binutils: Security fix for CVE-2017-9040 and 2017-9042

Source: binutils-gdb.git MR: 72756, 72805 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf ChangeID: af83ec9e8322e0e051bb684bd2fee5fe8a506fbc Description: excluded some changes as the code does not exist in our version. Does not affect fix. Affects: <= Binutils 2017-04-12 (From OE-Core rev: 2dfdc0ceac466a4b80ece01a970cb5cfdc08d7ab) Signed-off-by: Armin Kuster <akuster@mvista.com> Reviewed-by Jeremy Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2017-06-21 11:22:35 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-07 17:10:07 +0000
commit: 4bca7db53e6444c7329e55275b7795387d42a234 (patch)
tree: f4f639bc1477f2ea3b0d7f2f0f59f411baaa32a7 /meta/recipes-devtools
parent: 4be76c16e36950498a475fc8b99f35c3346bbd3b (diff)
download: poky-4bca7db53e6444c7329e55275b7795387d42a234.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc
index eefb2e7031..53c09e6d0d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.27.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
     file://CVE-2017-9038.patch \
     file://CVE-2017-9039.patch \
     file://CVE-2017-9039_1.patch \
+     file://CVE-2017-9040_and_9042.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch
new file mode 100644
index 0000000000..d5089035e1
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch
@@ -0,0 +1,83 @@
+From 7296a62a2a237f6b1ad8db8c38b090e9f592c8cf Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 13 Apr 2017 16:06:30 +0100
+Subject: [PATCH] readelf: fix out of range subtraction, seg fault from a NULL
+ pointer and memory exhaustion, all from parsing corrupt binaries.
+        PR binutils/21379
+        * readelf.c (process_dynamic_section): Detect over large section
+        offsets in the DT_SYMTAB entry.
+        PR binutils/21345
+        * readelf.c (process_mips_specific): Catch an unfeasible memory
+        allocation before it happens and print a suitable error message.
+Upstream-Status: Backport
+did not include all the commit as affect code does not exists. it does contain the two 
+fixes above.
+both cve's fixed by same comit.
+CVE: CVE-2017-9040
+CVE: CVE-2017-9042
+VER: <= 2.28
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ binutils/ChangeLog | 12 ++++++++++++
+ binutils/readelf.c | 26 +++++++++++++++++++++-----
+ 2 files changed, 33 insertions(+), 5 deletions(-)
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
+++ git/binutils/readelf.c
+@@ -9079,6 +9079,12 @@ process_dynamic_section (FILE * file)
+             processing that.  This is overkill, I know, but it
+             should work.  */
+          section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
+         if ((bfd_size_type) section.sh_offset > current_file_size)
+           {
+             /* See PR 21379 for a reproducer.  */
+             error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset);
+             return FALSE;
+           }
+ 
+          if (archive_file_offset != 0)
+            section.sh_size = archive_file_size - section.sh_offset;
+@@ -14882,6 +14888,15 @@ process_mips_specific (FILE * file)
+          return 0;
+        }
+ 
+      /* PR 21345 - print a slightly more helpful error message
+        if we are sure that the cmalloc will fail.  */
+      if (conflictsno * sizeof (* iconf) > current_file_size)
+       {
+         error (_("Overlarge number of conflicts detected: %lx\n"),
+                (long) conflictsno);
+         return FALSE;
+       }
+
+       iconf = (Elf32_Conflict *) cmalloc (conflictsno, sizeof (* iconf));
+       if (iconf == NULL)
+        {
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
+++ git/bfd/ChangeLog
+@@ -1,3 +1,15 @@
+2017-04-13  Nick Clifton  <nickc@redhat.com>
+ 
+       PR binutils/21379
+       * readelf.c (process_dynamic_section): Detect over large section
+       offsets in the DT_SYMTAB entry.
+
+2017-04-13  Nick Clifton  <nickc@redhat.com>
+
+       PR binutils/21345
+       * readelf.c (process_mips_specific): Catch an unfeasible memory
+       allocation before it happens and print a suitable error message.
+
+ 2017-04-03  Nick Clifton  <nickc@redhat.com>
+ 
+        PR binutils/21345
author	Armin Kuster <akuster@mvista.com>	2017-06-21 11:22:35 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-07 17:10:07 +0000
commit	4bca7db53e6444c7329e55275b7795387d42a234 (patch)
tree	f4f639bc1477f2ea3b0d7f2f0f59f411baaa32a7 /meta/recipes-devtools
parent	4be76c16e36950498a475fc8b99f35c3346bbd3b (diff)
download	poky-4bca7db53e6444c7329e55275b7795387d42a234.tar.gz

