binutils: Security Fix CVE-2017-9041

Source: binutils-gdb.git MR: 72791 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=919383ac718c2a3187ee2a9ad659daa22da26258 ChangeID: 7b4588368a367a4d57efbfdcd9c00fcc0875af7b Description: Affects: <= 2.28 (From OE-Core rev: d445a9abe7af0a1a54e466bdae8978f6ffb5f6bc) Signed-off-by: Armin Kuster <akuster@mvista.com> Reviewed-by Jeremy Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2017-06-21 12:01:25 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:07 +0000
commit: 34041f58fd277edf1f2bd2db7f90a238d48275fc (patch)
tree: b5d5b65e2c0c87434366fab84d0f2db0cdfb937a /meta/recipes-devtools
parent: 4bca7db53e6444c7329e55275b7795387d42a234 (diff)
download: poky-34041f58fd277edf1f2bd2db7f90a238d48275fc.tar.gz
3 files changed, 137 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index 53c09e6d0d..3f8a5fe19c 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
     file://CVE-2017-9039.patch \
     file://CVE-2017-9039_1.patch \
     file://CVE-2017-9040_and_9042.patch \
+     file://CVE-2017-9041_1.patch \
+     file://CVE-2017-9041_2.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
new file mode 100644
index 0000000000..857cd4af91
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
@@ -0,0 +1,51 @@
+From 919383ac718c2a3187ee2a9ad659daa22da26258 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Wed, 12 Apr 2017 00:02:13 +0100
+Subject: [PATCH] MIPS/readelf: Remove extraneous null GOT data check
+Null data is handled gracefully throughout in MIPS GOT processing, with
+addresses printed normally and unavailable data shown as `<unknown>' by
+`print_mips_got_entry', and special processing code for GOT[1] doing an
+explicit check.  Remove an unwanted null GOT data check then, introduced
+with commit 592458412fb2 in the course of addressing PR binutils/12855.
+        binutils/
+        * readelf.c (process_mips_specific): Remove null GOT data check.
+Upstream-Status: Backport
+CVE: CVE-2017-9041 patch #1
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog | 4 ++++
+ binutils/readelf.c | 3 +--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
+@@ -14995,8 +14995,8 @@ process_mips_specific (FILE * file)
+       data = (unsigned char *) get_data (NULL, file, offset,
+                                          global_end - pltgot, 1,
+                                         _("Global Offset Table data"));
+-      if (data == NULL)
+-       return 0;
+
+      /* PR 12855: Null data is handled gracefully throughout.  */
+       data_end = data + (global_end - pltgot);
+ 
+       printf (_("\nPrimary GOT:\n"));
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,7 @@
+2017-04-25  Maciej W. Rozycki  <macro@imgtec.com>
+ 
+       * readelf.c (process_mips_specific): Remove null GOT data check.
+
+ 2017-04-13  Nick Clifton  <nickc@redhat.com>
+  
+        PR binutils/21379
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
new file mode 100644
index 0000000000..9c3cb8ca25
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
@@ -0,0 +1,84 @@
+From c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@imgtec.com>
+Date: Wed, 12 Apr 2017 00:03:41 +0100
+Subject: [PATCH] MIPS/readelf: Simplify GOT[1] data availability check
+Unavailable data is handled gracefully in MIPS GOT processing done by
+`print_mips_got_entry', so all that is needed in special GOT[1] handling
+is to verify whether data can be retrieved for the purpose of the GNU
+marker check done with `byte_get'.  Remove the extra error reporting
+code then, introduced with commit 75ec1fdbb797 ("Fix runtime seg-fault
+in readelf when parsing a corrupt MIPS binary.") in the course of
+addressing PR binutils/21344, and defer the error case to regular local
+GOT entry processing.
+        binutils/
+        * readelf.c (process_mips_specific): Remove error reporting from
+        GOT[1] processing.
+Upstream-Status: Backport
+CVE: CVE-2017-9041
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog |  5 +++++
+ binutils/readelf.c | 32 ++++++++++++++------------------
+ 2 files changed, 19 insertions(+), 18 deletions(-)
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
+@@ -15013,24 +15013,20 @@ process_mips_specific (FILE * file)
+       if (ent == (bfd_vma) -1)
+        goto got_print_fail;
+ 
+-      if (data)
+      /* Check for the MSB of GOT[1] being set, denoting a GNU object.
+        This entry will be used by some runtime loaders, to store the
+        module pointer.  Otherwise this is an ordinary local entry.
