ||
9 | |||
10 | CVE: CVE-2018-17360 | ||
11 | Upstream-Status: Backport | ||
12 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> | ||
13 | --- | ||
14 | bfd/ChangeLog | 6 ++++++ | ||
15 | bfd/peXXigen.c | 11 ++++++----- | ||
16 | 2 files changed, 12 insertions(+), 5 deletions(-) | ||
17 | |||
18 | diff --git a/bfd/ChangeLog b/bfd/ChangeLog | ||
19 | index fef5479..81b9e56 100644 | ||
20 | --- a/bfd/ChangeLog | ||
21 | +++ b/bfd/ChangeLog | ||
22 | @@ -1,5 +1,11 @@ | ||
23 | 2018-09-20 Alan Modra <amodra@gmail.com> | ||
24 | |||
25 | + PR 23685 | ||
26 | + * peXXigen.c (pe_print_edata): Correct export address table | ||
27 | + overflow checks. Check dataoff against section size too. | ||
28 | + | ||
29 | +2018-09-20 Alan Modra <amodra@gmail.com> | ||
30 | + | ||
31 | PR 23686 | ||
32 | * dwarf2.c (read_section): Error when attempting to malloc | ||
33 | "(bfd_size_type) -1". | ||
34 | diff --git a/bfd/peXXigen.c b/bfd/peXXigen.c | ||
35 | index 598f2ca..1645ef4 100644 | ||
36 | --- a/bfd/peXXigen.c | ||
37 | +++ b/bfd/peXXigen.c | ||
38 | @@ -1661,7 +1661,8 @@ pe_print_edata (bfd * abfd, void * vfile) | ||
39 | |||
40 | dataoff = addr - section->vma; | ||
41 | datasize = extra->DataDirectory[PE_EXPORT_TABLE].Size; | ||
42 | - if (datasize > section->size - dataoff) | ||
43 | + if (dataoff > section->size | ||
44 | + || datasize > section->size - dataoff) | ||
45 | { | ||
46 | fprintf (file, | ||
47 | _("\nThere is an export table in %s, but it does not fit into that section\n"), | ||
48 | @@ -1778,11 +1779,11 @@ pe_print_edata (bfd * abfd, void * vfile) | ||
49 | edt.base); | ||
50 | |||
51 | /* PR 17512: Handle corrupt PE binaries. */ | ||
52 | - if (edt.eat_addr + (edt.num_functions * 4) - adj >= datasize | ||
53 | + /* PR 17512 file: 140-165018-0.004. */ | ||
54 | + if (edt.eat_addr - adj >= datasize | ||
55 | /* PR 17512: file: 092b1829 */ | ||
56 | - || (edt.num_functions * 4) < edt.num_functions | ||
57 | - /* PR 17512 file: 140-165018-0.004. */ | ||
58 | - || data + edt.eat_addr - adj < data) | ||
59 | + || (edt.num_functions + 1) * 4 < edt.num_functions | ||
60 | + || edt.eat_addr - adj + (edt.num_functions + 1) * 4 > datasize) | ||
61 | fprintf (file, _("\tInvalid Export Address Table rva (0x%lx) or entry count (0x%lx)\n"), | ||
62 | (long) edt.eat_addr, | ||
63 | (long) edt.num_functions); | ||
64 | -- | ||
65 | 2.9.3 | ||