diff --git a/meta/recipes-devtools/binutils/binutils-2.27.inc b/meta/recipes-devtools/binutils/binutils-2.27.inc index eefb2e7031..53c09e6d0d 100644 --- a/meta/recipes-devtools/binutils/binutils-2.27.inc +++ b/meta/recipes-devtools/binutils/binutils-2.27.inc
@@ -49,6 +49,7 @@ SRC_URI = "\
49	file://CVE-2017-9038.patch \	49	file://CVE-2017-9038.patch \
50	file://CVE-2017-9039.patch \	50	file://CVE-2017-9039.patch \
51	file://CVE-2017-9039_1.patch \	51	file://CVE-2017-9039_1.patch \
		52	file://CVE-2017-9040_and_9042.patch \
52	"	53	"
53	S = "${WORKDIR}/git"	54	S = "${WORKDIR}/git"
54		55


diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch new file mode 100644 index 0000000000..d5089035e1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2017-9040_and_9042.patch
@@ -0,0 +1,83 @@
		1	From 7296a62a2a237f6b1ad8db8c38b090e9f592c8cf Mon Sep 17 00:00:00 2001
		2	From: Nick Clifton <nickc@redhat.com>
		3	Date: Thu, 13 Apr 2017 16:06:30 +0100
		4	Subject: [PATCH] readelf: fix out of range subtraction, seg fault from a NULL
		5	pointer and memory exhaustion, all from parsing corrupt binaries.
		6
		7	PR binutils/21379
		8	* readelf.c (process_dynamic_section): Detect over large section
		9	offsets in the DT_SYMTAB entry.
		10
		11	PR binutils/21345
		12	* readelf.c (process_mips_specific): Catch an unfeasible memory
		13	allocation before it happens and print a suitable error message.
		14
		15	Upstream-Status: Backport
		16
		17	did not include all the commit as affect code does not exists. it does contain the two
		18	fixes above.
		19	both cve's fixed by same comit.
		20
		21	CVE: CVE-2017-9040
		22	CVE: CVE-2017-9042
		23	VER: <= 2.28
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25
		26	---
		27	binutils/ChangeLog \| 12 ++++++++++++
		28	binutils/readelf.c \| 26 +++++++++++++++++++++-----
		29	2 files changed, 33 insertions(+), 5 deletions(-)
		30
		31	Index: git/binutils/readelf.c
		32	===================================================================
		33	--- git.orig/binutils/readelf.c
		34	+++ git/binutils/readelf.c
		35	@@ -9079,6 +9079,12 @@ process_dynamic_section (FILE * file)
		36	processing that. This is overkill, I know, but it
		37	should work. */
		38	section.sh_offset = offset_from_vma (file, entry->d_un.d_val, 0);
		39	+ if ((bfd_size_type) section.sh_offset > current_file_size)
		40	+ {
		41	+ /* See PR 21379 for a reproducer. */
		42	+ error (_("Invalid DT_SYMTAB entry: %lx"), (long) section.sh_offset);
		43	+ return FALSE;
		44	+ }
		45
		46	if (archive_file_offset != 0)
		47	section.sh_size = archive_file_size - section.sh_offset;
		48	@@ -14882,6 +14888,15 @@ process_mips_specific (FILE * file)
		49	return 0;
		50	}
		51
		52	+ /* PR 21345 - print a slightly more helpful error message
		53	+ if we are sure that the cmalloc will fail. */
		54	+ if (conflictsno * sizeof (* iconf) > current_file_size)
		55	+ {
		56	+ error (_("Overlarge number of conflicts detected: %lx\n"),
		57	+ (long) conflictsno);
		58	+ return FALSE;
		59	+ }
		60	+
		61	iconf = (Elf32_Conflict ) cmalloc (conflictsno, sizeof ( iconf));
		62	if (iconf == NULL)
		63	{
		64	Index: git/bfd/ChangeLog
		65	===================================================================
		66	--- git.orig/bfd/ChangeLog
		67	+++ git/bfd/ChangeLog
		68	@@ -1,3 +1,15 @@
		69	+2017-04-13 Nick Clifton <nickc@redhat.com>
		70	+
		71	+ PR binutils/21379
		72	+ * readelf.c (process_dynamic_section): Detect over large section
		73	+ offsets in the DT_SYMTAB entry.
		74	+
		75	+2017-04-13 Nick Clifton <nickc@redhat.com>
		76	+
		77	+ PR binutils/21345
		78	+ * readelf.c (process_mips_specific): Catch an unfeasible memory
		79	+ allocation before it happens and print a suitable error message.
		80	+
		81	2017-04-03 Nick Clifton <nickc@redhat.com>
		82
		83	PR binutils/21345