+        PR 21344: Check for the entry being fully available before
+        fetching it.  */
+      if (data
+         && data + ent - pltgot + addr_size <= data_end
+         && (byte_get (data + ent - pltgot, addr_size)
+             >> (addr_size * 8 - 1)) != 0)
+        {
+-         /* PR 21344 */
+-         if (data + ent - pltgot > data_end - addr_size)
+-           {
+-             error (_("Invalid got entry - %#lx - overflows GOT table\n"),
+-                    (long) ent);
+-             goto got_print_fail;
+-           }
+-         
+-         if (byte_get (data + ent - pltgot, addr_size)
+-             >> (addr_size * 8 - 1) != 0)
+-           {
+-             ent = print_mips_got_entry (data, pltgot, ent, data_end);
+-             printf (_(" Module pointer (GNU extension)\n"));
+-             if (ent == (bfd_vma) -1)
+-               goto got_print_fail;
+-           }
+         ent = print_mips_got_entry (data, pltgot, ent, data_end);
+         printf (_(" Module pointer (GNU extension)\n"));
+         if (ent == (bfd_vma) -1)
+           goto got_print_fail;
+        }
+       printf ("\n");
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,4 +1,9 @@
+ 2017-04-25  Maciej W. Rozycki  <macro@imgtec.com>
+
+       * readelf.c (process_mips_specific): Remove error reporting from
+       GOT[1] processing.
+
+2017-04-25  Maciej W. Rozycki  <macro@imgtec.com>
+  
+        * readelf.c (process_mips_specific): Remove null GOT data check.
+
author	Armin Kuster <akuster@mvista.com>	2017-06-21 12:01:25 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:07 +0000
commit	34041f58fd277edf1f2bd2db7f90a238d48275fc (patch)
tree	b5d5b65e2c0c87434366fab84d0f2db0cdfb937a /meta/recipes-devtools
parent	4bca7db53e6444c7329e55275b7795387d42a234 (diff)
download	poky-34041f58fd277edf1f2bd2db7f90a238d48275fc.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index 53c09e6d0d..3f8a5fe19c 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -50,6 +50,8 @@ SRC_URI = "\
50	file://CVE-2017-9039.patch \	50	file://CVE-2017-9039.patch \
51	file://CVE-2017-9039_1.patch \	51	file://CVE-2017-9039_1.patch \
52	file://CVE-2017-9040_and_9042.patch \	52	file://CVE-2017-9040_and_9042.patch \
		53	file://CVE-2017-9041_1.patch \
		54	file://CVE-2017-9041_2.patch \
53	"	55	"
54	S = "${WORKDIR}/git"	56	S = "${WORKDIR}/git"
55		57


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch new file mode 100644 index 0000000000..857cd4af91 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_1.patch
@@ -0,0 +1,51 @@
		1	From 919383ac718c2a3187ee2a9ad659daa22da26258 Mon Sep 17 00:00:00 2001
		2	From: "Maciej W. Rozycki" <macro@imgtec.com>
		3	Date: Wed, 12 Apr 2017 00:02:13 +0100
		4	Subject: [PATCH] MIPS/readelf: Remove extraneous null GOT data check
		5
		6	Null data is handled gracefully throughout in MIPS GOT processing, with
		7	addresses printed normally and unavailable data shown as `<unknown>' by
		8	`print_mips_got_entry', and special processing code for GOT[1] doing an
		9	explicit check. Remove an unwanted null GOT data check then, introduced
		10	with commit 592458412fb2 in the course of addressing PR binutils/12855.
		11
		12	binutils/
		13	* readelf.c (process_mips_specific): Remove null GOT data check.
		14
		15	Upstream-Status: Backport
		16	CVE: CVE-2017-9041 patch #1
		17	VER: <= 2.28
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	---
		21	binutils/ChangeLog \| 4 ++++
		22	binutils/readelf.c \| 3 +--
		23	2 files changed, 5 insertions(+), 2 deletions(-)
		24
		25	Index: git/binutils/readelf.c
		26	===================================================================
		27	--- git.orig/binutils/readelf.c
		28	+++ git/binutils/readelf.c
		29	@@ -14995,8 +14995,8 @@ process_mips_specific (FILE * file)
		30	data = (unsigned char *) get_data (NULL, file, offset,
		31	global_end - pltgot, 1,
		32	_("Global Offset Table data"));
		33	- if (data == NULL)
		34	- return 0;
		35	+
		36	+ /* PR 12855: Null data is handled gracefully throughout. */
		37	data_end = data + (global_end - pltgot);
		38
		39	printf (_("\nPrimary GOT:\n"));
		40	Index: git/bfd/ChangeLog
		41	===================================================================
		42	--- git.orig/bfd/ChangeLog
		43	+++ git/bfd/ChangeLog
		44	@@ -1,3 +1,7 @@
		45	+2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
		46	+
		47	+ * readelf.c (process_mips_specific): Remove null GOT data check.
		48	+
		49	2017-04-13 Nick Clifton <nickc@redhat.com>
		50
		51	PR binutils/21379


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch new file mode 100644 index 0000000000..9c3cb8ca25 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9041_2.patch
@@ -0,0 +1,84 @@
		1	From c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 Mon Sep 17 00:00:00 2001
		2	From: "Maciej W. Rozycki" <macro@imgtec.com>
		3	Date: Wed, 12 Apr 2017 00:03:41 +0100
		4	Subject: [PATCH] MIPS/readelf: Simplify GOT[1] data availability check
		5
		6	Unavailable data is handled gracefully in MIPS GOT processing done by
		7	`print_mips_got_entry', so all that is needed in special GOT[1] handling
		8	is to verify whether data can be retrieved for the purpose of the GNU
		9	marker check done with `byte_get'. Remove the extra error reporting
		10	code then, introduced with commit 75ec1fdbb797 ("Fix runtime seg-fault
		11	in readelf when parsing a corrupt MIPS binary.") in the course of
		12	addressing PR binutils/21344, and defer the error case to regular local
		13	GOT entry processing.
		14
		15	binutils/
		16	* readelf.c (process_mips_specific): Remove error reporting from
		17	GOT[1] processing.
		18
		19	Upstream-Status: Backport
		20	CVE: CVE-2017-9041
		21	VER: <= 2.28
		22	Signed-off-by: Armin Kuster <akuster@mvista.com>
		23
		24	---
		25	binutils/ChangeLog \| 5 +++++
		26	binutils/readelf.c \| 32 ++++++++++++++------------------
		27	2 files changed, 19 insertions(+), 18 deletions(-)
		28
		29	Index: git/binutils/readelf.c
		30	===================================================================
		31	--- git.orig/binutils/readelf.c
		32	+++ git/binutils/readelf.c
		33	@@ -15013,24 +15013,20 @@ process_mips_specific (FILE * file)
		34	if (ent == (bfd_vma) -1)
		35	goto got_print_fail;
		36
		37	- if (data)
		38	+ /* Check for the MSB of GOT[1] being set, denoting a GNU object.
		39	+ This entry will be used by some runtime loaders, to store the
		40	+ module pointer. Otherwise this is an ordinary local entry.
		41	+ PR 21344: Check for the entry being fully available before
		42	+ fetching it. */
		43	+ if (data
		44	+ && data + ent - pltgot + addr_size <= data_end
		45	+ && (byte_get (data + ent - pltgot, addr_size)
		46	+ >> (addr_size * 8 - 1)) != 0)
		47	{
		48	- /* PR 21344 */
		49	- if (data + ent - pltgot > data_end - addr_size)
		50	- {
		51	- error (_("Invalid got entry - %#lx - overflows GOT table\n"),
		52	- (long) ent);
		53	- goto got_print_fail;
		54	- }
		55	-
		56	- if (byte_get (data + ent - pltgot, addr_size)
		57	- >> (addr_size * 8 - 1) != 0)
		58	- {
		59	- ent = print_mips_got_entry (data, pltgot, ent, data_end);
		60	- printf (_(" Module pointer (GNU extension)\n"));
		61	- if (ent == (bfd_vma) -1)
		62	- goto got_print_fail;
		63	- }
		64	+ ent = print_mips_got_entry (data, pltgot, ent, data_end);
		65	+ printf (_(" Module pointer (GNU extension)\n"));
		66	+ if (ent == (bfd_vma) -1)
		67	+ goto got_print_fail;
		68	}
		69	printf ("\n");
		70
		71	Index: git/bfd/ChangeLog
		72	===================================================================
		73	--- git.orig/bfd/ChangeLog
		74	+++ git/bfd/ChangeLog
		75	@@ -1,4 +1,9 @@
		76	2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
		77	+
		78	+ * readelf.c (process_mips_specific): Remove error reporting from
		79	+ GOT[1] processing.
		80	+
		81	+2017-04-25 Maciej W. Rozycki <macro@imgtec.com>
		82
		83	* readelf.c (process_mips_specific): Remove null GOT data check.
		84